Stop compiling Python using --with-system-expat (#1925)

edmorley · web-flow · commit 227fcbf2f815 · 2025-10-06T15:16:03.000+02:00
The upstream Python test suite (which gets run when compiling with PGO enabled) fails with the `libexpat` in Ubuntu 22.04. In #1661, I previously added what I hoped would be a temporarily workaround until the failures were fixed upstream, however, the Python maintainers say they don't guarantee compatibility with distro `expat`, and that it's up to us to test for compatibility and patch if we want to use the distro version. However, this isn't viable given that we're neither a Linux distro maintainer, a CPython maintainer or an expat maintainer. Instead, like the upstream Docker Hub Python images (who were also affected by this issue), we will switch the `expat` bundled within the CPython sources, which is actually what the upstream CPython project tests in its CI. This means users won't get security updates for free via the base image, and will instead need to update their Python patch versions instead as newer versions are vendored in CPython. However, this is the least worst alternative for now. I'm doing this now, since otherwise I'll need to generate another patch series for the soon to be released Python 3.14. Note: This change only affects Python versions compiled/released after this merges. Existing Python versions on S3 are unaffected for now (unless they ever get recompiled in the future). For more details, see: python/cpython#125067 (comment) GUS-W-17414073.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## [Unreleased]
 
+- Stopped using `--with-system-expat` when compiling new Python versions. ([#1925](https://github.com/heroku/heroku-buildpack-python/pull/1925))
 
 ## [v312] - 2025-10-05
 
diff --git a/builds/Dockerfile b/builds/Dockerfile
@@ -17,4 +17,4 @@ RUN apt-get update --error-on=any \
 COPY --from=cosign /ko-app/cosign /usr/local/bin/cosign
 
 WORKDIR /tmp
-COPY build_python_runtime.sh python-3.13-ubuntu-22.04-libexpat-workaround.patch .
+COPY build_python_runtime.sh .
diff --git a/builds/build_python_runtime.sh b/builds/build_python_runtime.sh
@@ -83,14 +83,6 @@ cosign verify-blob \
 tar --extract --file python.tgz --strip-components=1 --directory "${SRC_DIR}"
 cd "${SRC_DIR}"
 
-# Work around PGO profile test failures with Python 3.13 on Ubuntu 22.04, due to the tests
-# checking the raw libexpat version which doesn't account for Ubuntu backports:
-# https://github.com/heroku/heroku-buildpack-python/pull/1661#issuecomment-2405259352
-# https://github.com/python/cpython/issues/125067
-if [[ "${PYTHON_MAJOR_VERSION}" == "3.13" && "${STACK}" == "heroku-22" ]]; then
-	patch -p1 </tmp/python-3.13-ubuntu-22.04-libexpat-workaround.patch
-fi
-
 # Aim to keep this roughly consistent with the options used in the Python Docker images,
 # for maximum compatibility / most battle-tested build configuration:
 # https://github.com/docker-library/python
@@ -110,9 +102,6 @@ CONFIGURE_OPTS=(
 	# Skip running `ensurepip` as part of install, since the buildpack installs a curated
 	# version of pip itself (which ensures it's consistent across Python patch releases).
 	"--with-ensurepip=no"
-	# Build the `pyexpat` module using the `expat` library in the base image (which will
-	# automatically receive security updates), rather than CPython's vendored version.
-	"--with-system-expat"
 )
 
 if [[ "${PYTHON_MAJOR_VERSION}" != +(3.9) ]]; then
diff --git a/builds/python-3.13-ubuntu-22.04-libexpat-workaround.patch b/builds/python-3.13-ubuntu-22.04-libexpat-workaround.patch

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`## [Unreleased]`
`4`	`4`
	`5`	+- Stopped using `--with-system-expat` when compiling new Python versions. ([#1925](https://github.com/heroku/heroku-buildpack-python/pull/1925))
`5`	`6`
`6`	`7`	`## [v312] - 2025-10-05`
`7`	`8`