
build: pin build-time Cython to the locked version by bluetoothbot · Pull Request #1793 · python-zeroconf/python-zeroconf

Summary

Release wheels are built by cibuildwheel in an isolated environment that resolves build-system.requires from PyPI and ignores poetry.lock. The previous unbounded Cython>=3.0.8 spec let every release pick up whichever Cython was newest at build time, so the compiled C output — and the shipped .pyd binaries — drifted between releases with no source change. This matches the maintainer's read in #1791 that "nothing changed besides the cython version": the Cython version was an uncontrolled build variable.

This pins build-time Cython to the version in poetry.lock (3.2.5), so release wheels are built with the exact, tested compiler and the binaries are reproducible.

Closes #1791

Changes

  • pyproject.toml: build-system.requires Cython>=3.0.8 → Cython==3.2.5 (lockstep with the dev dependency / poetry.lock), with a comment explaining the cibuildwheel isolation pitfall.

Notes / honest scope

The reported ImportError: DLL load failed ... Access is denied is a Palo Alto Cortex XDR "Hash Control" false positive on the unsigned _cache.*.pyd binary — confirmed by the reporter (pinning to an older release is their current workaround). A scanner vendor's heuristic/reputation verdict is not something a source change can definitively clear. What this repo can control is build determinism:

  • This PR removes the silent compiler drift so the binary doesn't change identity release-to-release for no reason, and gives maintainers a single knob to roll a flagged Cython back (e.g. to the 0.149.12-era version) in lockstep with poetry.lock.
  • It does not by itself guarantee the scanner stops flagging the binary. If the false positive persists on the next pinned-and-rebuilt wheel, the remaining levers are out-of-band: report the false positive / submit the hash to Palo Alto, and/or code-sign the Windows wheels (needs a signing cert + CI secrets).

Test plan

  • Build-system metadata only; not reproducible in pytest (Windows-specific scanner verdict on compiled binaries).
  • Verified pyproject.toml parses and build-system.requires resolves to the pinned spec.
  • Wheel builds continue to use REQUIRE_CYTHON=1 with the pinned Cython unchanged otherwise.

Quality Report

Changes: 1 file changed, 6 insertions(+), 1 deletion(-)

Code scan: clean

Tests: passed (4 PASSED)

Branch hygiene: clean

Generated by Kōan