Python 3.12 update.

[dumol]

Scope

This was supposed to fix #57.

Changes

Updated Python to version 3.12.7, as there's no pywin32 for Python 3.13 for now. Fixes CVE-2024-28757, CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492.

Also updating OpenSSL for Python's ssl module to 3.0.15 on all platforms, fixing CVE-2024-6119, CVE-2024-6119. On Windows, CVE-2024-6119 and CVE-2024-6119 are now fixed too.

Python modules version updates:

• pip to 24.2
• setuptools to 75.1.0 (70.3.0 to match the version in server repo)
• psutil to 6.0.0.

Updated the Alpine Linux version to build on to 3.15 (with musl 1.2.2). Therefore, musl 1.1.x distributions are no longer supported. This follows upstream cryptography, which only builds musl 1.2 wheels since version 43.0.0.

Drive-by changes:

• Added support for building beta and rc Python versions.
• Enabled building against libedit on macOS, where it's a system lib.
• Removed safety and added requirements.txt to leverage GitHub's own security checks.
• The requirements.txt file is auto-updated when building successfully on Windows through GHA.
• Updated pythia.* from server repo with minor improvements.
• Trimmed the packages by installing only the minimum xz stuff, and by bzip'ing copied header files.

Testing

Automated.

[adiroiban]

Thanks for the changes

Moving to 3.12 is an important step toward 3.13

Maybe, in the future we should always focus on gettting the next Python version, instead of trying to jump from 3.11 to 3.13 for example

---

Can we update the docker tests, to include centos 8 and 9 ?

I have found this issue related to the new libnsl dependency

conda-forge/rasterio-feedstock#220

---

I hope that we can get the "-dev" packages removed from our build system, and then the Python configure script will disable those modules

[adiroiban]

I am not happy with this ... but we can look to fix this in a separate PR

The CI run should not modify the source code

Can we have the "requirements.txt" manually updated before a push ?

I guess that this is a question for #62

---

What we can do as part of the CI, is make sure that "requirements.txt" doesn't need an update during a CI run

We have something similar for chevah/server

[dumol]

What we can do as part of the CI, is make sure that "requirements.txt" doesn't need an update during a CI run

We have something similar for chevah/server

Not sure what that would be. I know it's used for cache updates, but what do you mean by "making sure it doesn't need an update"?

[adiroiban]

Why do we need to distribute psutil with pythia ?

For the long term, my expectation is that pythia, will be just python + embedded pip

No other requirements.

setuptools / pywin32 / pycparser can all be installed later in chevah/server and chevah/compat via pip from our PyPI mirror

[dumol]

It has been added as requested through chevah/python-package#125.

It can also be removed as requested. I've added a ticket to deal with all this: #66

[dumol]

Note though that psutil doesn't have a musl wheel, so we need to build it until upstream changes its mind. More at giampaolo/psutil#2126

[adiroiban]

thanks. That's ok. We just need to add a comment that psutils is still needed and link to the upstream bug report.

In theory, on alpine, we can build the wheel for psutil and then copy it to bin.chevah.com .. it will be available as wheel for Alpine just for us

[adiroiban]

this needs a comment ... I have no idea why we need this and what it does

[dumol]

It's copying needed files after a successful build. All the commands in chevahbs for this library are also cp commands.

[adiroiban]

Do we need these files in the install dir ?

What is the "install dir" ?

I expect them to be needed in the build dir , but they should not be needed for the final package

[dumol]

$INSTALL_DIR is where the built libraries and Python are installed (or simply copied as needed).

Pruning files needed there but not wanted in the final dist package is done through cleanup_install_dir() in functions_build.sh:

pythia/functions_build.sh

Line 172 in ba80a30

cleanup_install_dir() {

[dumol]

Added #67 for this.

[adiroiban]

Is this library directly needed by Python 3.12?

Can we build python without NIS module

https://docs.python.org/3/library/nis.html

This module is not used by the Chevah repos ... and will be removed soon

[dumol]

Didn't bother much about it, because it's so small and unimportant, soon to be removed.

We used to patch setup.py for disabling such modules, but that file is gone. Other ideas of how to do this with 3.12?

[dumol]

Fixed through https://github.com/chevah/pythia/pull/58/files/2303a256768d84384699427d6498fe9fb580eb2e..ac6595fba8c420b6f6a5a63559d7398cc29e4a6f.

[dumol]

Ooops… needs-changes

[dumol]

Thanks for the review!

Can we update the docker tests, to include centos 8 and 9 ?

These are not actually "tests", but rather builds. So we build the musl and glibc Linux packages through Docker on Alpine Linux 3.15 and Amazon Linux 2.

Building on other platforms would result in false positives, e.g. for RHEL 8/9 and clones, the build is going to be contaminated with unwanted dependencies.

I have found this issue related to the new libnsl dependency

conda-forge/rasterio-feedstock#220

I've seen that this is part of glibc on Amazon Linux 2, thus not removable. Checked a number of distro containers, all had libnsl libraries, but I see now that some have libnsl.so.2 as an independent package installed by default, with libnsl.so.1 available through a legacy package, similar to libxcrypt-compat.

Obviously, this is a problem that might arise again in the future. Not sure how to best check for this, now that tests in the server repo are not done on supported platforms. But why didn't compat tests catch this issue?

I hope that we can get the "-dev" packages removed from our build system, and then the Python configure script will disable those modules

Well, on Amazon Linux 2 this would be glibc-headers… I'm going to try the same hack as for avoiding building dbm and gdbm modules.

[dumol]

The dependency on libnsl.so.1 was removed, the nis module is no longer built on Amazon Linux 2. I've commented above on this, I'm bothered that it wasn't caught by the tests in the compat repo at chevah/compat#700. What shall we do about it?

I've added tickets for the other suggestions, but left the conversations open until your resolution. Let me know if I missed something. Thanks!

needs-review

[adiroiban]

I'm bothered that it wasn't caught by the tests in the compat repo at chevah/compat#700. What shall we do about it?

Maybe Oracle Linux 8 has that library ... I think that we are ok.

---

These are not actually "tests", but rather builds.

True. Makes sense.

well... what we can do is create separate docker test runs as part of GitHub actions.
It will work something like this

• After the binary .tar.gz is created for each OS, upload that file as an GitHub Action artifact
• After all the build jobs are done, trigger the docker test job
• THe docker test job will download the GitHub Action Artifacts for this build and will save them in cache
• The docker test job can then run a few smoke tests to make sure we can start Python on other OSes ... for example run our custom test file

That's all

With GitHub Action Artifacts we can "publish" the pythia .tar.gz files in kind of a temporary location

More info about GitHub Artifacts here https://github.com/actions/upload-artifact

[adiroiban]

Thanks. Let's have this released.

We can then merge compat ...and also I am looking forward to have this included in chevah/server

Many thanks again! Great work!