Add note about Fedora packaging Rust libraries

See https://github.com/element-hq/synapse/pull/18856#discussion_r2330378204
Best effort for application dependencies
2025-12-07 01:20:16 +00:00 · 2025-09-08 19:43:10 -05:00 · 2025-09-05 15:10:37 -05:00 · 2025-08-21 19:51:38 -05:00 · 2025-08-21 19:48:05 -05:00
800 changed files with 10947 additions and 18253 deletions
--- a/.ci/scripts/calculate_jobs.py
+++ b/.ci/scripts/calculate_jobs.py
@@ -36,11 +36,11 @@ IS_PR = os.environ["GITHUB_REF"].startswith("refs/pull/")
 # First calculate the various trial jobs.
 #
 # For PRs, we only run each type of test with the oldest Python version supported (which
-# is Python 3.10 right now)
+# is Python 3.9 right now)

 trial_sqlite_tests = [
    {
-        "python-version": "3.10",
+        "python-version": "3.9",
        "database": "sqlite",
        "extras": "all",
    }
@@ -53,12 +53,12 @@ if not IS_PR:
            "database": "sqlite",
            "extras": "all",
        }
-        for version in ("3.11", "3.12", "3.13", "3.14")
+        for version in ("3.10", "3.11", "3.12", "3.13")
    )

 trial_postgres_tests = [
    {
-        "python-version": "3.10",
+        "python-version": "3.9",
        "database": "postgres",
        "postgres-version": "13",
        "extras": "all",
@@ -68,7 +68,7 @@ trial_postgres_tests = [
 if not IS_PR:
    trial_postgres_tests.append(
        {
-            "python-version": "3.14",
+            "python-version": "3.13",
            "database": "postgres",
            "postgres-version": "17",
            "extras": "all",
@@ -77,7 +77,7 @@ if not IS_PR:

 trial_no_extra_tests = [
    {
-        "python-version": "3.10",
+        "python-version": "3.9",
        "database": "sqlite",
        "extras": "",
    }
@@ -99,24 +99,24 @@ set_output("trial_test_matrix", test_matrix)

 # First calculate the various sytest jobs.
 #
-# For each type of test we only run on bookworm on PRs
+# For each type of test we only run on bullseye on PRs


 sytest_tests = [
    {
-        "sytest-tag": "bookworm",
+        "sytest-tag": "bullseye",
    },
    {
-        "sytest-tag": "bookworm",
+        "sytest-tag": "bullseye",
        "postgres": "postgres",
    },
    {
-        "sytest-tag": "bookworm",
+        "sytest-tag": "bullseye",
        "postgres": "multi-postgres",
        "workers": "workers",
    },
    {
-        "sytest-tag": "bookworm",
+        "sytest-tag": "bullseye",
        "postgres": "multi-postgres",
        "workers": "workers",
        "reactor": "asyncio",
@@ -127,11 +127,11 @@ if not IS_PR:
    sytest_tests.extend(
        [
            {
-                "sytest-tag": "bookworm",
+                "sytest-tag": "bullseye",
                "reactor": "asyncio",
            },
            {
-                "sytest-tag": "bookworm",
+                "sytest-tag": "bullseye",
                "postgres": "postgres",
                "reactor": "asyncio",
            },
--- a/.ci/scripts/triage_labelled_issue.sh
+++ b/.ci/scripts/triage_labelled_issue.sh
@@ -1,29 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# 1) Resolve project ID.
-PROJECT_ID=$(gh project view "$PROJECT_NUMBER" --owner "$PROJECT_OWNER" --format json | jq -r '.id')
-
-# 2) Find existing item (project card) for this issue.
-ITEM_ID=$(
-  gh project item-list "$PROJECT_NUMBER" --owner "$PROJECT_OWNER" --format json \
-  | jq -r --arg url "$ISSUE_URL" '.items[] | select(.content.url==$url) | .id' | head -n1
-)
-
-# 3) If one doesn't exist, add this issue to the project.
-if [ -z "${ITEM_ID:-}" ]; then
-  ITEM_ID=$(gh project item-add "$PROJECT_NUMBER" --owner "$PROJECT_OWNER" --url "$ISSUE_URL" --format json | jq -r '.id')
-fi
-
-# 4) Get Status field id + the option id for TARGET_STATUS.
-FIELDS_JSON=$(gh project field-list "$PROJECT_NUMBER" --owner "$PROJECT_OWNER" --format json)
-STATUS_FIELD=$(echo "$FIELDS_JSON" | jq -r '.fields[] | select(.name=="Status")')
-STATUS_FIELD_ID=$(echo "$STATUS_FIELD" | jq -r '.id')
-OPTION_ID=$(echo "$STATUS_FIELD" | jq -r --arg name "$TARGET_STATUS" '.options[] | select(.name==$name) | .id')
-
-if [ -z "${OPTION_ID:-}" ]; then
-  echo "No Status option named \"$TARGET_STATUS\" found"; exit 1
-fi
-
-# 5) Set Status (moves item to the matching column in the board view).
-gh project item-edit --id "$ITEM_ID" --project-id "$PROJECT_ID" --field-id "$STATUS_FIELD_ID" --single-select-option-id "$OPTION_ID"
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -31,7 +31,7 @@ jobs:
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Extract version from pyproject.toml
        # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
@@ -41,13 +41,13 @@ jobs:
          echo "SYNAPSE_VERSION=$(grep "^version" pyproject.toml | sed -E 's/version\s*=\s*["]([^"]*)["]/\1/')" >> $GITHUB_ENV

      - name: Log in to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -75,7 +75,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ matrix.suffix }}
          path: ${{ runner.temp }}/digests/*
@@ -95,21 +95,21 @@ jobs:
      - build
    steps:
      - name: Download digests
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true

      - name: Log in to DockerHub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ startsWith(matrix.repository, 'docker.io') }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: ${{ startsWith(matrix.repository, 'ghcr.io') }}
        with:
          registry: ghcr.io
@@ -120,7 +120,7 @@ jobs:
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

      - name: Calculate docker image tag
        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
--- a/.github/workflows/docs-pr.yaml
+++ b/.github/workflows/docs-pr.yaml
@@ -13,7 +13,7 @@ jobs:
    name: GitHub Pages
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          # Fetch all history so that the schema_versions script works.
          fetch-depth: 0
@@ -24,7 +24,7 @@ jobs:
          mdbook-version: '0.4.17'

      - name: Setup python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"

@@ -39,7 +39,7 @@ jobs:
          cp book/welcome_and_overview.html book/index.html

      - name: Upload Artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: book
          path: book
@@ -50,7 +50,7 @@ jobs:
    name: Check links in documentation
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Setup mdbook
        uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -50,7 +50,7 @@ jobs:
    needs:
      - pre
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          # Fetch all history so that the schema_versions script works.
          fetch-depth: 0
@@ -64,7 +64,7 @@ jobs:
        run: echo 'window.SYNAPSE_VERSION = "${{ needs.pre.outputs.branch-version }}";' > ./docs/website_files/version.js

      - name: Setup python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"

--- a/.github/workflows/fix_lint.yaml
+++ b/.github/workflows/fix_lint.yaml
@@ -18,14 +18,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
          components: clippy, rustfmt
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -47,6 +47,6 @@ jobs:
      - run: cargo fmt
        continue-on-error: true

-      - uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
+      - uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
        with:
          commit_message: "Attempt to fix linting"
--- a/.github/workflows/latest_deps.yml
+++ b/.github/workflows/latest_deps.yml
@@ -42,12 +42,12 @@ jobs:
    if: needs.check_repo.outputs.should_run_workflow == 'true'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      # The dev dependencies aren't exposed in the wheel metadata (at least with current
      # poetry-core versions), so we install with poetry.
@@ -77,13 +77,13 @@ jobs:
            postgres-version: "14"

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - run: sudo apt-get -qq install xmlsec1
      - name: Set up PostgreSQL ${{ matrix.postgres-version }}
@@ -93,7 +93,7 @@ jobs:
            -e POSTGRES_PASSWORD=postgres \
            -e POSTGRES_INITDB_ARGS="--lc-collate C --lc-ctype C --encoding UTF8" \
            postgres:${{ matrix.postgres-version }}
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: pip install .[all,test]
@@ -139,9 +139,9 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - sytest-tag: bookworm
+          - sytest-tag: bullseye

-          - sytest-tag: bookworm
+          - sytest-tag: bullseye
            postgres: postgres
            workers: workers
            redis: redis
@@ -152,13 +152,13 @@ jobs:
      BLACKLIST: ${{ matrix.workers && 'synapse-blacklist-with-workers' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - name: Ensure sytest runs `pip install`
        # Delete the lockfile so sytest will `pip install` rather than `poetry install`
@@ -173,7 +173,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
@@ -202,14 +202,14 @@ jobs:

    steps:
      - name: Check out synapse codebase
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          path: synapse

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -234,7 +234,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/poetry_lockfile.yaml
+++ b/.github/workflows/poetry_lockfile.yaml
@@ -16,8 +16,8 @@ jobs:
    name: "Check locked dependencies have sdists"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: '3.x'
      - run: pip install tomli
--- a/.github/workflows/push_complement_image.yml
+++ b/.github/workflows/push_complement_image.yml
@@ -33,22 +33,22 @@ jobs:
      packages: write
    steps:
      - name: Checkout specific branch (debug build)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        if: github.event_name == 'workflow_dispatch'
        with:
          ref: ${{ inputs.branch }}
      - name: Checkout clean copy of develop (scheduled build)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        if: github.event_name == 'schedule'
        with:
          ref: develop
      - name: Checkout clean copy of master (on-push)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        if: github.event_name == 'push'
        with:
          ref: master
      - name: Login to registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@@ -27,8 +27,8 @@ jobs:
    name: "Calculate list of debian distros"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - id: set-distros
@@ -55,7 +55,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          path: src

@@ -66,7 +66,7 @@ jobs:
          install: true

      - name: Set up docker layer caching
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -74,7 +74,7 @@ jobs:
            ${{ runner.os }}-buildx-

      - name: Set up python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"

@@ -101,7 +101,7 @@ jobs:
          echo "ARTIFACT_NAME=${DISTRO#*:}" >> "$GITHUB_OUTPUT"

      - name: Upload debs as artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: debs-${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
          path: debs/*
@@ -114,8 +114,8 @@ jobs:
        os:
          - ubuntu-24.04
          - ubuntu-24.04-arm
+          - macos-13 # This uses x86-64
          - macos-14 # This uses arm64
-          - macos-15-intel # This uses x86-64
        # is_pr is a flag used to exclude certain jobs from the matrix on PRs.
        # It is not read by the rest of the workflow.
        is_pr:
@@ -124,7 +124,7 @@ jobs:
        exclude:
          # Don't build macos wheels on PR CI.
          - is_pr: true
-            os: "macos-15-intel"
+            os: "macos-13"
          - is_pr: true
            os: "macos-14"
          # Don't build aarch64 wheels on PR CI.
@@ -132,9 +132,9 @@ jobs:
            os: "ubuntu-24.04-arm"

