From 7990a3296df24a1f7bb8875005d78495c7e0076c Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 22 Aug 2023 17:27:00 +0200
Subject: [PATCH] Explain the story about cryptography version requirements

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 scripts/ci.requirements.txt | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/ci.requirements.txt b/scripts/ci.requirements.txt
index ac9c25acf..7dbcfe8e0 100644
--- a/scripts/ci.requirements.txt
+++ b/scripts/ci.requirements.txt
@@ -11,7 +11,10 @@ pylint == 2.4.4
 # See https://github.com/Mbed-TLS/mbedtls/pull/3953 .
 mypy >= 0.780
 
-# Install cryptography to avoid import-error reported by pylint.
-# What we really need is cryptography >= 35.0.0, which is only
-# available for Python >= 3.6.
+# At the time of writing, only needed for tests/scripts/audit-validity-dates.py.
+# It needs >=35.0.0 for correct operation, and that requires Python >=3.6,
+# but our CI has Python 3.5. So let pip install the newest version that's
+# compatible with the running Python: this way we get something good enough
+# for mypy and pylint under Python 3.5, and we also get something good enough
+# to run audit-validity-dates.py on Python >=3.6.
 cryptography # >= 35.0.0