conda-forge / pillow-feedstock

A conda-smithy repository for pillow.
BSD 3-Clause "New" or "Revised" License

pillow v9.3.0 #126

Closed regro-cf-autotick-bot closed 1 year ago

regro-cf-autotick-bot commented 1 year ago

It is very likely that the current package version for this feedstock is out of date.

Checklist before merging this PR:

Information about this PR:

  1. Feel free to push to the bot's branch to update this PR if needed.
  2. The bot will almost always only open one PR per version.
  3. The bot will stop issuing PRs if more than 3 version bump PRs generated by the bot are open. If you don't want to package a particular version please close the PR.
  4. If you want these PRs to be merged automatically, make an issue with "@conda-forge-admin, please add bot automerge" in the title and merge the resulting PR. This command will add our bot automerge feature to your feedstock.
  5. If this PR was opened in error or needs to be updated please add the bot-rerun label to this PR. The bot will close this PR and schedule another one. If you do not have permissions to add this label, you can use the phrase "@conda-forge-admin, please rerun bot" in a PR comment to have the conda-forge-admin add it for you.

Pending Dependency Version Updates

Here is a list of all the pending dependency version updates for this repo. Please double check all dependencies before merging.

Name Upstream Version Current Version
lcms2 2.14 Anaconda-Server Badge

Dependency Analysis

Please note that this analysis is highly experimental. The aim here is to make maintenance easier by inspecting the package's dependencies. Importantly this analysis does not support optional dependencies, please double check those before making changes. If you do not want hinting of this kind ever please add bot: inspection: false to your conda-forge.yml. If you encounter issues with this feature please ping the bot team conda-forge/bot.

Analysis by source code inspection shows a discrepancy between it and the package's stated requirements in the meta.yaml.

Packages found by source code inspection but not in the meta.yaml:

This PR was created by the regro-cf-autotick-bot. The regro-cf-autotick-bot is a service to automatically track the dependency graph, migrate packages, and propose package version updates for conda-forge. Feel free to drop us a line if there are any issues! This PR was generated by https://github.com/regro/autotick-bot/actions/runs/3371211158, please use this URL for debugging.

conda-forge-linter commented 1 year ago

Hi! This is the friendly automated conda-forge-linting service.

I just wanted to let you know that I linted all conda-recipes in your PR (recipe) and found it was in an excellent condition.

ocefpaf commented 1 year ago

Looks like one test is failing:

_______________________________ test_load_blp1 ________________________________

    def test_load_blp1():
        with Image.open("Tests/images/blp/blp1_jpeg.blp") as im:
>           assert_image_equal_tofile(im, "Tests/images/blp/blp1_jpeg.png")

tests\test_file_blp.py:15: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests\helper.py:105: in assert_image_equal_tofile
    assert_image_equal(a, img, msg)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

a = <PIL.BlpImagePlugin.BlpImageFile image mode=RGB size=256x256 at 0x28EB98C6040>
b = <PIL.PngImagePlugin.PngImageFile image mode=RGB size=256x256 at 0x28EB98C6850>
msg = None

    def assert_image_equal(a, b, msg=None):
        assert a.mode == b.mode, msg or f"got mode {repr(a.mode)}, expected {repr(b.mode)}"
        assert a.size == b.size, msg or f"got size {repr(a.size)}, expected {repr(b.size)}"
        if a.tobytes() != b.tobytes():
            if HAS_UPLOADER:
                try:
                    url = test_image_results.upload(a, b)
                    logger.error(f"Url for test images: {url}")
                except Exception:
                    pass

>           assert False, msg or "got different content"
E           AssertionError: got different content

bollwyvl commented 1 year ago

recommend skipping the test, perhaps, as this release contains the fix for: https://nvd.nist.gov/vuln/detail/CVE-2022-45199

bollwyvl commented 1 year ago

@conda-forge-admin please rerender

bollwyvl commented 1 year ago

https://github.com/python-pillow/Pillow/issues/6741

bollwyvl commented 1 year ago

Upstream says

The reason that this wasn't detected sooner is that Pillow tests with libjpeg-turbo.

Is there a compelling reason not to do so?

ocefpaf commented 1 year ago

Is there a compelling reason not to do so?

Not really. We, conda-forge, have been planning to migrate to libjpeg-turbo for ages now. We need to figure out a way to do that safely ASAP.

bollwyvl commented 1 year ago

safely

what dangers lurk? please forgive my ignorance! i see some license-averse stuff in the feedstock... are there other concerns?

bollwyvl commented 1 year ago

:popcorn: https://github.com/conda-forge/pillow-feedstock/pull/128

bollwyvl commented 1 year ago

That fails on a different test.

h-vetinari commented 1 year ago

@bollwyvl @ocefpaf

We now have a couple of passing PRs:

Which one of #126 / #128 do you prefer? Could also go to 9.4 directly, but there the same question reappears anyway.

ocefpaf commented 1 year ago

Which one of #126 / #128 do you prefer? Could also go to 9.4 directly, but there the same question reappears anyway.

We need an ecosystem-wide migration to drop jpeg in lieu of libjpeg-turbo to merge #128. While that is, IMO, the best path, we cannot merge that right now until we start the migration.

h-vetinari commented 1 year ago

We need an ecosystem-wide migration to drop jpeg in lieu of libjpeg-turbo to merge #128. While that is, IMO, the best path, we cannot merge that right now until we start the migration.

You do realise that you merged the libjpeg-turbo version in #132? I had noted this above, and it's obviously also in the diff of that PR. Also, I explicitly asked to merge one of the 9.3 builds first - there was no reason to skip it, and then I would have rebased #132 correctly based on what we do for 9.3.

I spent a bunch of time preparing this yesterday, and such rash actions are really counterproductive.

ocefpaf commented 1 year ago

You do realise that you merged the libjpeg-turbo version in #132?

Yep. Kind of wanted to give it a go after thinking about it. I believe we can start updating the feedstocks without a migration.

there was no reason to skip it, and then I would have rebased https://github.com/conda-forge/pillow-feedstock/pull/132 correctly based on what we do for 9.3.

We can reopen and re-issue this one with your commits. If you don't want to do that I can do it for you.

I spent a bunch of time preparing this yesterday, and such rash actions are really counterproductive.

Sorry about that but your effort won't be wasted!

h-vetinari commented 1 year ago

Yep. Kind of wanted to give it a go after thinking about it. I believe we can start updating the feedstocks without a migration.

OK, just wanted to make sure because it was not in line with your comment here

We can reopen and re-issue this one with your commits. If you don't want to do that I can do it for you.

Not sure if worth the effort to create a branch, but in general, I find it better to avoid skipping versions (esp. if CI is green already). If there's any issue with 9.4 (as it was just released, that possibility exists), then we need to fall back all the way to 9.2 (and 9.3 has a CVE fix as noted above, etc.)

Sorry about that but your effort won't be wasted!

All good. 🙃

ocefpaf commented 1 year ago

OK, just wanted to make sure because it was not in line with your comment here

To be honest I should've edited my comment above b/c I changed my mind as soon as I hit enter there.

If there's any issue with 9.4 (as it was just released, that possibility exists), then we need to fall back all the way to 9.2 (and 9.3 has a CVE fix as noted above, etc.)

:+1:

Not sure if worth the effort to create a branch,

I'll leave that up to you. If you want to do that route I can do that, no problem.

h-vetinari commented 1 year ago

I'll leave that up to you. If you want to do that route I can do that, no problem.

Let's 🤞 our fingers that no issues come up with either 9.4 or the change to libjpeg-turbo; as long as that's the case, I don't see the need to create a branch for 9.3