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          # setup-python@v4 doesn't impose a default python version. Need to use 3.x
          # here, because `python` on osx points to Python 2.7.
@@ -145,7 +145,7 @@ jobs:

      - name: Only build a single wheel on PR
        if: startsWith(github.ref, 'refs/pull/')
-        run: echo "CIBW_BUILD="cp310-manylinux_*"" >> $GITHUB_ENV
+        run: echo "CIBW_BUILD="cp39-manylinux_*"" >> $GITHUB_ENV

      - name: Build wheels
        run: python -m cibuildwheel --output-dir wheelhouse
@@ -154,7 +154,7 @@ jobs:
          # for, and so need extra build deps.
          CIBW_TEST_SKIP: pp3*-* *i686* *musl*

-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: Wheel-${{ matrix.os }}
          path: ./wheelhouse/*.whl
@@ -165,8 +165,8 @@ jobs:
    if: ${{ !startsWith(github.ref, 'refs/pull/') }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.10"

@@ -175,7 +175,7 @@ jobs:
      - name: Build sdist
        run: python -m build --sdist

-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: Sdist
          path: dist/*.tar.gz
@@ -191,7 +191,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all workflow run artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      - name: Build a tarball for the debs
        # We need to merge all the debs uploads into one folder, then compress
        # that.
@@ -200,11 +200,16 @@ jobs:
          mv debs*/* debs/
          tar -cvJf debs.tar.xz debs
      - name: Attach to release
+        # Pinned to work around https://github.com/softprops/action-gh-release/issues/445
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v0.1.15
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh release upload "${{ github.ref_name }}" \
-            Sdist/* \
-            Wheel*/* \
-            debs.tar.xz \
-            --repo ${{ github.repository }}
+        with:
+          files: |
+            Sdist/*
+            Wheel*/*
+            debs.tar.xz
+          # if it's not already published, keep the release as a draft.
+          draft: true
+          # mark it as a prerelease if the tag contains 'rc'.
+          prerelease: ${{ contains(github.ref, 'rc') }}
--- a/.github/workflows/schema.yaml
+++ b/.github/workflows/schema.yaml
@@ -14,8 +14,8 @@ jobs:
    name: Ensure Synapse config schema is valid
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - name: Install check-jsonschema
@@ -40,8 +40,8 @@ jobs:
    name: Ensure generated documentation is up-to-date
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - name: Install PyYAML
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -86,12 +86,12 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
          python-version: "3.x"
@@ -106,8 +106,8 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: "pip install 'click==8.1.1' 'GitPython>=3.1.20'"
@@ -116,8 +116,8 @@ jobs:
  check-lockfile:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: .ci/scripts/check_lockfile.py
@@ -129,7 +129,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -151,13 +151,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -174,7 +174,7 @@ jobs:
      # Cribbed from
      # https://github.com/AustinScola/mypy-cache-github-action/blob/85ea4f2972abed39b33bd02c36e341b28ca59213/src/restore.ts#L10-L17
      - name: Restore/persist mypy's cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
        with:
          path: |
            .mypy_cache
@@ -187,7 +187,7 @@ jobs:
  lint-crlf:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Check line endings
        run: scripts-dev/check_line_terminators.sh

@@ -195,11 +195,11 @@ jobs:
    if: ${{ (github.base_ref == 'develop'  || contains(github.base_ref, 'release-')) && github.actor != 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: "pip install 'towncrier>=18.6.0rc1'"
@@ -207,20 +207,40 @@ jobs:
        env:
          PULL_REQUEST_NUMBER: ${{ github.event.number }}

+  lint-pydantic:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: ${{ needs.changes.outputs.linting == 'true' }}
+
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
+        with:
+          toolchain: ${{ env.RUST_VERSION }}
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
+      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
+        with:
+          poetry-version: "2.1.1"
+          extras: "all"
+      - run: poetry run scripts-dev/check_pydantic_models.py
+
  lint-clippy:
    runs-on: ubuntu-latest
    needs: changes
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
            components: clippy
            toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - run: cargo clippy -- -D warnings

@@ -232,14 +252,14 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
            toolchain: nightly-2025-04-23
            components: clippy
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - run: cargo clippy --all-features -- -D warnings

@@ -250,13 +270,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -286,16 +306,16 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          # We use nightly so that we can use some unstable options that we use in
          # `.rustfmt.toml`.
          toolchain: nightly-2025-04-23
          components: rustfmt
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - run: cargo fmt --check

@@ -306,8 +326,8 @@ jobs:
    needs: changes
    if: ${{ needs.changes.outputs.linting_readme == 'true' }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - run: "pip install rstcheck"
@@ -321,6 +341,7 @@ jobs:
      - lint-mypy
      - lint-crlf
      - lint-newsfile
+      - lint-pydantic
      - check-sampleconfig
      - check-schema-delta
      - check-lockfile
@@ -342,6 +363,7 @@ jobs:
            lint
            lint-mypy
            lint-newsfile
+            lint-pydantic
            lint-clippy
            lint-clippy-nightly
            lint-rust
@@ -354,8 +376,8 @@ jobs:
    needs: linting-done
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.x"
      - id: get-matrix
@@ -375,7 +397,7 @@ jobs:
        job:  ${{ fromJson(needs.calculate-test-jobs.outputs.trial_test_matrix) }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - run: sudo apt-get -qq install xmlsec1
      - name: Set up PostgreSQL ${{ matrix.job.postgres-version }}
        if: ${{ matrix.job.postgres-version }}
@@ -390,10 +412,10 @@ jobs:
            postgres:${{ matrix.job.postgres-version }}

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@@ -431,13 +453,13 @@ jobs:
      - changes
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      # There aren't wheels for some of the older deps, so we need to install
      # their build dependencies
@@ -446,9 +468,9 @@ jobs:
          sudo apt-get -qq install build-essential libffi-dev python3-dev \
            libxml2-dev libxslt-dev xmlsec1 zlib1g-dev libjpeg-dev libwebp-dev

-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
-          python-version: '3.10'
+          python-version: '3.9'

      - name: Prepare old deps
        if: steps.cache-poetry-old-deps.outputs.cache-hit != 'true'
@@ -492,11 +514,11 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        python-version: ["pypy-3.10"]
+        python-version: ["pypy-3.9"]
        extras: ["all"]

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      # Install libs necessary for PyPy to build binary wheels for dependencies
      - run: sudo apt-get -qq install xmlsec1 libxml2-dev libxslt-dev
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -546,15 +568,15 @@ jobs:
        job: ${{ fromJson(needs.calculate-test-jobs.outputs.sytest_test_matrix) }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Prepare test blacklist
        run: cat sytest-blacklist .ci/worker-blacklist > synapse-blacklist-with-workers

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - name: Run SyTest
        run: /bootstrap.sh synapse
@@ -563,7 +585,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.job.*, ', ') }})
@@ -593,7 +615,7 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - run: sudo apt-get -qq install xmlsec1 postgresql-client
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@@ -616,10 +638,10 @@ jobs:
    strategy:
      matrix:
        include:
-          - python-version: "3.10"
+          - python-version: "3.9"
            postgres-version: "13"

-          - python-version: "3.14"
+          - python-version: "3.13"
            postgres-version: "17"

    services:
@@ -637,7 +659,7 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - name: Add PostgreSQL apt repository
        # We need a version of pg_dump that can handle the version of
        # PostgreSQL being tested against. The Ubuntu package repository lags
@@ -661,7 +683,7 @@ jobs:
          PGPASSWORD: postgres
          PGDATABASE: postgres
      - name: "Upload schema differences"
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: ${{ failure() && !cancelled() && steps.run_tester_script.outcome == 'failure' }}
        with:
          name: Schema dumps
@@ -692,20 +714,20 @@ jobs:

    steps:
      - name: Checkout synapse codebase
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          path: synapse

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -728,13 +750,13 @@ jobs:
      - changes

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - run: cargo test

@@ -748,13 +770,13 @@ jobs:
      - changes

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
            toolchain: nightly-2022-12-01
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - run: cargo bench --no-run

--- a/.github/workflows/triage_labelled.yml
+++ b/.github/workflows/triage_labelled.yml
@@ -6,26 +6,43 @@ on:

 jobs:
  move_needs_info:
+    name: Move X-Needs-Info on the triage board
    runs-on: ubuntu-latest
    if: >
      contains(github.event.issue.labels.*.name, 'X-Needs-Info')
-    permissions:
-      contents: read
-    env:
-      # This token must have the following scopes: ["repo:public_repo", "admin:org->read:org", "user->read:user", "project"]
-      GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
-      PROJECT_OWNER: matrix-org
-      # Backend issue triage board.
-      # https://github.com/orgs/matrix-org/projects/67/views/1
-      PROJECT_NUMBER: 67
-      ISSUE_URL: ${{ github.event.issue.html_url }}
-      # This field is case-sensitive.
-      TARGET_STATUS: Needs info
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/add-to-project@c0c5949b017d0d4a39f7ba888255881bdac2a823 # v1.0.2
+        id: add_project
        with:
-          # Only clone the script file we care about, instead of the whole repo.
-          sparse-checkout: .ci/scripts/triage_labelled_issue.sh
-
-      - name: Ensure issue exists on the board, then set Status
-        run: .ci/scripts/triage_labelled_issue.sh
+          project-url: "https://github.com/orgs/matrix-org/projects/67"
+          github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+        # This action will error if the issue already exists on the project. Which is
+        # common as `X-Needs-Info` will often be added to issues that are already in
+        # the triage queue. Prevent the whole job from failing in this case.
+        continue-on-error: true
+      - name: Set status
+        env:
+          GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
+        run: |
+          gh api graphql -f query='
+          mutation(
+              $project: ID!
+              $item: ID!
+              $fieldid: ID!
+              $columnid: String!
+            )  {
+            updateProjectV2ItemFieldValue(
+              input: {
+               projectId: $project
+                itemId: $item
+                fieldId: $fieldid
+                value: { 
+                  singleSelectOptionId: $columnid
+                  }
+              }
+            ) {
+              projectV2Item {
+                id
+              }
+            }
+          }' -f project="PVT_kwDOAIB0Bs4AFDdZ" -f item=${{ steps.add_project.outputs.itemId }} -f fieldid="PVTSSF_lADOAIB0Bs4AFDdZzgC6ZA4" -f columnid=ba22e43c --silent
--- a/.github/workflows/twisted_trunk.yml
+++ b/.github/workflows/twisted_trunk.yml
@@ -43,13 +43,13 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@@ -70,14 +70,14 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - run: sudo apt-get -qq install xmlsec1

