Update explanation for setuptools dep (#12254)

.github/requirements/build-requirements.txt

@@ -1,10 +1,6 @@
-#
+# This file was autogenerated by uv via the following command:
-# This file is autogenerated by pip-compile with Python 3.10
+#    uv pip compile --universal -p 3.9 --allow-unsafe --generate-hashes build-requirements.in -o build-requirements.txt
-# by the following command:
+cffi==1.17.1 ; platform_python_implementation != 'PyPy' \
-#
-#    pip-compile --allow-unsafe --generate-hashes build-requirements.in
-#
-cffi==1.17.1 ; platform_python_implementation != "PyPy" \
     --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \
     --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \
     --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \
@@ -92,11 +88,15 @@ maturin==1.8.1 \
     --hash=sha256:ec49cd70cad3c389946c6e2bc0bd50772a7fcb463040dd800720345897eec9bf \
     --hash=sha256:f9f5c47521924b6e515cbc652a042fe5f17f8747445be9d931048e5d8ddb50a4
     # via -r build-requirements.in
-pycparser==2.22 \
+pycparser==2.22 ; platform_python_implementation != 'PyPy' \
     --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \
     --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc
     # via cffi
-tomli==2.2.1 \
+setuptools==73.0.1 \
+    --hash=sha256:b208925fcb9f7af924ed2dc04708ea89791e24bde0d3020b27df0e116088b34e \
+    --hash=sha256:d59a3e788ab7e012ab2c4baed1b376da6366883ee20d7a5fc426816e3d7b1193
+    # via -r build-requirements.in
+tomli==2.2.1 ; python_full_version < '3.11' \
     --hash=sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6 \
     --hash=sha256:02abe224de6ae62c19f090f68da4e27b10af2b93213d36cf44e6e1c5abd19fdd \
     --hash=sha256:286f0ca2ffeeb5b9bd4fcc8d6c330534323ec51b2f52da063b11c502da16f30c \
@@ -130,9 +130,3 @@ tomli==2.2.1 \
     --hash=sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a \
     --hash=sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7
     # via maturin
-
-# The following packages are considered to be unsafe in a requirements file:
-setuptools==73.0.1 \
-    --hash=sha256:b208925fcb9f7af924ed2dc04708ea89791e24bde0d3020b27df0e116088b34e \
-    --hash=sha256:d59a3e788ab7e012ab2c4baed1b376da6366883ee20d7a5fc426816e3d7b1193
-    # via -r build-requirements.in

ci-constraints-requirements.txt

@@ -318,9 +318,7 @@ zipp==3.20.2 ; python_full_version == '3.8.*'
     #   importlib-metadata
     #   importlib-resources
 zipp==3.21.0 ; python_full_version >= '3.9' and python_full_version < '3.10.2'
-    # via
+    # via importlib-metadata
-    #   importlib-metadata
-    #   importlib-resources
 
 # The following packages were excluded from the output:
 # cffi

pyproject.toml

@@ -6,8 +6,9 @@ requires = [
 
     # Must be kept in sync with `project.dependencies`
     "cffi>=1.12; platform_python_implementation != 'PyPy'",
-    # Needed because cffi imports distutils, and in Python 3.12, distutils has
+    # Used by cffi (which import distutils, and in Python 3.12, distutils has
-    # been removed from the stdlib, but installing setuptools puts it back.
+    # been removed from the stdlib, but installing setuptools puts it back) as
+    # well as our build.rs for the rust/cffi bridge.
     "setuptools!=74.0.0,!=74.1.0,!=74.1.1,!=74.1.2",
 ]
 build-backend = "maturin"
@@ -16,11 +17,11 @@ build-backend = "maturin"
 name = "cryptography"
 version = "45.0.0.dev1"
 authors = [
-    {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
+    { name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org" },
 ]
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 readme = "README.rst"
-license = {text = "Apache-2.0 OR BSD-3-Clause"}
+license = { text = "Apache-2.0 OR BSD-3-Clause" }
 classifiers = [
     "Development Status :: 5 - Production/Stable",
     "Intended Audience :: Developers",
@@ -74,11 +75,24 @@ test = [
     "certifi >=2024",
 ]
 test-randomorder = ["pytest-randomly"]
-docs = ["sphinx >=5.3.0", "sphinx-rtd-theme >=3.0.0; python_version >= '3.8'", "sphinx-inline-tabs; python_version >= '3.8'"]
+docs = [
-docstest = ["pyenchant >=3", "readme-renderer >=30.0", "sphinxcontrib-spelling >=7.3.1"]
+    "sphinx >=5.3.0",
+    "sphinx-rtd-theme >=3.0.0; python_version >= '3.8'",
+    "sphinx-inline-tabs; python_version >= '3.8'",
+]
+docstest = [
+    "pyenchant >=3",
+    "readme-renderer >=30.0",
+    "sphinxcontrib-spelling >=7.3.1",
+]
 sdist = ["build >=1.0.0"]
 # `click` included because its needed to type check `release.py`
-pep8test = ["ruff >=0.3.6", "mypy >=1.4", "check-sdist; python_version >= '3.8'", "click >=8.0.1"]
+pep8test = [
+    "ruff >=0.3.6",
+    "mypy >=1.4",
+    "check-sdist; python_version >= '3.8'",
+    "click >=8.0.1",
+]
 
 [tool.maturin]
 python-source = "src"
@@ -137,18 +151,13 @@ warn_unused_configs = true
 strict_equality = true
 
 [[tool.mypy.overrides]]
-module = [
+module = ["pretend"]
-    "pretend"
-]
 ignore_missing_imports = true
 
 [tool.coverage.run]
 branch = true
 relative_files = true
-source = [
+source = ["cryptography", "tests/"]
-    "cryptography",
-    "tests/",
-]
 
 [tool.coverage.paths]
 source = [
@@ -157,10 +166,7 @@ source = [
     "*.nox\\*\\Lib\\site-packages\\cryptography",
     "*.nox/pypy/site-packages/cryptography",
 ]
-tests = [
+tests = ["tests/", "*tests\\"]
-    "tests/",
-    "*tests\\",
-]
 
 [tool.coverage.report]
 exclude_lines = [
@@ -186,4 +192,3 @@ git-only = [
     ".gitattributes",
     ".gitignore",
 ]
-