From 22dd79367c13d8e9198fdd3e3b55e9d7682f7604 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= <bence.szepkuti@arm.com>
Date: Wed, 16 Jul 2025 13:23:18 +0200
Subject: [PATCH 1/3] Freeze cryptography version on the CI at 35.0.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The version was unspecified because of our use of Python 3.5 on the CI,
whichi has since been eliminated.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
---
 scripts/ci.requirements.txt | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/scripts/ci.requirements.txt b/scripts/ci.requirements.txt
index fc10c63b85..123b5430bf 100644
--- a/scripts/ci.requirements.txt
+++ b/scripts/ci.requirements.txt
@@ -16,12 +16,8 @@ pylint == 2.4.4
 mypy == 0.942
 
 # At the time of writing, only needed for tests/scripts/audit-validity-dates.py.
-# It needs >=35.0.0 for correct operation, and that requires Python >=3.6,
-# but our CI has Python 3.5. So let pip install the newest version that's
-# compatible with the running Python: this way we get something good enough
-# for mypy and pylint under Python 3.5, and we also get something good enough
-# to run audit-validity-dates.py on Python >=3.6.
-cryptography # >= 35.0.0
+# It needs >=35.0.0 for correct operation, and that requires Python >=3.6.
+cryptography >= 35.0.0
 
 # For building `framework/data_files/server9-bad-saltlen.crt` and check python
 # files.

From 9ecab503c2a34cd7a85154263f67f5068e6838cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= <bence.szepkuti@arm.com>
Date: Wed, 16 Jul 2025 13:33:17 +0200
Subject: [PATCH 2/3] Don't install cryptography on the FreeBSD CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Recent versions of cryptography require a Rust toolchain to install on
FreeBSD, which we do not have set up yet.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
---
 scripts/ci.requirements.txt | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/ci.requirements.txt b/scripts/ci.requirements.txt
index 123b5430bf..4bb41e5136 100644
--- a/scripts/ci.requirements.txt
+++ b/scripts/ci.requirements.txt
@@ -17,7 +17,10 @@ mypy == 0.942
 
 # At the time of writing, only needed for tests/scripts/audit-validity-dates.py.
 # It needs >=35.0.0 for correct operation, and that requires Python >=3.6.
-cryptography >= 35.0.0
+# >=35.0.0 also requires Rust to build from source, which we are forced to do on
+# FreeBSD, since PyPI doesn't carry binary wheels for the BSDs.
+# Disable on FreeBSD until we get a Rust toolchain up and running on the CI.
+cryptography >= 35.0.0; platform_system != 'FreeBSD'
 
 # For building `framework/data_files/server9-bad-saltlen.crt` and check python
 # files.

From 222090abf626ee76a79538d6fa83327ac0e7a35a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= <bence.szepkuti@arm.com>
Date: Wed, 16 Jul 2025 14:18:12 +0200
Subject: [PATCH 3/3] Restrict CI-specific python requirements to Linux
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The dependencies declared in ci.requirements.txt are only used in
scripts that we run on the Linux CI.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
---
 scripts/ci.requirements.txt | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/scripts/ci.requirements.txt b/scripts/ci.requirements.txt
index 4bb41e5136..2ab7ba98da 100644
--- a/scripts/ci.requirements.txt
+++ b/scripts/ci.requirements.txt
@@ -2,10 +2,12 @@
 
 -r driver.requirements.txt
 
+# The dependencies below are only used in scripts that we run on the Linux CI.
+
 # Use a known version of Pylint, because new versions tend to add warnings
 # that could start rejecting our code.
 # 2.4.4 is the version in Ubuntu 20.04. It supports Python >=3.5.
-pylint == 2.4.4
+pylint == 2.4.4; platform_system == 'Linux'
 
 # Use a version of mypy that is compatible with our code base.
 # mypy <0.940 is known not to work: see commit
@@ -13,15 +15,14 @@ pylint == 2.4.4
 # mypy >=0.960 is known not to work:
 #   https://github.com/Mbed-TLS/mbedtls-framework/issues/50
 # mypy 0.942 is the version in Ubuntu 22.04.
-mypy == 0.942
+mypy == 0.942; platform_system == 'Linux'
 
 # At the time of writing, only needed for tests/scripts/audit-validity-dates.py.
 # It needs >=35.0.0 for correct operation, and that requires Python >=3.6.
 # >=35.0.0 also requires Rust to build from source, which we are forced to do on
 # FreeBSD, since PyPI doesn't carry binary wheels for the BSDs.
-# Disable on FreeBSD until we get a Rust toolchain up and running on the CI.
-cryptography >= 35.0.0; platform_system != 'FreeBSD'
+cryptography >= 35.0.0; platform_system == 'Linux'
 
 # For building `framework/data_files/server9-bad-saltlen.crt` and check python
 # files.
-asn1crypto
+asn1crypto; platform_system == 'Linux'