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@@ -108,22 +108,22 @@ jobs:
    if: needs.check_repo.outputs.should_run_workflow == 'true'
    runs-on: ubuntu-latest
    container:
-      # We're using bookworm because that's what Debian oldstable is at the time of writing.
+      # We're using debian:bullseye because it uses Python 3.9 which is our minimum supported Python version.
      # This job is a canary to warn us about unreleased twisted changes that would cause problems for us if
      # they were to be released immediately. For simplicity's sake (and to save CI runners) we use the oldest
      # version, assuming that any incompatibilities on newer versions would also be present on the oldest.
-      image: matrixdotorg/sytest-synapse:bookworm
+      image: matrixdotorg/sytest-synapse:bullseye
      volumes:
        - ${{ github.workspace }}:/src

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
+        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master
        with:
          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0

      - name: Patch dependencies
        # Note: The poetry commands want to create a virtualenv in /src/.venv/,
@@ -147,7 +147,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
@@ -175,14 +175,14 @@ jobs:

    steps:
      - name: Run actions/checkout@v4 for synapse
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          path: synapse

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -217,7 +217,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,372 +1,3 @@
-# Synapse 1.141.0 (2025-10-29)
-
-## Deprecation of MacOS Python wheels
-
-The team has decided to deprecate and eventually stop publishing python wheels
-for MacOS. This is a burden on the team, and we're not aware of any parties
-that use them. Synapse docker images will continue to work on MacOS, as will
-building Synapse from source (though note this requires a Rust compiler).
-
-Publishing MacOS Python wheels will continue for the next few releases. If you
-do make use of these wheels downstream, please reach out to us in
-[#synapse-dev:matrix.org](https://matrix.to/#/#synapse-dev:matrix.org). We'd
-love to hear from you!
-
-
-## Docker images now based on Debian `trixie` with Python 3.13
-
-The Docker images are now based on Debian `trixie` and use Python 3.13. If you
-are using the Docker images as a base image you may need to e.g. adjust the
-paths you mount any additional Python packages at.
-
-No significant changes since 1.141.0rc2.
-
-
-
-
-# Synapse 1.141.0rc2 (2025-10-28)
-
-## Bugfixes
-
- Fix users being unable to log in if their password, or the server's configured pepper, was too long. ([\#19101](https://github.com/element-hq/synapse/issues/19101))
-
-
-
-
-# Synapse 1.141.0rc1 (2025-10-21)
-
-## Features
-
- Allow using [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) behavior without the opt-in registration flag. Contributed by @tulir @ Beeper. ([\#19031](https://github.com/element-hq/synapse/issues/19031))
- Stabilized support for [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326): Device masquerading for appservices. Contributed by @tulir @ Beeper. ([\#19033](https://github.com/element-hq/synapse/issues/19033))
-
-## Bugfixes
-
- Fix a bug introduced in 1.136.0 that would prevent Synapse from being able to be `reload`-ed more than once when running under systemd. ([\#19060](https://github.com/element-hq/synapse/issues/19060))
- Fix a bug introduced in 1.140.0 where an internal server error could be raised when hashing user passwords that are too long. ([\#19078](https://github.com/element-hq/synapse/issues/19078))
-
-## Updates to the Docker image
-
- Update docker image to use Debian trixie as the base and thus Python 3.13. ([\#19064](https://github.com/element-hq/synapse/issues/19064))
-
-## Internal Changes
-
- Move unique snowflake homeserver background tasks to `start_background_tasks` (the standard pattern for this kind of thing). ([\#19037](https://github.com/element-hq/synapse/issues/19037))
- Drop a deprecated field of the `PyGitHub` dependency in the release script and raise the dependency's minimum version to `1.59.0`. ([\#19039](https://github.com/element-hq/synapse/issues/19039))
- Update TODO list of conflicting areas where we encounter metrics being clobbered (`ApplicationService`). ([\#19040](https://github.com/element-hq/synapse/issues/19040))
-
-
-
-
-# Synapse 1.140.0 (2025-10-14)
-
-## Compatibility notice for users of `synapse-s3-storage-provider`
-
-Deployments that make use of the
-[synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider)
-module must upgrade to
-[v1.6.0](https://github.com/matrix-org/synapse-s3-storage-provider/releases/tag/v1.6.0).
-Using older versions of the module with this release of Synapse will prevent
-users from being able to upload or download media.
-
-
-No significant changes since 1.140.0rc1.
-
-
-
-
-# Synapse 1.140.0rc1 (2025-10-10)
-
-## Features
-
- Add [a new Media Query by ID Admin API](https://element-hq.github.io/synapse/v1.140/admin_api/media_admin_api.html#query-a-piece-of-media-by-id) that allows server admins to query and investigate the metadata of local or cached remote media via
-  the `origin/media_id` identifier found in a [Matrix Content URI](https://spec.matrix.org/v1.14/client-server-api/#matrix-content-mxc-uris). ([\#18911](https://github.com/element-hq/synapse/issues/18911))
- Add [a new Fetch Event Admin API](https://element-hq.github.io/synapse/v1.140/admin_api/fetch_event.html) to fetch an event by ID. ([\#18963](https://github.com/element-hq/synapse/issues/18963))
- Update [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support signatures when available. ([\#18934](https://github.com/element-hq/synapse/issues/18934))
- Add experimental implementation of the `GET /_matrix/client/v1/rtc/transports` endpoint for the latest draft of [MSC4143: MatrixRTC](https://github.com/matrix-org/matrix-spec-proposals/pull/4143). ([\#18967](https://github.com/element-hq/synapse/issues/18967))
- Expose a `defer_to_threadpool` function in the Synapse Module API that allows modules to run a function on a separate thread in a custom threadpool. ([\#19032](https://github.com/element-hq/synapse/issues/19032))
-
-## Bugfixes
-
- Fix room upgrade `room_config` argument and documentation for `user_may_create_room` spam-checker callback. ([\#18721](https://github.com/element-hq/synapse/issues/18721))
- Compute a user's last seen timestamp from their devices' last seen timestamps instead of IPs, because the latter are automatically cleared according to `user_ips_max_age`. ([\#18948](https://github.com/element-hq/synapse/issues/18948))
- Fix bug where ephemeral events were not filtered by room ID. Contributed by @frastefanini. ([\#19002](https://github.com/element-hq/synapse/issues/19002))
- Update Synapse main process version string to include git info. ([\#19011](https://github.com/element-hq/synapse/issues/19011))
-
-## Improved Documentation
-
- Explain how `Deferred` callbacks interact with logcontexts. ([\#18914](https://github.com/element-hq/synapse/issues/18914))
- Fix documentation for `rc_room_creation` and `rc_reports` to clarify that a `per_user` rate limit is not supported. ([\#18998](https://github.com/element-hq/synapse/issues/18998))
-
-## Deprecations and Removals
-
- Remove deprecated `LoggingContext.set_current_context`/`LoggingContext.current_context` methods which already have equivalent bare methods in `synapse.logging.context`. ([\#18989](https://github.com/element-hq/synapse/issues/18989))
- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
-
-## Internal Changes
-
- Cleanly shutdown `SynapseHomeServer` object, allowing artifacts of embedded small hosts to be properly garbage collected. ([\#18828](https://github.com/element-hq/synapse/issues/18828))
- Update OEmbed providers to use 'X' instead of 'Twitter' in URL previews, following a rebrand. Contributed by @HammyHavoc. ([\#18767](https://github.com/element-hq/synapse/issues/18767))
- Fix `server_name` in logging context for multiple Synapse instances in one process. ([\#18868](https://github.com/element-hq/synapse/issues/18868))
- Wrap the Rust HTTP client with `make_deferred_yieldable` so it follows Synapse logcontext rules. ([\#18903](https://github.com/element-hq/synapse/issues/18903))
- Fix the GitHub Actions workflow that moves issues labeled "X-Needs-Info" to the "Needs info" column on the team's internal triage board. ([\#18913](https://github.com/element-hq/synapse/issues/18913))
- Disconnect background process work from request trace. ([\#18932](https://github.com/element-hq/synapse/issues/18932))
- Reduce overall number of calls to `_get_e2e_cross_signing_signatures_for_devices` by increasing the batch size of devices the query is called with, reducing DB load. ([\#18939](https://github.com/element-hq/synapse/issues/18939))
- Update error code used when an appservice tries to masquerade as an unknown device using [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326). Contributed by @tulir @ Beeper. ([\#18947](https://github.com/element-hq/synapse/issues/18947))
- Fix `no active span when trying to log` tracing error on startup (when OpenTracing is enabled). ([\#18959](https://github.com/element-hq/synapse/issues/18959))
- Fix `run_coroutine_in_background(...)` incorrectly handling logcontext. ([\#18964](https://github.com/element-hq/synapse/issues/18964))
- Add debug logs wherever we change current logcontext. ([\#18966](https://github.com/element-hq/synapse/issues/18966))
- Update dockerfile metadata to fix broken link; point to documentation website. ([\#18971](https://github.com/element-hq/synapse/issues/18971))
- Note that the code is additionally licensed under the [Element Commercial license](https://github.com/element-hq/synapse/blob/develop/LICENSE-COMMERCIAL) in SPDX expression field configs. ([\#18973](https://github.com/element-hq/synapse/issues/18973))
- Fix logcontext handling in `timeout_deferred` tests. ([\#18974](https://github.com/element-hq/synapse/issues/18974))
- Remove internal `ReplicationUploadKeysForUserRestServlet` as a follow-up to the work in https://github.com/element-hq/synapse/pull/18581 that moved device changes off the main process. ([\#18988](https://github.com/element-hq/synapse/issues/18988))
- Switch task scheduler from raw logcontext manipulation to using the dedicated logcontext utils. ([\#18990](https://github.com/element-hq/synapse/issues/18990))
- Remove `MockClock()` in tests. ([\#18992](https://github.com/element-hq/synapse/issues/18992))
- Switch back to our own custom `LogContextScopeManager` instead of OpenTracing's `ContextVarsScopeManager` which was causing problems when using the experimental `SYNAPSE_ASYNC_IO_REACTOR` option with tracing enabled. ([\#19007](https://github.com/element-hq/synapse/issues/19007))
- Remove `version_string` argument from `HomeServer` since it's always the same. ([\#19012](https://github.com/element-hq/synapse/issues/19012))
- Remove duplicate call to `hs.start_background_tasks()` introduced from a bad merge. ([\#19013](https://github.com/element-hq/synapse/issues/19013))
- Split homeserver creation (`create_homeserver`) and setup (`setup`). ([\#19015](https://github.com/element-hq/synapse/issues/19015))
- Swap near-end-of-life `macos-13` GitHub Actions runner for the `macos-15-intel` variant. ([\#19025](https://github.com/element-hq/synapse/issues/19025))
- Introduce `RootConfig.validate_config()` which can be subclassed in `HomeServerConfig` to do cross-config class validation. ([\#19027](https://github.com/element-hq/synapse/issues/19027))
- Allow any command of the `release.py` script to accept a `--gh-token` argument. ([\#19035](https://github.com/element-hq/synapse/issues/19035))
-
-
-
-### Updates to locked dependencies
-
-* Bump Swatinem/rust-cache from 2.8.0 to 2.8.1. ([\#18949](https://github.com/element-hq/synapse/issues/18949))
-* Bump actions/cache from 4.2.4 to 4.3.0. ([\#18983](https://github.com/element-hq/synapse/issues/18983))
-* Bump anyhow from 1.0.99 to 1.0.100. ([\#18950](https://github.com/element-hq/synapse/issues/18950))
-* Bump authlib from 1.6.3 to 1.6.4. ([\#18957](https://github.com/element-hq/synapse/issues/18957))
-* Bump authlib from 1.6.4 to 1.6.5. ([\#19019](https://github.com/element-hq/synapse/issues/19019))
-* Bump bcrypt from 4.3.0 to 5.0.0. ([\#18984](https://github.com/element-hq/synapse/issues/18984))
-* Bump docker/login-action from 3.5.0 to 3.6.0. ([\#18978](https://github.com/element-hq/synapse/issues/18978))
-* Bump lxml from 6.0.0 to 6.0.2. ([\#18979](https://github.com/element-hq/synapse/issues/18979))
-* Bump phonenumbers from 9.0.13 to 9.0.14. ([\#18954](https://github.com/element-hq/synapse/issues/18954))
-* Bump phonenumbers from 9.0.14 to 9.0.15. ([\#18991](https://github.com/element-hq/synapse/issues/18991))
-* Bump prometheus-client from 0.22.1 to 0.23.1. ([\#19016](https://github.com/element-hq/synapse/issues/19016))
-* Bump pydantic from 2.11.9 to 2.11.10. ([\#19017](https://github.com/element-hq/synapse/issues/19017))
-* Bump pygithub from 2.7.0 to 2.8.1. ([\#18952](https://github.com/element-hq/synapse/issues/18952))
-* Bump regex from 1.11.2 to 1.11.3. ([\#18981](https://github.com/element-hq/synapse/issues/18981))
-* Bump serde from 1.0.224 to 1.0.226. ([\#18953](https://github.com/element-hq/synapse/issues/18953))
-* Bump serde from 1.0.226 to 1.0.228. ([\#18982](https://github.com/element-hq/synapse/issues/18982))
-* Bump setuptools-rust from 1.11.1 to 1.12.0. ([\#18980](https://github.com/element-hq/synapse/issues/18980))
-* Bump twine from 6.1.0 to 6.2.0. ([\#18985](https://github.com/element-hq/synapse/issues/18985))
