python-pillow.org

Proposal submitted to the Python Software Foundation Friday, February 10, 2017.

Grant Proposal

Provide funding to renew python-pillow.org for maximum period of time of 8 years.¹ By doing so, we can ensure security issues can be reported discretely to security@python-pillow.org for the foreseeable future.

Abstract

The Python Imaging Library is one of the oldest and most popular third party libraries available to Python programmers today. It adds support for opening, manipulating, and saving many different image file formats.²

Pillow is a popular and well-maintained fork of the Python Imaging Library. At the time of this writing it has been downloaded over a 15 million times from the Python Package Index³ and is now included in major Linux distributions like Debian and Ubuntu.⁴

History

Frustrated with the proliferation of third party repackagings of PIL containing ad hoc changes, none of which were available to download from the Python Package Index, on July 31, 2010 Alex Clark forked the Python Imaging Library based on Hanno Schlicting's repackaging⁵ and published the results to the Python Package Index as Pillow 1.0⁶.

Milestones

• The ability to add library paths to setup.py (e.g. 64 bit library and headers directories) and make timely releases quickly led to widespread adoption of Pillow within about two years.
• Just over a year after Pillow 1.0 was released, on 2011-09-08, Takayuki Shimizukawa⁷ uploaded the first Windows (win32) eggs. Since then, every Pillow release included Windows eggs thanks to Takayuki. And on 2013-02-02, the first 64-bit Windows eggs (amd64) were uploaded to PyPI by Takayuki.
• For the first 3 years, the fork focused on packaging fixes only. In 2013, a Python 3 compatible pull request from Brian Crowell⁸ was merged and released as Pillow 2.0.0.
• Shortly after the release of Pillow 2.0, Christoph Gohlke gave permission for the Pillow project to use his Unofficial Windows Binaries for Python Extension Packages.⁹.
• In 2014 the first of 12 (at present) CVEs was reported. At the time, no formal mechanism to contact the Pillow team existed. In 2016, python-pillow.org was registered and a security email address was configured to send mail to the Pillow team.¹⁰
• As of early 2017, Pillow is developed, maintained and released quarterly by 7 organization members and many more contributors.

Grant objective

To fund, in advance, renewal of python-pillow.org for the maximum period of time allowed by the registrar. By doing so, we can ensure that security issues are handled discretely and professionally for the foreseeable future. Additionally, to reimburse ACLARK.NET, LLC for initial expenses.

Grant size

• $91.44 USD based on registrar's shopping cart total:

• $30.00 USD to reimburse ACLARK.NET, LLC for 2016 purchase and 2017 renewal.

Total $121.44 USD

Grant beneficiaries

Most importantly, the Python community and Pillow users will be able to reach members of the Pillow team discretely via the security@python-pillow.org email address.

Preferred method of funds delivery

A check made payable to:

ACLARK.NET, LLC

And sent to:

ACLARK.NET, LLC
XXXX XXXXXXXX XX
Bethesda, MD 20814

---

1. Allowed by DirectNIC.↩

2. http://en.wikipedia.org/wiki/Python_Imaging_Library↩

3. "Pillow has been downloaded 15,199,249 times!" — Via http://pypi.python.org/pypi/vanity.↩

4. http://en.wikipedia.org/wiki/Python_Imaging_Library↩

5. http://dist.plone.org/thirdparty/PIL-1.1.7.tar.gz↩

6. http://mail.python.org/pipermail/image-sig/2010-July/006423.html↩

7. https://twitter.com/shimizukawa↩

8. https://github.com/fluggo↩

9. http://www.lfd.uci.edu/~gohlke/pythonlibs/↩

10. security@python-pillow.org↩