securedrop-client icon indicating copy to clipboard operation
securedrop-client copied to clipboard
verified publisher icon freedomofpress

Enable Debian trixie support in CI

Open legoktm opened this issue 11 months ago • 6 comments

Description

Once Python 3.13 is the default in Debian trixie [now the case - @eloquence], we should build wheels for it and enable CI against it so we can fix any upstream breakage before the release happens.

legoktm avatar Jan 08 '25 21:01 legoktm

I've started pushing to a trixie branch; most of the work has just been updating various development dependencies to versions that are Python 3.13-compatible.

Only one prod dependency has needed an update so far, six, which should be trivial. (Really we need to figure out how to drop it...)

One thing I haven't yet figured out is poetry compatibility across bookworm and trixie. We can't set package-mode = false, but installing with poetry install --no-root works.

But it's unhappy with the root pyproject.toml used for linting, as both versions want to format/structure the lock file differently. I'm not sure why this isn't an issue with any of the other subprojects. Worst case we can go back to fetching a compatible poetry version from PyPI.

legoktm avatar Feb 07 '25 22:02 legoktm

Oh also, functionally basic client functionality appears fine (sync, reply, etc.). Didn't test further, plenty of that coming in the future :)

legoktm avatar Feb 07 '25 22:02 legoktm

One thing I haven't yet figured out is poetry compatibility across bookworm and trixie. We can't set package-mode = false, but installing with poetry install --no-root works.

I may be missing something, but this is because of the python3-poetry package (1.x supported for bookworm, 2.x supported for trixie), is that correct? for #2435 I think we have to migrate, so I wonder if we should consider changing the poetry install method in ci to pull in a newer version for all jobs - does that work? (My bookworm machine is fine with poetry 2.x, installed via pipx per the official docs, although we may not want to do that in ci)

rocodes avatar May 27 '25 21:05 rocodes

Just to recap what Ro and I discussed:

I may be missing something, but this is because of the python3-poetry package

Yep.

so I wonder if we should consider changing the poetry install method in ci to pull in a newer version for all jobs - does that work

And yes, that's what we used to do in the docs repos (https://github.com/freedomofpress/securedrop-docs/blob/7fcd6d377bdd063513e30f9d0d0c310183100bae/.github/workflows/ci.yml)

legoktm avatar May 29 '25 14:05 legoktm

For whatever reason, I couldn't install poetry that way per my comment in #2435. I could spend more time trying to make it work, e.g. by using --break-system-packages to force the install or trying other approaches, but since the poetry-recommended approach (and what they do in their own CI) is to install using pipx, that's what I've moved towards. Once it's ready for review, we can keep going on trixie support.

fwiw in poetry 2.x I noticed it might be a bit easier to specify different bookworm vs trixie dependencies (aka python version constraints): https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies

rocodes avatar May 29 '25 15:05 rocodes

Removing from backlog in favor of https://github.com/freedomofpress/securedrop-workstation/issues/1396

eloquence avatar Aug 07 '25 18:08 eloquence