-* Bump types-pyyaml from 6.0.12.20250809 to 6.0.12.20250915. ([\#19018](https://github.com/element-hq/synapse/issues/19018))
-* Bump types-requests from 2.32.4.20250809 to 2.32.4.20250913. ([\#18951](https://github.com/element-hq/synapse/issues/18951))
-* Bump typing-extensions from 4.14.1 to 4.15.0. ([\#18956](https://github.com/element-hq/synapse/issues/18956))
-
-# Synapse 1.139.2 (2025-10-07)
-
-## Bugfixes
-
- Fix a bug introduced in 1.139.1 where a client could receive an Internal Server Error if they set `device_keys: null` in the request to [`POST /_matrix/client/v3/keys/upload`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3keysupload). ([\#19023](https://github.com/element-hq/synapse/issues/19023))
-
-
-
-
-# Synapse 1.139.1 (2025-10-07)
-
-## Security Fixes
-
- Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([\#17097](https://github.com/element-hq/synapse/issues/17097))
-
-## Deprecations and Removals
-
- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
-
-
-
-# Synapse 1.138.4 (2025-10-07)
-
-## Bugfixes
-
- Fix a bug introduced in 1.138.3 where a client could receive an Internal Server Error if they set `device_keys: null` in the request to [`POST /_matrix/client/v3/keys/upload`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3keysupload). ([\#19023](https://github.com/element-hq/synapse/issues/19023))
-
-
-
-
-# Synapse 1.138.3 (2025-10-07)
-
-## Security Fixes
-
- Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([\#17097](https://github.com/element-hq/synapse/issues/17097))
-
-## Deprecations and Removals
-
- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
-
-# Synapse 1.139.0 (2025-09-30)
-
-### `/register` requests from old application service implementations may break when using MAS
-
-If you are using Matrix Authentication Service (MAS), as of this release any
-Application Services that do not set `inhibit_login=true` when calling `POST
-/_matrix/client/v3/register` will receive the error
-`IO.ELEMENT.MSC4190.M_APPSERVICE_LOGIN_UNSUPPORTED` in response. Please see [the
-upgrade
-notes](https://element-hq.github.io/synapse/develop/upgrade.html#register-requests-from-old-application-service-implementations-may-break-when-using-mas)
-for more information.
-
-No significant changes since 1.139.0rc3.
-
-
-# Synapse 1.139.0rc3 (2025-09-25)
-
-## Bugfixes
-
- Fix a bug introduced in 1.139.0rc1 where `run_coroutine_in_background(...)` incorrectly handled logcontexts, resulting in partially broken logging. ([\#18964](https://github.com/element-hq/synapse/issues/18964))
-
-
-
-
-# Synapse 1.139.0rc2 (2025-09-23)
-
-## Internal Changes
-
- Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin. This change was applied on top of 1.139.0rc1. ([\#18962](https://github.com/element-hq/synapse/issues/18962))
-
-
-
-# Synapse 1.139.0rc1 (2025-09-23)
-
-## Features
-
- Add experimental support for [MSC4308: Thread Subscriptions extension to Sliding Sync](https://github.com/matrix-org/matrix-spec-proposals/pull/4308) when [MSC4306: Thread Subscriptions](https://github.com/matrix-org/matrix-spec-proposals/pull/4306) and [MSC4186: Simplified Sliding Sync](https://github.com/matrix-org/matrix-spec-proposals/pull/4186) are enabled. ([\#18695](https://github.com/element-hq/synapse/issues/18695))
- Update push rules for experimental [MSC4306: Thread Subscriptions](https://github.com/matrix-org/matrix-doc/issues/4306) to follow a newer draft. ([\#18846](https://github.com/element-hq/synapse/issues/18846))
- Add `get_media_upload_limits_for_user` and `on_media_upload_limit_exceeded` module API callbacks to the media repository. ([\#18848](https://github.com/element-hq/synapse/issues/18848))
- Support [MSC4169](https://github.com/matrix-org/matrix-spec-proposals/pull/4169) for backwards-compatible redaction sending using the `/send` endpoint. Contributed by @SpiritCroc @ Beeper. ([\#18898](https://github.com/element-hq/synapse/issues/18898))
- Add an in-memory cache to `_get_e2e_cross_signing_signatures_for_devices` to reduce DB load. ([\#18899](https://github.com/element-hq/synapse/issues/18899))
- Update [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) support to return correct errors and allow appservices to reset cross-signing keys without user-interactive authentication. Contributed by @tulir @ Beeper. ([\#18946](https://github.com/element-hq/synapse/issues/18946))
-
-## Bugfixes
-
- Ensure all PDUs sent via `/send` pass canonical JSON checks. ([\#18641](https://github.com/element-hq/synapse/issues/18641))
- Fix bug where we did not send invite revocations over federation. ([\#18823](https://github.com/element-hq/synapse/issues/18823))
- Fix prefixed support for [MSC4133](https://github.com/matrix-org/matrix-spec-proposals/pull/4133). ([\#18875](https://github.com/element-hq/synapse/issues/18875))
- Fix open redirect in legacy SSO flow with the `idp` query parameter. ([\#18909](https://github.com/element-hq/synapse/issues/18909))
- Fix a performance regression related to the experimental Delayed Events ([MSC4140](https://github.com/matrix-org/matrix-spec-proposals/pull/4140)) feature. ([\#18926](https://github.com/element-hq/synapse/issues/18926))
-
-## Updates to the Docker image
-
- Suppress "Applying schema" log noise bulk when `SYNAPSE_LOG_TESTING` is set. ([\#18878](https://github.com/element-hq/synapse/issues/18878))
-
-## Improved Documentation
-
- Clarify Python dependency constraints in our deprecation policy. ([\#18856](https://github.com/element-hq/synapse/issues/18856))
- Clarify necessary `jwt_config` parameter in OIDC documentation for authentik. Contributed by @maxkratz. ([\#18931](https://github.com/element-hq/synapse/issues/18931))
-
-## Deprecations and Removals
-
- Remove obsolete and experimental `/sync/e2ee` endpoint. ([\#18583](https://github.com/element-hq/synapse/issues/18583))
-
-## Internal Changes
-
- Fix `LaterGauge` metrics to collect from all servers. ([\#18791](https://github.com/element-hq/synapse/issues/18791))
- Configure Synapse to run [MSC4306: Thread Subscriptions](https://github.com/matrix-org/matrix-spec-proposals/pull/4306) Complement tests. ([\#18819](https://github.com/element-hq/synapse/issues/18819))
- Remove `sentinel` logcontext usage where we log in `setup`, `start` and `exit`. ([\#18870](https://github.com/element-hq/synapse/issues/18870))
- Use the `Enum`'s value for the dictionary key when responding to an admin request for experimental features. ([\#18874](https://github.com/element-hq/synapse/issues/18874))
- Start background tasks after we fork the process (daemonize). ([\#18886](https://github.com/element-hq/synapse/issues/18886))
- Better explain how we manage the logcontext in `run_in_background(...)` and `run_as_background_process(...)`. ([\#18900](https://github.com/element-hq/synapse/issues/18900), [\#18906](https://github.com/element-hq/synapse/issues/18906))
- Remove `sentinel` logcontext usage in `Clock` utilities like `looping_call` and `call_later`. ([\#18907](https://github.com/element-hq/synapse/issues/18907))
- Replace usages of the deprecated `pkg_resources` interface in preparation of setuptools dropping it soon. ([\#18910](https://github.com/element-hq/synapse/issues/18910))
- Split loading config from homeserver `setup`. ([\#18933](https://github.com/element-hq/synapse/issues/18933))
- Fix `run_in_background` not being awaited properly in some tests causing `LoggingContext` problems. ([\#18937](https://github.com/element-hq/synapse/issues/18937))
- Fix `run_as_background_process` not being awaited properly causing `LoggingContext` problems in experimental [MSC4140](https://github.com/matrix-org/matrix-spec-proposals/pull/4140): Delayed events implementation. ([\#18938](https://github.com/element-hq/synapse/issues/18938))
- Introduce `Clock.call_when_running(...)` to wrap startup code in a logcontext, ensuring we can identify which server generated the logs. ([\#18944](https://github.com/element-hq/synapse/issues/18944))
- Introduce `Clock.add_system_event_trigger(...)` to wrap system event callback code in a logcontext, ensuring we can identify which server generated the logs. ([\#18945](https://github.com/element-hq/synapse/issues/18945))
-
-
-
-### Updates to locked dependencies
-
-* Bump actions/setup-go from 5.5.0 to 6.0.0. ([\#18891](https://github.com/element-hq/synapse/issues/18891))
-* Bump actions/setup-python from 5.6.0 to 6.0.0. ([\#18890](https://github.com/element-hq/synapse/issues/18890))
-* Bump authlib from 1.6.1 to 1.6.3. ([\#18921](https://github.com/element-hq/synapse/issues/18921))
-* Bump jsonschema from 4.25.0 to 4.25.1. ([\#18897](https://github.com/element-hq/synapse/issues/18897))
-* Bump log from 0.4.27 to 0.4.28. ([\#18892](https://github.com/element-hq/synapse/issues/18892))
-* Bump phonenumbers from 9.0.12 to 9.0.13. ([\#18893](https://github.com/element-hq/synapse/issues/18893))
-* Bump pydantic from 2.11.7 to 2.11.9. ([\#18922](https://github.com/element-hq/synapse/issues/18922))
-* Bump serde from 1.0.219 to 1.0.223. ([\#18920](https://github.com/element-hq/synapse/issues/18920))
-* Bump serde_json from 1.0.143 to 1.0.145. ([\#18919](https://github.com/element-hq/synapse/issues/18919))
-* Bump sigstore/cosign-installer from 3.9.2 to 3.10.0. ([\#18917](https://github.com/element-hq/synapse/issues/18917))
-* Bump towncrier from 24.8.0 to 25.8.0. ([\#18894](https://github.com/element-hq/synapse/issues/18894))
-* Bump types-psycopg2 from 2.9.21.20250809 to 2.9.21.20250915. ([\#18918](https://github.com/element-hq/synapse/issues/18918))
-* Bump types-requests from 2.32.4.20250611 to 2.32.4.20250809. ([\#18895](https://github.com/element-hq/synapse/issues/18895))
-* Bump types-setuptools from 80.9.0.20250809 to 80.9.0.20250822. ([\#18924](https://github.com/element-hq/synapse/issues/18924))
-
-# Synapse 1.138.2 (2025-09-24)
-
-## Internal Changes
-
- Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin. This change was applied on top of 1.138.1. ([\#18962](https://github.com/element-hq/synapse/issues/18962))
-
-
-
-# Synapse 1.138.1 (2025-09-24)
-
-## Bugfixes
-
- Fix a performance regression related to the experimental Delayed Events ([MSC4140](https://github.com/matrix-org/matrix-spec-proposals/pull/4140)) feature. ([\#18926](https://github.com/element-hq/synapse/issues/18926))
-
-
-
-
-# Synapse 1.138.0 (2025-09-09)
-
-No significant changes since 1.138.0rc1.
-
-
-
-
-# Synapse 1.138.0rc1 (2025-09-02)
-
-### Features
-
- Support for the stable endpoint and scopes of [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) & co. ([\#18549](https://github.com/element-hq/synapse/issues/18549))
-
-### Bugfixes
-
- Improve database performance of [MSC4293](https://github.com/matrix-org/matrix-spec-proposals/pull/4293) - Redact on Kick/Ban. ([\#18851](https://github.com/element-hq/synapse/issues/18851))
- Do not throw an error when fetching a rejected delayed state event on startup. ([\#18858](https://github.com/element-hq/synapse/issues/18858))
-
-### Improved Documentation
-
- Fix worker documentation incorrectly indicating all room Admin API requests were capable of being handled by workers. ([\#18853](https://github.com/element-hq/synapse/issues/18853))
-
-### Internal Changes
-
- Instrument `_ByteProducer` with tracing to measure potential dead time while writing bytes to the request. ([\#18804](https://github.com/element-hq/synapse/issues/18804))
- Switch to OpenTracing's `ContextVarsScopeManager` instead of our own custom `LogContextScopeManager`. ([\#18849](https://github.com/element-hq/synapse/issues/18849))
- Trace how much work is being done while "recursively fetching redactions". ([\#18854](https://github.com/element-hq/synapse/issues/18854))
- Link [upstream Twisted bug](https://github.com/twisted/twisted/issues/12498) tracking the problem that explains why we have to use a `Producer` to write bytes to the request. ([\#18855](https://github.com/element-hq/synapse/issues/18855))
- Introduce `EventPersistencePair` type. ([\#18857](https://github.com/element-hq/synapse/issues/18857))
-
-
-
-### Updates to locked dependencies
-
-* Bump actions/add-to-project from c0c5949b017d0d4a39f7ba888255881bdac2a823 to 4515659e2b458b27365e167605ac44f219494b66. ([\#18863](https://github.com/element-hq/synapse/issues/18863))
-* Bump actions/checkout from 4.3.0 to 5.0.0. ([\#18834](https://github.com/element-hq/synapse/issues/18834))
-* Bump anyhow from 1.0.98 to 1.0.99. ([\#18841](https://github.com/element-hq/synapse/issues/18841))
-* Bump docker/login-action from 3.4.0 to 3.5.0. ([\#18835](https://github.com/element-hq/synapse/issues/18835))
-* Bump dtolnay/rust-toolchain from b3b07ba8b418998c39fb20f53e8b695cdcc8de1b to e97e2d8cc328f1b50210efc529dca0028893a2d9. ([\#18862](https://github.com/element-hq/synapse/issues/18862))
-* Bump phonenumbers from 9.0.11 to 9.0.12. ([\#18837](https://github.com/element-hq/synapse/issues/18837))
-* Bump regex from 1.11.1 to 1.11.2. ([\#18864](https://github.com/element-hq/synapse/issues/18864))
-* Bump reqwest from 0.12.22 to 0.12.23. ([\#18842](https://github.com/element-hq/synapse/issues/18842))
-* Bump ruff from 0.12.7 to 0.12.10. ([\#18865](https://github.com/element-hq/synapse/issues/18865))
-* Bump serde_json from 1.0.142 to 1.0.143. ([\#18866](https://github.com/element-hq/synapse/issues/18866))
-* Bump types-bleach from 6.2.0.20250514 to 6.2.0.20250809. ([\#18838](https://github.com/element-hq/synapse/issues/18838))
-* Bump types-jsonschema from 4.25.0.20250720 to 4.25.1.20250822. ([\#18867](https://github.com/element-hq/synapse/issues/18867))
-* Bump types-psycopg2 from 2.9.21.20250718 to 2.9.21.20250809. ([\#18836](https://github.com/element-hq/synapse/issues/18836))
-
-# Synapse 1.137.0 (2025-08-26)
-
-No significant changes since 1.137.0rc1.
-
-
-
-
 # Synapse 1.137.0rc1 (2025-08-19)

