Rebuild Bookworm wheels for Python 3.11

[legoktm]

• Rebuild all compiled wheels for Bookworm moving to Python 3.11
• Our pinned version of Cython was incompatible with 3.11, so I bumped it
  • Diff review: https://github.com/freedomofpress/securedrop-builder/wiki/Cython-0.29.22-to-0.29.33 (for transparency, like half of this was reviewing C and generated C code, which I barely understand/follow).
• Temporarily(?) patch dh_virtualenv so it works on 3.11

securedrop-export and securedrop-log have no compiled dependencies, so those builds are passing with just the bootstrap update. securedrop-client and securedrop-proxy will only pass CI if the following PRs are also merged:

• https://github.com/freedomofpress/securedrop-client/pull/1623
• https://github.com/freedomofpress/securedrop-proxy/pull/113

[legoktm]

reprotest failure is:

diff --git a/securedrop-proxy/wheels/PyYAML-5.4.1-cp39-cp39-linux_x86_64.whl b/securedrop-proxy/wheels/PyYAML-5.4.1-cp39-cp39-linux_x86_64.whl
index 22387f1..77e57fd 100644
--- a/securedrop-proxy/wheels/PyYAML-5.4.1-cp39-cp39-linux_x86_64.whl
+++ b/securedrop-proxy/wheels/PyYAML-5.4.1-cp39-cp39-linux_x86_64.whl
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:645773490bf785cd110b4a5e47635990c46219b7c4f01b424f0409cf01d12f2b
-size 529082
+oid sha256:f7190863a72d6eb89ed92e345e178a0803c439fd7126985b62c1c113cb01e534
+size 531596
FAILED

I bet the Cython update is generating new code, causing the PyYAML output to change. Probably should just rebuild it.

[legoktm]

• I still see the reprotest failing in CI, after the commit that re-builds PyYAML, is it expected to be passing?

The earlier failure was reprotest-wheels failing, because it said the PyYAML wheel wasn't reproducible. The reprotest-debs job is failing because the securedrop-proxy bullseye build will be broken until the PyYAML hash is updated in that repository to match.

So it should pass once the client/proxy PRs are merged. In response to your question from last night, we can merge these in either direction 1) builder first with failing jobs and then green client/proxy PRs or 2) client/proxy with failing jobs and then green builder PR.

I slightly prefer 2 just so we can see all the jobs across both repos being green in one spot but it really doesn't matter.

[gonzalo-bulnes]

Cool, that makes sense @legoktm. Let's go with option 2, and nothing is blocking https://github.com/freedomofpress/securedrop-client/pull/1623 am I correct?

[gonzalo-bulnes]

Small blocker in https://github.com/freedomofpress/securedrop-client/pull/1623#issuecomment-1414540477 that I'm not making sense of. I merged the proxy PR.

[gonzalo-bulnes]

Merging this as agreed with @legoktm.