Depend on CFFI 2.0.0 or newer on Python > 3.8

[ngoldbaum]

To hopefully fix the issue with CFFI 2.0.0 not installing on Python 3.14 under pip because it's a prerelease.

[alex]

this should be >=, right?

[alex]

these files need to be updated for this

[alex]

Suggested change

	cffi>=1.12; platform_python_implementation != 'PyPy' and python_version == '3.8'
	cffi>=1.14; platform_python_implementation != 'PyPy' and python_version == '3.8'

[ngoldbaum]

Should I add a changelog entry for the new minimum CFFI version?

[alex]

nah

[emilykl]

This is a pretty strict version pin; cffi 2.0.0 was just released 10 days ago. We are experiencing conflicts with our other requirements and will have to pin a previous version of cryptography until we can find a different workaround, or until our other dependencies are updated to support cffi 2.0.0.

Are there any other solutions to the above-mentioned issue that don't involve such a restrictive version pin?

[reaperhulk]

Does 46.0.0 work for you? The version bound was only py314 there.

More broadly, I’m not aware of a good answer to this situation, only tradeoffs to choose between. There is no way to express free threaded only dependencies and pip additionally has a constraint where it does not consider pre-release to match >=3.14. Once 3.14 is out we could consider shifting the pin back up to 3.14 but technically that’s still incorrect since we only need it on 3.14t.

Separately, cffi 2.0 is not a semantic versioned library though so compatibility should not be an issue and libraries bounding <2 are under a misapprehension. That said, I imagine you aren’t setting that bound, it’s some other dep.

[alex]

(Let's move this discussion to #13468 so it's all in one place. Thanks!)