 ### Bugfixes
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2,6 +2,21 @@
 # It is not intended for manual editing.
 version = 3

+[[package]]
+name = "addr2line"
+version = "0.24.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
+
 [[package]]
 name = "aho-corasick"
 version = "1.1.3"
@@ -13,9 +28,9 @@ dependencies = [

 [[package]]
 name = "anyhow"
-version = "1.0.100"
+version = "1.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
+checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"

 [[package]]
 name = "arc-swap"
@@ -35,6 +50,21 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

+[[package]]
+name = "backtrace"
+version = "0.3.75"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002"
+dependencies = [
+ "addr2line",
+ "cfg-if",
+ "libc",
+ "miniz_oxide",
+ "object",
+ "rustc-demangle",
+ "windows-targets",
+]
+
 [[package]]
 name = "base64"
 version = "0.22.1"
@@ -311,6 +341,12 @@ dependencies = [
 "wasm-bindgen",
 ]

+[[package]]
+name = "gimli"
+version = "0.31.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
+
 [[package]]
 name = "h2"
 version = "0.4.11"
@@ -648,6 +684,17 @@ version = "2.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f4c7245a08504955605670dbf141fceab975f15ca21570696aebe9d2e71576bd"

+[[package]]
+name = "io-uring"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "libc",
+]
+
 [[package]]
 name = "ipnet"
 version = "2.11.0"
@@ -706,9 +753,9 @@ checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"

 [[package]]
 name = "log"
-version = "0.4.28"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"

 [[package]]
 name = "lru-slab"
@@ -737,6 +784,15 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"

+[[package]]
+name = "miniz_oxide"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+dependencies = [
+ "adler2",
+]
+
 [[package]]
 name = "mio"
 version = "1.0.4"
@@ -748,6 +804,15 @@ dependencies = [
 "windows-sys 0.59.0",
 ]

+[[package]]
+name = "object"
+version = "0.36.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.21.3"
@@ -814,9 +879,9 @@ dependencies = [

 [[package]]
 name = "pyo3"
-version = "0.26.0"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ba0117f4212101ee6544044dae45abe1083d30ce7b29c4b5cbdfa2354e07383"
+checksum = "8970a78afe0628a3e3430376fc5fd76b6b45c4d43360ffd6cdd40bdde72b682a"
 dependencies = [
 "anyhow",
 "indoc",
@@ -832,18 +897,19 @@ dependencies = [

 [[package]]
 name = "pyo3-build-config"
-version = "0.26.0"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fc6ddaf24947d12a9aa31ac65431fb1b851b8f4365426e182901eabfb87df5f"
+checksum = "458eb0c55e7ece017adeba38f2248ff3ac615e53660d7c71a238d7d2a01c7598"
 dependencies = [
+ "once_cell",
 "target-lexicon",
 ]

 [[package]]
 name = "pyo3-ffi"
-version = "0.26.0"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "025474d3928738efb38ac36d4744a74a400c901c7596199e20e45d98eb194105"
+checksum = "7114fe5457c61b276ab77c5055f206295b812608083644a5c5b2640c3102565c"
 dependencies = [
 "libc",
 "pyo3-build-config",
@@ -851,9 +917,9 @@ dependencies = [

 [[package]]
 name = "pyo3-log"
-version = "0.13.1"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d359e20231345f21a3b5b6aea7e73f4dc97e1712ef3bfe2d88997ac6a308d784"
+checksum = "45192e5e4a4d2505587e27806c7b710c231c40c56f3bfc19535d0bb25df52264"
 dependencies = [
 "arc-swap",
 "log",
@@ -862,9 +928,9 @@ dependencies = [

