From 8575c918ea3b04ecd81580484269935fbe81d11a Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Fri, 27 Mar 2026 12:58:51 -0600 Subject: [PATCH 01/10] enable abi3t builds --- Cargo.lock | 27 +++++++++++++++------------ Cargo.toml | 4 ++-- pyproject.toml | 7 +++---- src/rust/cryptography-cffi/build.rs | 16 ++++++++++++++-- 4 files changed, 34 insertions(+), 20 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8e60e2609de2..eab6bb908922 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -118,7 +118,7 @@ dependencies = [ "openssl-sys", "pem", "pyo3", - "pyo3-build-config", + "pyo3-build-config 0.28.2 (registry+https://github.com/rust-lang/crates.io-index)", "self_cell", ] @@ -254,13 +254,12 @@ dependencies = [ [[package]] name = "pyo3" version = "0.28.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf85e27e86080aafd5a22eae58a162e133a589551542b3e5cee4beb27e54f8e1" +source = "git+https://github.com/ngoldbaum/pyo3?branch=expose-critical-section#91a041953f3f0f219ffb717e321dac56cc56b2b4" dependencies = [ "libc", "once_cell", "portable-atomic", - "pyo3-build-config", + "pyo3-build-config 0.28.2 (git+https://github.com/ngoldbaum/pyo3?branch=expose-critical-section)", "pyo3-ffi", "pyo3-macros", ] 
@@ -274,21 +273,27 @@ dependencies = [ "target-lexicon", ] +[[package]] +name = "pyo3-build-config" +version = "0.28.2" +source = "git+https://github.com/ngoldbaum/pyo3?branch=expose-critical-section#91a041953f3f0f219ffb717e321dac56cc56b2b4" +dependencies = [ + "target-lexicon", +] + [[package]] name = "pyo3-ffi" version = "0.28.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "491aa5fc66d8059dd44a75f4580a2962c1862a1c2945359db36f6c2818b748dc" +source = "git+https://github.com/ngoldbaum/pyo3?branch=expose-critical-section#91a041953f3f0f219ffb717e321dac56cc56b2b4" dependencies = [ "libc", - "pyo3-build-config", + "pyo3-build-config 0.28.2 (git+https://github.com/ngoldbaum/pyo3?branch=expose-critical-section)", ] [[package]] name = "pyo3-macros" version = "0.28.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f5d671734e9d7a43449f8480f8b38115df67bef8d21f76837fa75ee7aaa5e52e" +source = "git+https://github.com/ngoldbaum/pyo3?branch=expose-critical-section#91a041953f3f0f219ffb717e321dac56cc56b2b4" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -299,12 +304,10 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" version = "0.28.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22faaa1ce6c430a1f71658760497291065e6450d7b5dc2bcf254d49f66ee700a" +source = "git+https://github.com/ngoldbaum/pyo3?branch=expose-critical-section#91a041953f3f0f219ffb717e321dac56cc56b2b4" dependencies = [ "heck", "proc-macro2", - "pyo3-build-config", "quote", "syn", ] diff --git a/Cargo.toml b/Cargo.toml index 95363f2bdde0..6969ae832f39 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -30,8 +30,8 @@ foreign-types-shared = "0.1" openssl = "0.10.76" openssl-sys = "0.9.111" pem = { version = "3", default-features = false } -pyo3 = { version = "0.28", features = ["abi3"] } -pyo3-build-config = { version = "0.28" } +pyo3 = { git = "https://github.com/ngoldbaum/pyo3", branch = "expose-critical-section", features = ["abi3t"] } +pyo3-build-config = { version = "0.28", features=["resolve-config"] } self_cell = "1" [profile.release] diff --git a/pyproject.toml b/pyproject.toml index fb9583132367..d4aa8b0689a7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -2,15 +2,14 @@ # These requirements must be kept sync with the requirements in # ./.github/requirements/build-requirements.{in,txt} requires = [ - "maturin>=1.9.4,<2,!=1.12.0", + "maturin @ git+https://github.com/ngoldbaum/maturin@abi3t", # Must be kept in sync with `project.dependencies` - "cffi>=1.14; platform_python_implementation != 'PyPy' and python_version == '3.8'", - "cffi>=2.0.0; platform_python_implementation != 'PyPy' and python_version >= '3.9'", + "cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3", # Used by cffi (which import distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back) as # well as our build.rs for the rust/cffi bridge. - "setuptools!=74.0.0,!=74.1.0,!=74.1.1,!=74.1.2", + "setuptools @ git+https://github.com/ngoldbaum/setuptools@abi3.abi3t", ] build-backend = "maturin" diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index ae619f6f88ed..0c9c2da7ac67 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs 
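Review bot: The new `pyo3` entry follows a moving branch of a personal fork (`branch = "expose-critical-section"`), and the matching Cargo.lock entries lose their registry `checksum` lines, so only the lockfile ties the build to reviewed code. Pin the commit the lockfile already records in the manifest, `rev = "91a041953f3f0f219ffb717e321dac56cc56b2b4"`. The `requires` hunk of pyproject.toml in this patch and the pyproject.toml hunks of patches 03, 05, 06 and 08 share the problem with no lockfile behind them: `maturin`, `cffi` and `setuptools` are resolved from branch names (or the default branch) at build time, and the `cffi` reference is still present as context in patch 10, so each direct reference should carry a full commit SHA after the `@`. Separately, `pyo3-build-config` stays on the registry `0.28` release while `pyo3` comes from git, which is why Cargo.lock now lists two `pyo3-build-config 0.28.2` packages. Build scripts using the workspace copy may therefore resolve a different configuration than pyo3 itself, so it should probably come from the same git source.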
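Review bot: The replacement `cffi` requirement drops the environment markers the two removed lines carried, so a PyPy build is now asked to fetch and build cffi from the fork, where previously it was excluded. Keep the marker on the direct reference, `"cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3 ; platform_python_implementation != 'PyPy'",`. The comment at the top of the array says these entries must stay in sync with `./.github/requirements/build-requirements.{in,txt}`, and this patch does not touch those files, so CI and source builds would presumably resolve different build tools.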
@@ -82,16 +82,28 @@ fn main() { &python, "import sysconfig; print(bool(sysconfig.get_config_var('Py_GIL_DISABLED')), end='')", ) + .unwrap() + == "True"; + let at_least_py_315 = run_python_script( + &python, + "import sys; print(sys.version_info > (3, 14), end='')", + ) .unwrap() == "True"; // Enable abi3 mode if we're not using PyPy or the free-threaded build - if !(python_impl == "PyPy" || is_free_threaded) { + if !(python_impl == "PyPy" || is_free_threaded || at_least_py_315) { // cp38 (Python 3.8 to help our grep when we some day drop 3.8 support) build.define("Py_LIMITED_API", "0x030800f0"); } - if cfg!(windows) { + if at_least_py_315 { + build.define("Py_LIMITED_API", "0x030F0000"); + build.define("Py_GIL_DISABLED", "1"); + build.define("_Py_OPAQUE_PYOBJECT", "1"); + } + + if cfg!(windows) && !at_least_py_315 { build.define("WIN32_LEAN_AND_MEAN", None); // python.h doesn't set this on the Windows free-threaded build // see https://github.com/python/cpython/issues/127294 From 9c105f94827ae82aeead1b7f3a23de9302932c88 Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Thu, 18 Jun 2026 10:14:44 -0600 Subject: [PATCH 02/10] Add 3.15(t) CI jobs --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d2bff997c6c8..e61bf970fa43 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
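Review bot: `at_least_py_315` is also true on Python 3.14, because `sys.version_info` is a five-element tuple and `(3, 14, 0, 'final', 0) > (3, 14)` evaluates to True. On a 3.14 interpreter the new block therefore defines `Py_LIMITED_API` as `0x030F0000` and forces `Py_GIL_DISABLED` to `1`, even on a GIL-enabled build. The C side would then be compiled against an object layout the running interpreter does not use, which is a memory-safety problem rather than a build failure. The probe should be `"import sys; print(sys.version_info >= (3, 15), end='')"`. The same flag gates the `cfg!(windows)` block, so Windows builds on 3.14 would skip it as well; `main` starts and ends outside this hunk.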
@@ -28,6 +28,8 @@ jobs: - {VERSION: "3.14", NOXSESSION: "rust"} - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "4.0.1"}} - {VERSION: "3.14t", NOXSESSION: "rust,tests"} + - {VERSION: "3.15-dev", NOXSESSION: "rust,tests"} + - {VERSION: "3.15t-dev", NOXSESSION: "rust,tests"} - {VERSION: "pypy-3.11", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.14", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4.0.1", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}} - {VERSION: "3.14", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "4.0.1", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "0"}} @@ -286,6 +288,8 @@ jobs: - {VERSION: "3.9", NOXSESSION: "tests"} - {VERSION: "3.14", NOXSESSION: "tests"} - {VERSION: "3.14t", NOXSESSION: "tests"} + - {VERSION: "3.15-dev", NOXSESSION: "tests"} + - {VERSION: "3.15t-dev", NOXSESSION: "tests"} timeout-minutes: 15 steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 @@ -347,6 +351,8 @@ jobs: - {VERSION: "3.9", NOXSESSION: "tests-nocoverage"} - {VERSION: "3.14", NOXSESSION: "tests"} - {VERSION: "3.14t", NOXSESSION: "tests"} + - {VERSION: "3.15-dev", NOXSESSION: "tests"} + - {VERSION: "3.15t-dev", NOXSESSION: "tests"} include: # Windows on ARM is in a stability validation period; the work # step uses `continue-on-error` only for this entry so transient From a70b4e02407bbe45814219cbb2de60fc44c10a5a Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Thu, 18 Jun 2026 10:17:12 -0600 Subject: [PATCH 03/10] Attempt using upstream versions --- pyproject.toml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index ad8c7ade49c4..acba4a35d4c4 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -2,14 +2,14 @@ # These requirements must be kept sync with the requirements in # ./.github/requirements/build-requirements.{in,txt} requires = [ - "maturin @ git+https://github.com/ngoldbaum/maturin@abi3t", + "maturin>=1.9.4,<2,!=1.12.0", # Must be kept in sync with `project.dependencies` - "cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3; platform_python_implementation != 'PyPy'", + "cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3 ; platform_python_implementation != 'PyPy'", # Used by cffi (which import distutils, and in Python 3.12, distutils has # been removed from the stdlib, but installing setuptools puts it back) as # well as our build.rs for the rust/cffi bridge. - "setuptools @ git+https://github.com/ngoldbaum/setuptools@abi3.abi3t", + "setuptools!=74.0.0,!=74.1.0,!=74.1.1,!=74.1.2", ] build-backend = "maturin" From 5f167cbecad4907e430d1705665faa7915bf9392 Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Thu, 18 Jun 2026 10:20:37 -0600 Subject: [PATCH 04/10] Don't define _Py_OPAQUE_PYOBJECT, Python does that for us --- src/rust/cryptography-cffi/build.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 17f324240039..5549547825a2 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -126,7 +126,6 @@ fn main() { // cp315 (Python 3.15 to help out grep when we some day drop 3.15 support) build.define("Py_LIMITED_API", "0x030F0000"); build.define("Py_GIL_DISABLED", "1"); - build.define("_Py_OPAQUE_PYOBJECT", "1"); } if cfg!(windows) && !at_least_py_315 { From 6f8fff668e9b1a239ca6dcbba0bd849bc59a7082 Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Thu, 18 Jun 2026 10:23:18 -0600 Subject: [PATCH 05/10] Depend on maturin's 'main' branch --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index acba4a35d4c4..238d889772ca 100644 --- a/pyproject.toml 
+++ b/pyproject.toml @@ -2,7 +2,7 @@ # These requirements must be kept sync with the requirements in # ./.github/requirements/build-requirements.{in,txt} requires = [ - "maturin>=1.9.4,<2,!=1.12.0", + "maturin @ git+https://github.com/pyo3/maturin" # Must be kept in sync with `project.dependencies` "cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3 ; platform_python_implementation != 'PyPy'", From 56e344d7fcaf2bdc698abce7eaf0d037ca9b3855 Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Thu, 18 Jun 2026 10:24:33 -0600 Subject: [PATCH 06/10] Depend on maturin's git repo --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 238d889772ca..470c5f47dc30 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -2,7 +2,7 @@ # These requirements must be kept sync with the requirements in # ./.github/requirements/build-requirements.{in,txt} requires = [ - "maturin @ git+https://github.com/pyo3/maturin" + "maturin @ git+https://github.com/pyo3/maturin", # Must be kept in sync with `project.dependencies` "cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3 ; platform_python_implementation != 'PyPy'", From f1a2c7af0028a310727f07e0572c5f8cdda37b29 Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Thu, 18 Jun 2026 12:15:29 -0600 Subject: [PATCH 07/10] Use pyo3-build-config to get ABI info in the CFFI crate --- Cargo.lock | 1 + src/rust/cryptography-cffi/Cargo.toml | 1 + src/rust/cryptography-cffi/build.rs | 48 +++++++++++++-------------- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 28ba572e0649..28b569e9c89d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -58,6 +58,7 @@ dependencies = [ "cc", "openssl-sys", "pyo3", + "pyo3-build-config", ] [[package]] diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml index 74214d3305ec..44d479bc9490 100644 --- a/src/rust/cryptography-cffi/Cargo.toml 
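Review bot: In patch 05 the new `"maturin @ git+https://github.com/pyo3/maturin"` element has no trailing comma, so `requires` is not a valid TOML array at that commit and any build front end will fail to parse pyproject.toml. Patch 06 adds the comma; squashing the two keeps every commit in the series buildable for bisecting.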
+++ b/src/rust/cryptography-cffi/Cargo.toml @@ -13,6 +13,7 @@ openssl-sys.workspace = true [build-dependencies] cc.workspace = true +pyo3-build-config.workspace = true [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(python_implementation, values("CPython", "PyPy"))'] } diff --git a/src/rust/cryptography-cffi/build.rs b/src/rust/cryptography-cffi/build.rs index 5549547825a2..7679e7dd0ddc 100644 --- a/src/rust/cryptography-cffi/build.rs +++ b/src/rust/cryptography-cffi/build.rs @@ -6,6 +6,8 @@ use std::env; use std::path::Path; use std::process::Command; +use pyo3_build_config::{PythonAbiKind, StableAbi}; + fn main() { let target = env::var("TARGET").unwrap(); let openssl_static = env::var("OPENSSL_STATIC") 
@@ -102,37 +104,33 @@ fn main() { build.include(python_include); } - let is_free_threaded = run_python_script( - &python, - "import sysconfig; print(bool(sysconfig.get_config_var('Py_GIL_DISABLED')), end='')", - ) - .unwrap() - == "True"; - let at_least_py_315 = run_python_script( - &python, - "import sys; print(sys.version_info > (3, 14), end='')", - ) - .unwrap() - == "True"; - - // Enable abi3 mode if we're not using PyPy or the free-threaded build on 3.14 and older - if !(python_impl == "PyPy" || is_free_threaded || at_least_py_315) { - // cp39 (Python 3.9 to help our grep when we some day drop 3.9 support) - build.define("Py_LIMITED_API", "0x030900F0"); - } + // Drive the limited-API level off the ABI that pyo3 (and therefore + // maturin) is targeting for this build, resolved from the abi3/abi3t Cargo + // features, rather than off the host interpreter. + let config = pyo3_build_config::get(); - // Enable abi3t mode if we're targeting Python 3.15 or newer - if at_least_py_315 { - // cp315 (Python 3.15 to help out grep when we some day drop 3.15 support) - build.define("Py_LIMITED_API", "0x030F0000"); - build.define("Py_GIL_DISABLED", "1"); + match config.target_abi().kind() { + // GIL-enabled limited API (abi3): a single wheel for CPython 3.9 to 3.14 (not free-threaded) + PythonAbiKind::Stable(StableAbi::Abi3) => { + // cp39 (Python 3.9 to help our grep when we some day drop 3.9 support) + build.define("Py_LIMITED_API", "0x030900f0"); + } + // Free-threaded limited API (abi3t): a single wheel CPython 3.15+. + PythonAbiKind::Stable(StableAbi::Abi3t) => { + // cp315 (Python 3.15 to help our grep when we some day drop 3.15 support) + build.define("Py_LIMITED_API", "0x030f00f0"); + } + // PyPy, or a free-threaded build older than abi3t (e.g. 3.14t): + // compile against the full, version-specific ABI. 
+ PythonAbiKind::VersionSpecific(_) => {} } - if cfg!(windows) && !at_least_py_315 { + if cfg!(windows) { build.define("WIN32_LEAN_AND_MEAN", None); + // python.h doesn't set this on the Windows free-threaded build // see https://github.com/python/cpython/issues/127294 - if is_free_threaded { + if config.is_free_threaded() { build.define("Py_GIL_DISABLED", "1"); } From 1c420f52472327e6a74e33e300cacf41cd99c8ab Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Thu, 18 Jun 2026 14:13:04 -0600 Subject: [PATCH 08/10] temporarily depend on my maturin PR branch --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 470c5f47dc30..70a147322508 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -2,7 +2,7 @@ # These requirements must be kept sync with the requirements in # ./.github/requirements/build-requirements.{in,txt} requires = [ - "maturin @ git+https://github.com/pyo3/maturin", + "maturin @ git+https://github.com/ngoldbaum/maturin@fix-pyo3-cffi-build-script", # Must be kept in sync with `project.dependencies` "cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3 ; platform_python_implementation != 'PyPy'", From da1c873415a5aaec023bc11ac3148ead61ad5c4c Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Fri, 19 Jun 2026 07:23:40 -0600 Subject: [PATCH 09/10] Require maturin 1.14.1 or newer on 3.15 or newer --- pyproject.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 70a147322508..0653a657eed5 100644 --- a/pyproject.toml +++ b/pyproject.toml 
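Review bot: `Py_LIMITED_API` and `Py_GIL_DISABLED` now follow pyo3's resolved target ABI, but the headers still come from `python_include`, set above this hunk and apparently taken from the interpreter the script runs; nothing checks that the two agree. If they diverge (abi3t selected while the headers belong to an older or GIL-enabled interpreter), the cffi C source is compiled against a layout the Rust side does not expect, so the build should fail when that interpreter's version or free-threading state contradicts `config`. In the same spirit, `cfg!(windows)` in a build script describes the host, not the target; `if env::var_os("CARGO_CFG_WINDOWS").is_some() {` matches the stated aim of not depending on the host. The two limited-API comments could also say why the release-level byte is `f0`, for example `// 0x030f00f0 = 3.15.0 final; the minimum CPython this abi3t wheel loads on`. `main` begins and ends outside this hunk.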
@@ -2,7 +2,8 @@ # These requirements must be kept sync with the requirements in # ./.github/requirements/build-requirements.{in,txt} requires = [ - "maturin @ git+https://github.com/ngoldbaum/maturin@fix-pyo3-cffi-build-script", + "maturin>=1.9.4,<2,!=1.12.0", + "maturin>=1.14.1; python_version >= '3.15'", # Must be kept in sync with `project.dependencies` "cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3 ; platform_python_implementation != 'PyPy'", From e83c831ed749892857f4120ccc4ad54c597466dd Mon Sep 17 00:00:00 2001 From: Nathan Goldbaum Date: Fri, 19 Jun 2026 07:40:33 -0600 Subject: [PATCH 10/10] Require Maturin 1.14.1 or newer --- pyproject.toml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 0653a657eed5..60fca02c6279 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -2,8 +2,7 @@ # These requirements must be kept sync with the requirements in # ./.github/requirements/build-requirements.{in,txt} requires = [ - "maturin>=1.9.4,<2,!=1.12.0", - "maturin>=1.14.1; python_version >= '3.15'", + "maturin>=1.14.1,<2", # Must be kept in sync with `project.dependencies` "cffi @ git+https://github.com/ngoldbaum/cffi@abi3t.abi3 ; platform_python_implementation != 'PyPy'",