lru-dict blocks Python 3.13 and later for release builds

[yorickdowne]

We need to have reproducible, secure builds. lru-dict is seeking a maintainer and has no binary wheels for Python 3.13 and later.

While we can source compile lru-dict, that opens us up to supply-chain attacks in the gcc and libc6-dev Debian packages. There is no good way to require specific versions with specific md5sums that dependabot can update inside the Dockerfile.

Possible ways forward:

• lru-dict finds a new maintainer
• ssz pivots from lru-dict
• We fork ssz and pivot from lru-dict

That last one is not going to happen.

For now, builds need to stay on Python 3.12. Possibly as 3.14 and 3.15 and 3.16 become more wide-spread, the lack of binary lru-dict wheels will surface a maintainer or cause ssz to use another library

[yorickdowne]

Engaged lru-dict maintainer here: amitdev/lru-dict#77

[eth2353]

You could also consider using the remerkleable library for your SSZ needs. I only took a very quick look but I believe you don't have a lot of SSZ-related code so that could maybe work and not be that painful?

remerkleable is used in the consensus specs repo, we use it in Vero and best of all, has no upstream dependencies.

[yorickdowne]

That is very interesting. I’ll take a look.