 [[package]]
 name = "pyo3-macros"
-version = "0.26.0"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e64eb489f22fe1c95911b77c44cc41e7c19f3082fc81cce90f657cdc42ffded"
+checksum = "a8725c0a622b374d6cb051d11a0983786448f7785336139c3c94f5aa6bef7e50"
 dependencies = [
 "proc-macro2",
 "pyo3-macros-backend",
@@ -874,9 +940,9 @@ dependencies = [

 [[package]]
 name = "pyo3-macros-backend"
-version = "0.26.0"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "100246c0ecf400b475341b8455a9213344569af29a3c841d29270e53102e0fcf"
+checksum = "4109984c22491085343c05b0dbc54ddc405c3cf7b4374fc533f5c3313a572ccc"
 dependencies = [
 "heck",
 "proc-macro2",
@@ -887,9 +953,9 @@ dependencies = [

 [[package]]
 name = "pythonize"
-version = "0.26.0"
+version = "0.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "11e06e4cff9be2bbf2bddf28a486ae619172ea57e79787f856572878c62dcfe2"
+checksum = "597907139a488b22573158793aa7539df36ae863eba300c75f3a0d65fc475e27"
 dependencies = [
 "pyo3",
 "serde",
@@ -996,9 +1062,9 @@ dependencies = [

 [[package]]
 name = "regex"
-version = "1.12.2"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "843bc0191f75f3e22651ae5f1e72939ab2f72a4bc30fa80a066bd66edefc24d4"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -1008,9 +1074,9 @@ dependencies = [

 [[package]]
 name = "regex-automata"
-version = "0.4.13"
+version = "0.4.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
+checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -1025,9 +1091,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"

 [[package]]
 name = "reqwest"
-version = "0.12.24"
+version = "0.12.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d0946410b9f7b082a427e4ef5c8ff541a88b357bc6c637c40db3a68ac70a36f"
+checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531"
 dependencies = [
 "base64",
 "bytes",
@@ -1079,6 +1145,12 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

+[[package]]
+name = "rustc-demangle"
+version = "0.1.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56f7d92ca342cea22a06f2121d944b4fd82af56988c270852495420f961d4ace"
+
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -1178,28 +1250,18 @@ dependencies = [

 [[package]]
 name = "serde"
-version = "1.0.228"
+version = "1.0.219"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
-dependencies = [
- "serde_core",
- "serde_derive",
-]
-
-[[package]]
-name = "serde_core"
-version = "1.0.228"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
 dependencies = [
 "serde_derive",
 ]

 [[package]]
 name = "serde_derive"
-version = "1.0.228"
+version = "1.0.219"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -1208,15 +1270,14 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.145"
+version = "1.0.142"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
+checksum = "030fedb782600dcbd6f02d479bf0d817ac3bb40d644745b769d6a96bc3afc5a7"
 dependencies = [
 "itoa",
 "memchr",
 "ryu",
 "serde",
- "serde_core",
 ]

 [[package]]
@@ -1417,16 +1478,19 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

 [[package]]
 name = "tokio"
-version = "1.48.0"
+version = "1.47.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff360e02eab121e0bc37a2d3b4d4dc622e6eda3a8e5253d5435ecf5bd4c68408"
+checksum = "89e49afdadebb872d3145a5638b59eb0691ea23e46ca484037cfab3b76b95038"
 dependencies = [
+ "backtrace",
 "bytes",
+ "io-uring",
 "libc",
 "mio",
 "pin-project-lite",
+ "slab",
 "socket2 0.6.0",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -1707,12 +1771,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "windows-link"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
-
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -1731,15 +1789,6 @@ dependencies = [
 "windows-targets",
 ]

-[[package]]
-name = "windows-sys"
-version = "0.61.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
-dependencies = [
- "windows-link",
-]
-
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
--- a/README.rst
+++ b/README.rst
@@ -265,8 +265,6 @@ This software is dual-licensed by New Vector Ltd (Element). It can be used eithe

 Unless required by applicable law or agreed to in writing, software distributed under the Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.

-Please contact `licensing@element.io <mailto:licensing@element.io>`_ to purchase an Element commercial license for this software.
-

 .. |support| image:: https://img.shields.io/badge/matrix-community%20support-success
  :alt: (get community support in #synapse:matrix.org)
--- a/build_rust.py
+++ b/build_rust.py
@@ -2,13 +2,13 @@

 import itertools
 import os
-from typing import Any
+from typing import Any, Dict

 from packaging.specifiers import SpecifierSet
 from setuptools_rust import Binding, RustExtension


-def build(setup_kwargs: dict[str, Any]) -> None:
+def build(setup_kwargs: Dict[str, Any]) -> None:
    original_project_dir = os.path.dirname(os.path.realpath(__file__))
    cargo_toml_path = os.path.join(original_project_dir, "rust", "Cargo.toml")

@@ -27,12 +27,12 @@ def build(setup_kwargs: dict[str, Any]) -> None:
    setup_kwargs["zip_safe"] = False

    # We look up the minimum supported Python version with
-    # `python_requires` (e.g. ">=3.10.0,<4.0.0") and finding the first Python
+    # `python_requires` (e.g. ">=3.9.0,<4.0.0") and finding the first Python
    # version that matches. We then convert that into the `py_limited_api` form,
-    # e.g. cp310 for Python 3.10.
+    # e.g. cp39 for Python 3.9.
    py_limited_api: str
    python_bounds = SpecifierSet(setup_kwargs["python_requires"])
-    for minor_version in itertools.count(start=10):
+    for minor_version in itertools.count(start=8):
        if f"3.{minor_version}.0" in python_bounds:
            py_limited_api = f"cp3{minor_version}"
            break
--- a/changelog.d/18856.doc
+++ b/changelog.d/18856.doc
@@ -0,0 +1 @@
+Clarify Python dependency constraints in our deprecation policy.
--- a/changelog.d/19020.misc
+++ b/changelog.d/19020.misc
@@ -1 +0,0 @@
-Fix CI linter for schema delta files to correctly handle all types of `CREATE TABLE` syntax.
--- a/changelog.d/19021.feature
+++ b/changelog.d/19021.feature
@@ -1,2 +0,0 @@
-Add an [Admin API](https://element-hq.github.io/synapse/latest/usage/administration/admin_api/index.html)
-to allow an admin to fetch the space/room hierarchy for a given space.
--- a/changelog.d/19046.misc
+++ b/changelog.d/19046.misc
@@ -1 +0,0 @@
-Use type hinting generics in standard collections, as per PEP 585, added in Python 3.9.
--- a/changelog.d/19047.doc
+++ b/changelog.d/19047.doc
@@ -1 +0,0 @@
-Update the link to the Debian oldstable package for SQLite.
--- a/changelog.d/19047.misc
+++ b/changelog.d/19047.misc
@@ -1 +0,0 @@
-Always treat `RETURNING` as supported by SQL engines, now that the minimum-supported versions of both SQLite and PostgreSQL support it.
--- a/changelog.d/19047.removal
+++ b/changelog.d/19047.removal
@@ -1 +0,0 @@
-Remove support for SQLite < 3.37.2.
--- a/changelog.d/19055.misc
+++ b/changelog.d/19055.misc
@@ -1 +0,0 @@
-Add support for Python 3.14.
--- a/changelog.d/19058.misc
+++ b/changelog.d/19058.misc
@@ -1 +0,0 @@
-Remove logcontext problems caused by awaiting raw `deferLater(...)`.
--- a/changelog.d/19062.bugfix
+++ b/changelog.d/19062.bugfix
@@ -1 +0,0 @@
-Fix a bug introduced in 1.111.0 where failed attempts to download authenticated remote media would not be handled correctly.
--- a/changelog.d/19067.misc
+++ b/changelog.d/19067.misc
@@ -1 +0,0 @@
-Prevent duplicate logging setup when running multiple Synapse instances.
--- a/changelog.d/19068.misc
+++ b/changelog.d/19068.misc
@@ -1 +0,0 @@
-Be mindful of other logging context filters in 3rd-party code and avoid overwriting log record fields unless we know the log record is relevant to Synapse.
--- a/changelog.d/19071.misc
+++ b/changelog.d/19071.misc
@@ -1 +0,0 @@
-Update pydantic to v2.
--- a/changelog.d/19073.doc
+++ b/changelog.d/19073.doc
@@ -1 +0,0 @@
-Point out additional Redis configuration options available in the worker docs. Contributed by @servisbryce.
--- a/changelog.d/19079.bugfix
+++ b/changelog.d/19079.bugfix
@@ -1 +0,0 @@
-Fix the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane.
--- a/changelog.d/19080.misc
+++ b/changelog.d/19080.misc
@@ -1 +0,0 @@
-Update deprecated code in the release script to prevent a warning message from being printed.
--- a/changelog.d/19081.misc
+++ b/changelog.d/19081.misc
@@ -1 +0,0 @@
-Update the deprecated poetry development dependencies group name in `pyproject.toml`.
--- a/changelog.d/19085.misc
+++ b/changelog.d/19085.misc
@@ -1 +0,0 @@
-Remove `pp38*` skip selector from cibuildwheel to silence warning.
--- a/changelog.d/19088.misc
+++ b/changelog.d/19088.misc
@@ -1 +0,0 @@
-Don't immediately exit the release script if the checkout is dirty. Instead, allow the user to clear the dirty changes and retry.
--- a/changelog.d/19089.misc
+++ b/changelog.d/19089.misc
@@ -1 +0,0 @@
-Update the release script's generated announcement text to include a title and extra text for RC's.
--- a/changelog.d/19090.bugfix
+++ b/changelog.d/19090.bugfix
@@ -1 +0,0 @@
-Fix lost logcontext warnings from timeouts in sync and requests made by Synapse itself.
--- a/changelog.d/19092.misc
+++ b/changelog.d/19092.misc
@@ -1 +0,0 @@
-Fix lints on main branch.
--- a/changelog.d/19094.misc
+++ b/changelog.d/19094.misc
@@ -1 +0,0 @@
-Use cheaper random string function in logcontext utilities.
--- a/changelog.d/19095.misc
+++ b/changelog.d/19095.misc
@@ -1 +0,0 @@
-Avoid clobbering other `SIGHUP` handlers in 3rd-party code.
--- a/changelog.d/19096.misc
+++ b/changelog.d/19096.misc
@@ -1 +0,0 @@
-Prevent duplicate GitHub draft releases being created during the Synapse release process.
--- a/changelog.d/19098.misc
+++ b/changelog.d/19098.misc
@@ -1 +0,0 @@
-Use Pillow's `Image.getexif` method instead of the experimental `Image._getexif`.
--- a/changelog.d/19099.removal
+++ b/changelog.d/19099.removal
@@ -1 +0,0 @@
-Drop support for Python 3.9.
--- a/changelog.d/19100.doc
+++ b/changelog.d/19100.doc
@@ -1 +0,0 @@
-Update the list of Debian releases that the downstream Debian package is maintained for.
--- a/changelog.d/19107.misc
+++ b/changelog.d/19107.misc
@@ -1 +0,0 @@
-Prevent uv `/usr/local/.lock` file from appearing in built Synapse docker images.
--- a/changelog.d/19109.doc
+++ b/changelog.d/19109.doc
@@ -1 +0,0 @@
-Add [a page](https://element-hq.github.io/synapse/latest/development/internal_documentation/release_notes_review_checklist.html) to the documentation describing the steps the Synapse team takes to review the release notes before publishing them.
--- a/changelog.d/19110.misc
+++ b/changelog.d/19110.misc
@@ -1 +0,0 @@
-Allow Synapse's runtime dependency checking code to take packaging markers (i.e. `python <= 3.14`) into account when checking dependencies.
--- a/changelog.d/19118.misc
+++ b/changelog.d/19118.misc
@@ -1 +0,0 @@
-Fix a lint error related to lifetimes in Rust 1.90.
--- a/contrib/graph/graph.py
+++ b/contrib/graph/graph.py
@@ -24,6 +24,7 @@ import datetime
 import html
 import json
 import urllib.request
+from typing import List

 import pydot

@@ -32,7 +33,7 @@ def make_name(pdu_id: str, origin: str) -> str:
    return f"{pdu_id}@{origin}"


