Pillow security alert, can we upgrade Pillow to +v10.0.1?

[fredoh9]

Getting daily warning email, probably most of us are getting this.

Warning! thesofproject / sof-docs

Known security vulnerabilities detected
Dependency Pillow 	Version < 10.0.1 	Upgrade to ~> 10.0.1
Defined in requirements.txt 

Remember the issue, #472, but any recommendation or fix?

# blockdiag is orphaned and not compatible with pillow>=10,
# see https://github.com/thesofproject/sof-docs/issues/472
sphinxcontrib-blockdiag
pillow<10

[lgirdwood]

@deb-intel @intelkevinputnam @marc-hb who is the owner for this ?

[deb-intel]

@deb-intel @intelkevinputnam @marc-hb who is the owner for this ?

This issue is being resolved. We had some outdated version numbers that was creating problems. I also need to update requirements on one of our posted pages, which I will do this week.

[marc-hb]

@deb-intel what is your plan for @mwasko 's single blockdiag diagram? Delete it?

[deb-intel]

@marc-hb Is @mwasko the only person who uses the blockdiag diagram (I assume this is sphinxcontrib-blockdiag)? @mwasko can your diagram use another format? If so, we can remove it.

@marc-hb Does anyone use sphinxcontrib-applehelp? If not, we will remove it.

[marc-hb]

@mwasko the only person who uses the blockdiag diagram (I assume this is sphinxcontrib-blockdiag)

Last time I checked there was only one blockdiag diagram, see #472. It's easy to check: remove it, uninstall sphinxcontrib-blockdiag and see if the build fails and how if it does.

This issue is being resolved.

Last time I looked into this it was not possible to "resolve" this without getting rid of blockdiag. Has there been any change?

@marc-hb Does anyone use sphinxcontrib-applehelp? If not, we will remove it.

The only way to tell is to try. Thankfully sof-docs are built in a single configuration so either it works or it does not.

BTW: #485 (comment)

[mwasko]

@marc-hb Is @mwasko the only person who uses the blockdiag diagram (I assume this is v)? @mwasko can your diagram use another format? If so, we can remove it.

@marc-hb Does anyone use sphinxcontrib-applehelp? If not, we will remove it.

@deb-intel, @marc-hb as you have already mention the diagram need to be converted into other format and then we can git rid of sphinxcontrib-blockdiag - I am ok with that. Unfortunately, I will not be able to handle this directly as I am no longer involved in architecture documentation development. Maybe @marcinszkudlinski or @mmaka1 can help here but if time is the essence and it is just one diagram that blocking you then maybe it would be faster to just convert it to other format that will generate similar diagram and send it for review.

[deb-intel]

@mwasko Thanks for the info. Can you remind us on what page the diagram is located? What is the image filename?

[marc-hb]

@deb-intel you must uninstall sphinxcontrib-blockdiag as the first, required step to solve the security alert. That's not optional.

Once you've done that then the failing build will automatically tell you: 1) where @mwasko's diagram is 2) if there is any other use (I think and hope none)

[deb-intel]

@marc-hb Thanks very much! I appreciate that.

[marc-hb]

Once you've done that then the failing build will automatically tell you: 1) where @mwasko's diagram is 2) if there is any other use (I think and hope none)

This unfortunately does not work. After removing sphinxcontrib.blockdiag from conf.py, blockdiag is silently ignored! :-(

git grep to the rescue:

git grep blockdiag

architectures/firmware/sof-zephyr/mpp_layer/images/mpp_scheduling/edf_scheduling.diag:// FIXME: blockdiag is orphaned and not compatible with Pillow anymore:
architectures/firmware/sof-zephyr/mpp_layer/images/mpp_scheduling/edf_scheduling.diag:// https://github.com/blockdiag/blockdiag/pull/171
architectures/firmware/sof-zephyr/mpp_layer/images/mpp_scheduling/edf_scheduling.diag:blockdiag edf_scheduling {
architectures/firmware/sof-zephyr/mpp_layer/mpp_scheduling.rst:  blockdiag:: images/mpp_scheduling/edf_scheduling.diag # orphaned