Clarify Python dependency constraints

[MadLittleMods]

Clarify Python dependency constraints

Spawning from #18852 (comment) as I don't actually know the the exact rule of thumb. It's unclear to me what we care about exactly. Our deprecation policy mentions Debian oldstable support at-least for the version of SQLite. But then we only refer to Debian stable for the Twisted dependency:

synapse/pyproject.toml

Lines 179 to 186 in 40edb10

	# Twisted 18.9 introduces some logger improvements that the structured
	# logger utilises
	# Twisted 19.7.0 moves test helpers to a new module and deprecates the old location.
	# Twisted 21.2.0 introduces contextvar support.
	# We could likely bump this to 22.1 without making distro packagers'
	# lives hard (as of 2025-07, distro support is Ubuntu LTS: 22.1, Debian stable: 22.4,
	# RHEL 9: 22.10)
	Twisted = {extras = ["tls"], version = ">=21.2.0"}

Dev notes

Arch:

• https://wiki.archlinux.org/title/Python_package_guidelines
• https://wiki.archlinux.org/title/Rust_package_guidelines

Fedora:

• https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/

Pull Request Checklist

• Pull request is based on the develop branch
• Pull request includes a changelog file. The entry should:
  • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
  • Use markdown where necessary, mostly for code blocks.
  • End with either a period (.) or an exclamation mark (!).
  • Start with a capital letter.
  • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
• Code style is correct (run the linters)

[MadLittleMods]

I wrote something. Feel free to correct it however.

[MadLittleMods]

@richvdh chimed in with some counter-points on reasons why we may want to relax this

[Having said all that, Synapse is no longer included in Debian stable, mostly because nobody had time to backport Synapse's critical fixes. I haven't looked at the situation in Fedora or other distros recently, but maybe it's time to reconsider the policy of being tolerant of old versions of dependencies.]

-- @richvdh, #18852 (comment)

[anoadragon453]

Removing this from the review queue and instead added to the to-discuss board, as I feel it's something we should discuss as a team. I personally don't have the full context on packaging here to approve/deny.

We may also want to pitch the question to packagers in some form?

[sandhose]

This isn't entirely true, Fedora for example packages each dependency individually when they can, and so they do for Synapse right now.

[MadLittleMods]

Thanks for the extra background @sandhose!

Reading on https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/, it seems like they prefer not to vendor dependencies but it's possible when necessary.

From the weekly backend team meeting:

• We experience real pain around having to be careful with our Python dependencies and we'd like to avoid also having that pain for Rust.
• Given Rust is compiled, and generally package managers distribute compiled artifacts, its way more niche to require packaging Rust deps than Python deps.
• And regardless, we are aggressive with our Rust dependency updates

I've updated the langauge to be "can pose no ongoing maintenance burden" and a note about Fedora packaging Rust libraries as the outlier.

[anoadragon453]

This follows what I, as a Synapse developer, expect. Thanks for writing it up so it's clear to others, and so that we don't deviate from the pattern unwittingly.

[MadLittleMods]

👍 The current iteration basically documents status-quo. Thanks for the review @anoadragon453 🐯

There is a potential future for relaxing things even further (see #18856 (comment))