-def make_graph(pdus: list[dict], filename_prefix: str) -> None:
+def make_graph(pdus: List[dict], filename_prefix: str) -> None:
    """
    Generate a dot and SVG file for a graph of events in the room based on the
    topological ordering by querying a homeserver.
@@ -126,7 +127,7 @@ def make_graph(pdus: list[dict], filename_prefix: str) -> None:
    graph.write_svg("%s.svg" % filename_prefix, prog="dot")


-def get_pdus(host: str, room: str) -> list[dict]:
+def get_pdus(host: str, room: str) -> List[dict]:
    transaction = json.loads(
        urllib.request.urlopen(
            f"http://{host}/_matrix/federation/v1/context/{room}/"
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,107 +1,3 @@
-matrix-synapse-py3 (1.141.0) stable; urgency=medium
-
-  * New Synapse release 1.141.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Wed, 29 Oct 2025 11:01:43 +0000
-
-matrix-synapse-py3 (1.141.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.141.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 28 Oct 2025 10:20:26 +0000
-
-matrix-synapse-py3 (1.141.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.141.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 21 Oct 2025 11:01:44 +0100
-
-matrix-synapse-py3 (1.140.0) stable; urgency=medium
-
-  * New Synapse release 1.140.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 14 Oct 2025 15:22:36 +0100
-
-matrix-synapse-py3 (1.140.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.140.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Fri, 10 Oct 2025 10:56:51 +0100
-
-matrix-synapse-py3 (1.139.2) stable; urgency=medium
-
-  * New Synapse release 1.139.2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 16:29:47 +0100
-
-matrix-synapse-py3 (1.139.1) stable; urgency=medium
-
-  * New Synapse release 1.139.1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 11:46:51 +0100
-
-matrix-synapse-py3 (1.138.4) stable; urgency=medium
-
-  * New Synapse release 1.138.4.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 16:28:38 +0100
-
-matrix-synapse-py3 (1.138.3) stable; urgency=medium
-
-  * New Synapse release 1.138.3.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 12:54:18 +0100
-
-matrix-synapse-py3 (1.139.0) stable; urgency=medium
-
-  * New Synapse release 1.139.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 30 Sep 2025 11:58:55 +0100
-
-matrix-synapse-py3 (1.139.0~rc3) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc3.
-
- -- Synapse Packaging team <packages@matrix.org>  Thu, 25 Sep 2025 12:13:23 +0100
-
-matrix-synapse-py3 (1.138.2) stable; urgency=medium
-
-  * The licensing specifier has been updated to add an optional
-    `LicenseRef-Element-Commercial` license. The code was already licensed in
-    this manner - the debian metadata was just not updated to reflect it.
-
- -- Synapse Packaging team <packages@matrix.org>  Thu, 25 Sep 2025 12:17:17 +0100
-
-matrix-synapse-py3 (1.138.1) stable; urgency=medium
-
-  * New Synapse release 1.138.1.
-
- -- Synapse Packaging team <packages@matrix.org>  Wed, 24 Sep 2025 11:32:38 +0100
-
-matrix-synapse-py3 (1.139.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 23 Sep 2025 15:31:42 +0100
-
-matrix-synapse-py3 (1.139.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.139.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 23 Sep 2025 13:24:50 +0100
-
-matrix-synapse-py3 (1.138.0~rc1) stable; urgency=medium
-
-  * New synapse release 1.138.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 02 Sep 2025 12:16:14 +0000
-
-matrix-synapse-py3 (1.137.0) stable; urgency=medium
-
-  * New Synapse release 1.137.0.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 26 Aug 2025 10:23:41 +0100
-
 matrix-synapse-py3 (1.137.0~rc1) stable; urgency=medium

  * New Synapse release 1.137.0rc1.
--- a/debian/copyright
+++ b/debian/copyright
@@ -8,7 +8,7 @@ License: Apache-2.0

 Files: *
 Copyright: 2023 New Vector Ltd
-License: AGPL-3.0-or-later or LicenseRef-Element-Commercial
+License: AGPL-3.0-or-later

 Files: synapse/config/saml2.py
 Copyright: 2015, Ericsson
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -20,8 +20,8 @@
 # `poetry export | pip install -r /dev/stdin`, but beware: we have experienced bugs in
 # in `poetry export` in the past.

-ARG DEBIAN_VERSION=trixie
-ARG PYTHON_VERSION=3.13
+ARG DEBIAN_VERSION=bookworm
+ARG PYTHON_VERSION=3.12
 ARG POETRY_VERSION=2.1.1

 ###
@@ -142,10 +142,10 @@ RUN \
      libwebp7 \
      xmlsec1 \
      libjemalloc2 \
+      libicu \
    | grep '^\w' > /tmp/pkg-list && \
  for arch in arm64 amd64; do \
    mkdir -p /tmp/debs-${arch} && \
-    chown _apt:root /tmp/debs-${arch} && \
    cd /tmp/debs-${arch} && \
    apt-get -o APT::Architecture="${arch}" download $(cat /tmp/pkg-list); \
  done
@@ -171,20 +171,20 @@ FROM docker.io/library/python:${PYTHON_VERSION}-slim-${DEBIAN_VERSION}

 ARG TARGETARCH

-LABEL org.opencontainers.image.url='https://github.com/element-hq/synapse'
-LABEL org.opencontainers.image.documentation='https://element-hq.github.io/synapse/latest/'
+LABEL org.opencontainers.image.url='https://matrix.org/docs/projects/server/synapse'
+LABEL org.opencontainers.image.documentation='https://github.com/element-hq/synapse/blob/master/docker/README.md'
 LABEL org.opencontainers.image.source='https://github.com/element-hq/synapse.git'
-LABEL org.opencontainers.image.licenses='AGPL-3.0-or-later OR LicenseRef-Element-Commercial'
+LABEL org.opencontainers.image.licenses='AGPL-3.0-or-later'

+# On the runtime image, /lib is a symlink to /usr/lib, so we need to copy the
+# libraries to the right place, else the `COPY` won't work.
+# On amd64, we'll also have a /lib64 folder with ld-linux-x86-64.so.2, which is
+# already present in the runtime image.
+COPY --from=runtime-deps /install-${TARGETARCH}/lib /usr/lib
 COPY --from=runtime-deps /install-${TARGETARCH}/etc /etc
 COPY --from=runtime-deps /install-${TARGETARCH}/usr /usr
 COPY --from=runtime-deps /install-${TARGETARCH}/var /var
-
-# Copy the installed python packages from the builder stage.
-#
-# uv will generate a `.lock` file when installing packages, which we don't want
-# to copy to the final image.
-COPY --from=builder  --exclude=.lock /install /usr/local
+COPY --from=builder /install /usr/local
 COPY ./docker/start.py /start.py
 COPY ./docker/conf /conf

--- a/docker/Dockerfile-workers
+++ b/docker/Dockerfile-workers
@@ -1,10 +1,9 @@
-# syntax=docker/dockerfile:1-labs
+# syntax=docker/dockerfile:1

 ARG SYNAPSE_VERSION=latest
 ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION
-ARG DEBIAN_VERSION=trixie
-ARG PYTHON_VERSION=3.13
-ARG REDIS_VERSION=7.2
+ARG DEBIAN_VERSION=bookworm
+ARG PYTHON_VERSION=3.12

 # first of all, we create a base image with dependencies which we can copy into the
 # target image. For repeated rebuilds, this is much faster than apt installing
@@ -12,27 +11,15 @@ ARG REDIS_VERSION=7.2

 FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base

-    ARG DEBIAN_VERSION
-    ARG REDIS_VERSION
-
    # Tell apt to keep downloaded package files, as we're using cache mounts.
    RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

-    # The upstream redis-server deb has fewer dynamic libraries than Debian's package which makes it easier to copy later on
-    RUN \
-      curl -fsSL https://packages.redis.io/gpg | gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg && \
-      chmod 644 /usr/share/keyrings/redis-archive-keyring.gpg && \
-      echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb ${DEBIAN_VERSION} main" | tee /etc/apt/sources.list.d/redis.list
-
    RUN \
       --mount=type=cache,target=/var/cache/apt,sharing=locked \
       --mount=type=cache,target=/var/lib/apt,sharing=locked \
      apt-get update -qq && \
      DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \
-          nginx-light \
-          redis-server="6:${REDIS_VERSION}.*" redis-tools="6:${REDIS_VERSION}.*" \
-          # libicu is required by postgres, see `docker/complement/Dockerfile`
-          libicu76
+          nginx-light

    RUN \
    # remove default page
@@ -48,12 +35,19 @@ FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base

    RUN mkdir -p /uv/etc/supervisor/conf.d

+# Similarly, a base to copy the redis server from.
+#
+# The redis docker image has fewer dynamic libraries than the debian package,
+# which makes it much easier to copy (but we need to make sure we use an image
+# based on the same debian version as the synapse image, to make sure we get
+# the expected version of libc.
+FROM docker.io/library/redis:7-${DEBIAN_VERSION} AS redis_base
+
 # now build the final image, based on the the regular Synapse docker image
 FROM $FROM

    # Copy over dependencies
-    COPY --from=deps_base --parents /usr/lib/*-linux-gnu/libicu* /
-    COPY --from=deps_base /usr/bin/redis-server /usr/local/bin
+    COPY --from=redis_base /usr/local/bin/redis-server /usr/local/bin
    COPY --from=deps_base /uv /
    COPY --from=deps_base /usr/sbin/nginx /usr/sbin
    COPY --from=deps_base /usr/share/nginx /usr/share/nginx
--- a/docker/complement/Dockerfile
+++ b/docker/complement/Dockerfile
@@ -9,7 +9,7 @@
 ARG SYNAPSE_VERSION=latest
 # This is an intermediate image, to be built locally (not pulled from a registry).
 ARG FROM=matrixdotorg/synapse-workers:$SYNAPSE_VERSION
-ARG DEBIAN_VERSION=trixie
+ARG DEBIAN_VERSION=bookworm

 FROM docker.io/library/postgres:13-${DEBIAN_VERSION} AS postgres_base

@@ -18,10 +18,10 @@ FROM $FROM
 # since for repeated rebuilds, this is much faster than apt installing
 # postgres each time.

