python3Packages.cryptography: 3.4.8 -> 35.0.0

[cpcloud]

Motivation for this change

Upgrade python3Packages.cryptography from 3.4.8 to 35.0.0.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• 21.11 Release Notes (or backporting 21.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[mweinelt]

That definitely needs to go into staging, cryptography is at the core of many python packages. In fact I wonder if we should wait for the next python-unstable run, depending how much breakage we can expect.

[cpcloud]

That definitely needs to go into staging, cryptography is at the core of many python packages. In fact I wonder if we should wait for the next python-unstable run, depending how much breakage we can expect.

Cool. Are there some guidelines somewhere around going through staging?

[SuperSandro2000]

https://github.com/NixOS/nixpkgs/blob/master/doc/contributing/submitting-changes.chapter.md#staging-branch-submitting-changes-staging-branch

[primeos]

In fact I wonder if we should wait for the next python-unstable run, depending how much breakage we can expect.

IIRC Cryptography updates usually caused (very) few breakages in the past so it should probably be fine. The changelog also LGTM: https://cryptography.io/en/latest/changelog/#v35-0-0. However, we could still wait for the next python-unstable run if that would help.

@cpcloud would you mind doing some additional testing (I'm usually trying out a few simple examples and use nixpkgs-review to test (most) Python rebuilds)?

[SuperSandro2000]

What do we usually test? home-assistant?

[risicle]

Cherry-picked, this builds happily on macos 10.15, python 3.8 & 3.9

[SuperSandro2000]

With the exception of python-miio everything required in home-assistant still build successful. I think this can be safely merged without causing to much havoc.

[mweinelt]

This update broke python3Packages.fido2 and by extension home-assistant and a few other packages. I think we might need to revert it.

[mweinelt]

Reverted in #141037 due to breakages in fido2, mitmproxy and a whole lot of downstream packages. We're too close before a release for these kinds of breaking changes.

[primeos]

@mweinelt thanks for reverting it and sorry about the inconveniences. In that case it seems best to delay the update until most downstream packages adapt to the new versioning scheme (which should be the case after the next release) or someone properly tests it using nixpkgs-review (which I usually do - especially if the version changes in a way that might cause problems).