Thank you for maintaining this until now :) #36
Comments
@dzuelke just noticed this. As a vips user, what would it take to get the |
@dzuelke deleted my last comment... I think I got confused, at present I do not seem to have access to
So just making this buildpack a no-op would leave anyone who wants vips command-line utilities out of luck. Perhaps libvips is installed, but vips command line utilities is a separate package? This buildpack does leave you with vips command-line utilities. If you can provide any info about the "right" way to get vips CLI on heroku-20 or heroku-22, in light of the changelog you mention, it would be helpful! |
@dzuelke OK, more info.... While the I also use the But now, with https://devcenter.heroku.com/changelog-items/2549 -- can I list It appears successful. I'll need a bit more testing to be sure.
I need JPEG2000 support via OpenJPEG. I originally came to this repo to troubleshoot that, and found this ticket. Apparently I can get what I need on heroku-22 -- and without this buildpack. There is still no supported way to get (I would love it if heroku would make the popular Aptfile buildpack officially supported, and improve it by resolving the long-running bug which prevents loading from non-default apt repos). |
Thank you for letting us know about this @dzuelke While I'm intrigued by the idea of using a built-in library instead of maintaining this buildpack, I'm concerned that we will lose the ability to update the vips library. Can you share any information about how often, if at all, we can expect vips to be updated? I'm also concerned about the loss of the CLI tool, as others have expressed. |
It's the They'll only get critical security fixes backported, not normal version updates, as is customary with LTS operating system releases. The CLI tools, for folks who need them, can indeed be installed using the Apt buildpack, although that will pull in 187 MB of unneeded cruft as the package not only recommends |
So with heroku-22 without this buildpack but with Heroku-22 with this buildpack, today, gives me a Here's the thing -- I came here to try to investigate getting a vips that could write ...Which I cannot reproduce on my MacOS machine with vips (view So I don't really know that the vips version is the problem -- maybe it's the version of the my problem is related to colors, and I do see some color profile related issues in CHANGELOG since 8.13.0, the one that is most suspicious to me is @brandoncc , ...any interest in updating to vips Also, this is the only third-party heroku buildpack I have encountered among things relevant to me, that is actually maintained, like quickly updated to work with heroku-22 and have README say that, etc. So THANK YOU. And if you plan to keep maintaining this, to allow access to more recent |
So, jcupitt vips author suspects my use case has run into a problem when running vips 8.13.0 and previous, that is fixed in vips 8.14.0. (It's actually a problem with the OpenJPEG library for jpeg2000, that vips works around in more recent versions). So... it's just a coincidence that working with Jpeg2000 is what brought me to the repo to notice this ticket and restart discussion on it.... and which also seems to have brought me to a demonstration of why it is in some cases necessary to install more recent versions of vips than the heroku stack ubuntu has. :( I am working on compiling libvips 8.14.0 in my own fork to test it out, but not very familiar with the process, and not sure if I can do it on a Mac or not. Either way, @dzuelke , any interest in updating to a more recent vips in this repo? |
(Sorry for so many messages, I have discovered a workaround with older versions of vips, but point probably stands!) |
Thank you for the kind words.
@jcupitt is so helpful, he is definitely in my top five favorite open source contributors!
If you have docker installed, it should be very simple to compile 8.14.2. The instructions below reference 8.14.3 though, because it was released 52 minutes ago.
No problem, this is a healthy discussion and very useful for others who might search for the issue you are having! In order to have a healthier update cycle, I am going to continue maintaining the buildpack for the foreseeable future. If the time comes when I do not need the buildpack myself anymore, I will re-evaluate that decision and possibly deprecate or hand it off to someone else to maintain. I will add a comment to the README mentioning that the buildpack is not strictly needed anymore, so that those who don't need it are aware. If I don't see a PR for this update by this weekend, I will look for some time to update it myself. If I do see a PR, I will very happily merge it. Thank you all for your contributions to this discussion. |
Sorry, I'm a bit late to this interesting discussion.
Yes, this can be very annoying! The Debian maintainer swears this is now finally fixed, but for older Deb-derived package lists you can use Another issue is that the Deb package includes every possible loader, including several which are extremely vulnerable to exploitation. If you give untrusted internet files to Debian libvips, you can be trivially 0wned. Now that heroku bundle an insecure libvips as the default image handler for rails, that's a lot of very vulnerable sites, and a lot of customers about to be very angry. (having said that, if something upstream of libvips is sniffing data and reliably blocking anything that doesn't look like one of the trusted formats, it's probably OK) We've added a feature in 8.13 to address this: if you set the Sadly, 8.13 is still too recent to be in heroku-22 and we'll have to wait for heroku-24. So I think this buildpack is still the best way to install libvips on heroku, at least until then. |
Here's the dep list for the libvips in 22.04: https://packages.ubuntu.com/jammy/libvips-dev You can see there are a number of very ill-advised packages in there which you would certainly not want to give untrusted data to. |
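The upstream check mentioned in the comment above (sniffing data and blocking anything that does not look like a trusted format), sketched as an added example that is not from this thread or from the buildpack. The allowlist of JPEG, PNG, GIF and WebP and the names `sniff_format` and `safe_for_vips?` are assumptions for illustration.

```ruby
# Added example (not from the thread or the buildpack): allowlist uploads by
# magic bytes before they reach libvips. Judge the bytes, not the filename or
# the client-supplied Content-Type.
# Assumption: the app only needs JPEG, PNG, GIF and WebP.
TRUSTED_SIGNATURES = {
  jpeg: ->(b) { b.start_with?("\xFF\xD8\xFF".b) },
  png:  ->(b) { b.start_with?("\x89PNG\r\n\x1A\n".b) },
  gif:  ->(b) { b.start_with?("GIF87a".b, "GIF89a".b) },
  # WebP is a RIFF container: "RIFF", 4-byte length, then "WEBP".
  webp: ->(b) { b.bytesize >= 12 && b[0, 4] == "RIFF".b && b[8, 4] == "WEBP".b },
}.freeze

# Returns the trusted format symbol, or nil for anything else.
def sniff_format(data)
  head = data.to_s.b[0, 16]
  TRUSTED_SIGNATURES.each { |name, match| return name if match.call(head) }
  nil
end

# True only when the content is on the allowlist AND agrees with the declared
# extension, so a renamed file cannot reach a loader the app never meant to use.
def safe_for_vips?(data, declared_ext)
  fmt = sniff_format(data)
  return false if fmt.nil?
  ext = declared_ext.to_s.downcase.delete_prefix(".")
  ext = "jpeg" if ext == "jpg"
  fmt.to_s == ext
end

# Constructed sample headers (first bytes only, not real images).
SAMPLES = {
  png:  "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b,
  jpeg: "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b,
  webp: "RIFF\x24\x00\x00\x00WEBPVP8 ".b,
  jp2:  "\x00\x00\x00\x0CjP  \r\n\x87\n".b,   # JPEG 2000: not on the allowlist
  pdf:  "%PDF-1.7\n".b,                        # PDF: not on the allowlist
  svg:  "<svg xmlns=\"http://www.w3.org/2000/svg\">".b,
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, bytes|
    puts format("%-5s sniffed=%-5s", name, sniff_format(bytes).inspect)
  end
end
```

Anything that returns `nil` from `sniff_format` is rejected before an image library ever opens it; widen the allowlist only for formats the application deliberately accepts.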
Thank you for this information, John. This reinforces my decision to continue maintaining the buildpack, and is also full of information I didn't know about. |
I finally have a PR for the 8.14.3 update. I will probably merge it tomorrow. One thing to be aware of is that the build now uses pdfium instead of poppler. |
# What it does

Configures ActiveStorage to use vips instead of imagemagick as its underlying image processor. Vips should use a lot less memory than imagemagick. See #1164 (comment) for more information and background.

# Why it is important

Currently an esoteric user traffic pattern has triggered ImageKit's throttling so images are broken on the site.

# Implementation notes

* My plan is to merge this, test it on staging, deploy it to production, and then remove IMAGEKIT_URL to see if the site works okay enough without any fancy variant preprocessing. The images will be a little slow on first load but I think this is better than no images! If it's super slow we can also run a loop in a rails console to manually preprocess all the existing items.
* I'm not removing the IMAGEKIT_URL conditional yet which means we'll be able to quickly revert by restoring the environment variable.
* My research suggests we can rely on the version of vips that comes preinstalled on Heroku rather than installing it ourselves. See Newlywords/heroku-buildpack-vips#36 for discussion. (There are some security implications of not being on the latest version, but we only have trusted users uploading images so I think we can afford to choose the simpler deployment option of using the existing package.)
Hi @brandoncc.
Thank you for maintaining this buildpack up to this point.
All Heroku stacks now have libvips runtime libraries as well as the various Poppler utils available: https://devcenter.heroku.com/changelog-items/2549

Maybe it would be possible to archive this repository and place a note at the top of README?

Ideally, bin/compile could also be changed to a no-op, or print a message to notify users.