-# This trick only works because we use a postgres image based on the same
-# debian version as Synapse's docker image (so the versions of the shared
-# libraries match). Any missing libraries need to be added to either the
-# Synapse image or docker/Dockerfile-workers.
+# This trick only works because (a) the Synapse image happens to have all the
+# shared libraries that postgres wants, (b) we use a postgres image based on
+# the same debian version as Synapse's docker image (so the versions of the
+# shared libraries match).
 RUN adduser --system --uid 999 postgres --home /var/lib/postgresql
 COPY --from=postgres_base /usr/lib/postgresql /usr/lib/postgresql
 COPY --from=postgres_base /usr/share/postgresql /usr/share/postgresql
--- a/docker/complement/conf/workers-shared-extra.yaml.j2
+++ b/docker/complement/conf/workers-shared-extra.yaml.j2
@@ -133,8 +133,6 @@ experimental_features:
  msc3984_appservice_key_query: true
  # Invite filtering
  msc4155_enabled: true
-  # Thread Subscriptions
-  msc4306_enabled: true

 server_notices:
  system_mxid_localpart: _server
--- a/docker/conf/log.config
+++ b/docker/conf/log.config
@@ -77,13 +77,6 @@ loggers:
    #}
    synapse.visibility.filtered_event_debug:
        level: DEBUG
-
-    {#
-      If Synapse is under test, we don't care about seeing the "Applying schema" log
-      lines at the INFO level every time we run the tests (it's 100 lines of bulk)
-    #}
-    synapse.storage.prepare_database:
-      level: WARN
    {% endif %}

 root:
--- a/docker/configure_workers_and_start.py
+++ b/docker/configure_workers_and_start.py
@@ -65,10 +65,13 @@ from itertools import chain
 from pathlib import Path
 from typing import (
    Any,
+    Dict,
+    List,
    Mapping,
    MutableMapping,
    NoReturn,
    Optional,
+    Set,
    SupportsIndex,
 )

@@ -93,7 +96,7 @@ WORKER_PLACEHOLDER_NAME = "placeholder_name"
 # Watching /_matrix/media and related needs a "media" listener
 # Stream Writers require "client" and "replication" listeners because they
 #   have to attach by instance_map to the master process and have client endpoints.
-WORKERS_CONFIG: dict[str, dict[str, Any]] = {
+WORKERS_CONFIG: Dict[str, Dict[str, Any]] = {
    "pusher": {
        "app": "synapse.app.generic_worker",
        "listener_resources": [],
@@ -405,7 +408,7 @@ def convert(src: str, dst: str, **template_vars: object) -> None:

 def add_worker_roles_to_shared_config(
    shared_config: dict,
-    worker_types_set: set[str],
+    worker_types_set: Set[str],
    worker_name: str,
    worker_port: int,
 ) -> None:
@@ -468,9 +471,9 @@ def add_worker_roles_to_shared_config(


 def merge_worker_template_configs(
-    existing_dict: Optional[dict[str, Any]],
-    to_be_merged_dict: dict[str, Any],
-) -> dict[str, Any]:
+    existing_dict: Optional[Dict[str, Any]],
+    to_be_merged_dict: Dict[str, Any],
+) -> Dict[str, Any]:
    """When given an existing dict of worker template configuration consisting with both
        dicts and lists, merge new template data from WORKERS_CONFIG(or create) and
        return new dict.
@@ -481,7 +484,7 @@ def merge_worker_template_configs(
            existing_dict.
    Returns: The newly merged together dict values.
    """
-    new_dict: dict[str, Any] = {}
+    new_dict: Dict[str, Any] = {}
    if not existing_dict:
        # It doesn't exist yet, just use the new dict(but take a copy not a reference)
        new_dict = to_be_merged_dict.copy()
@@ -506,8 +509,8 @@ def merge_worker_template_configs(


 def insert_worker_name_for_worker_config(
-    existing_dict: dict[str, Any], worker_name: str
-) -> dict[str, Any]:
+    existing_dict: Dict[str, Any], worker_name: str
+) -> Dict[str, Any]:
    """Insert a given worker name into the worker's configuration dict.

    Args:
@@ -523,7 +526,7 @@ def insert_worker_name_for_worker_config(
    return dict_to_edit


-def apply_requested_multiplier_for_worker(worker_types: list[str]) -> list[str]:
+def apply_requested_multiplier_for_worker(worker_types: List[str]) -> List[str]:
    """
    Apply multiplier(if found) by returning a new expanded list with some basic error
    checking.
@@ -584,7 +587,7 @@ def is_sharding_allowed_for_worker_type(worker_type: str) -> bool:

 def split_and_strip_string(
    given_string: str, split_char: str, max_split: SupportsIndex = -1
-) -> list[str]:
+) -> List[str]:
    """
    Helper to split a string on split_char and strip whitespace from each end of each
        element.
@@ -613,8 +616,8 @@ def generate_base_homeserver_config() -> None:


 def parse_worker_types(
-    requested_worker_types: list[str],
-) -> dict[str, set[str]]:
+    requested_worker_types: List[str],
+) -> Dict[str, Set[str]]:
    """Read the desired list of requested workers and prepare the data for use in
        generating worker config files while also checking for potential gotchas.

@@ -630,14 +633,14 @@ def parse_worker_types(
    # A counter of worker_base_name -> int. Used for determining the name for a given
    # worker when generating its config file, as each worker's name is just
    # worker_base_name followed by instance number
-    worker_base_name_counter: dict[str, int] = defaultdict(int)
+    worker_base_name_counter: Dict[str, int] = defaultdict(int)

    # Similar to above, but more finely grained. This is used to determine we don't have
    # more than a single worker for cases where multiples would be bad(e.g. presence).
-    worker_type_shard_counter: dict[str, int] = defaultdict(int)
+    worker_type_shard_counter: Dict[str, int] = defaultdict(int)

    # The final result of all this processing
-    dict_to_return: dict[str, set[str]] = {}
+    dict_to_return: Dict[str, Set[str]] = {}

    # Handle any multipliers requested for given workers.
    multiple_processed_worker_types = apply_requested_multiplier_for_worker(
@@ -681,7 +684,7 @@ def parse_worker_types(

        # Split the worker_type_string on "+", remove whitespace from ends then make
        # the list a set so it's deduplicated.
-        worker_types_set: set[str] = set(
+        worker_types_set: Set[str] = set(
            split_and_strip_string(worker_type_string, "+")
        )

@@ -740,7 +743,7 @@ def generate_worker_files(
    environ: Mapping[str, str],
    config_path: str,
    data_dir: str,
-    requested_worker_types: dict[str, set[str]],
+    requested_worker_types: Dict[str, Set[str]],
 ) -> None:
    """Read the desired workers(if any) that is passed in and generate shared
        homeserver, nginx and supervisord configs.
@@ -761,7 +764,7 @@ def generate_worker_files(
    # First read the original config file and extract the listeners block. Then we'll
    # add another listener for replication. Later we'll write out the result to the
    # shared config file.
-    listeners: list[Any]
+    listeners: List[Any]
    if using_unix_sockets:
        listeners = [
            {
@@ -789,12 +792,12 @@ def generate_worker_files(
    # base shared worker jinja2 template. This config file will be passed to all
    # workers, included Synapse's main process. It is intended mainly for disabling
    # functionality when certain workers are spun up, and adding a replication listener.
-    shared_config: dict[str, Any] = {"listeners": listeners}
+    shared_config: Dict[str, Any] = {"listeners": listeners}

    # List of dicts that describe workers.
    # We pass this to the Supervisor template later to generate the appropriate
    # program blocks.
-    worker_descriptors: list[dict[str, Any]] = []
+    worker_descriptors: List[Dict[str, Any]] = []

    # Upstreams for load-balancing purposes. This dict takes the form of the worker
    # type to the ports of each worker. For example:
@@ -802,14 +805,14 @@ def generate_worker_files(
    #   worker_type: {1234, 1235, ...}}
    # }
    # and will be used to construct 'upstream' nginx directives.
-    nginx_upstreams: dict[str, set[int]] = {}
+    nginx_upstreams: Dict[str, Set[int]] = {}

    # A map of: {"endpoint": "upstream"}, where "upstream" is a str representing what
    # will be placed after the proxy_pass directive. The main benefit to representing
    # this data as a dict over a str is that we can easily deduplicate endpoints
    # across multiple instances of the same worker. The final rendering will be combined
    # with nginx_upstreams and placed in /etc/nginx/conf.d.
-    nginx_locations: dict[str, str] = {}
+    nginx_locations: Dict[str, str] = {}

    # Create the worker configuration directory if it doesn't already exist
    os.makedirs("/conf/workers", exist_ok=True)
@@ -843,7 +846,7 @@ def generate_worker_files(
    # yaml config file
    for worker_name, worker_types_set in requested_worker_types.items():
        # The collected and processed data will live here.
-        worker_config: dict[str, Any] = {}
+        worker_config: Dict[str, Any] = {}

        # Merge all worker config templates for this worker into a single config
        for worker_type in worker_types_set:
@@ -1026,7 +1029,7 @@ def generate_worker_log_config(
    Returns: the path to the generated file
    """
    # Check whether we should write worker logs to disk, in addition to the console
-    extra_log_template_args: dict[str, Optional[str]] = {}
+    extra_log_template_args: Dict[str, Optional[str]] = {}
    if environ.get("SYNAPSE_WORKERS_WRITE_LOGS_TO_DISK"):
        extra_log_template_args["LOG_FILE_PATH"] = f"{data_dir}/logs/{worker_name}.log"

@@ -1050,7 +1053,7 @@ def generate_worker_log_config(
    return log_config_filepath


-def main(args: list[str], environ: MutableMapping[str, str]) -> None:
+def main(args: List[str], environ: MutableMapping[str, str]) -> None:
    parser = ArgumentParser()
    parser.add_argument(
        "--generate-only",
@@ -1084,7 +1087,7 @@ def main(args: list[str], environ: MutableMapping[str, str]) -> None:
        if not worker_types_env:
            # No workers, just the main process
            worker_types = []
-            requested_worker_types: dict[str, Any] = {}
+            requested_worker_types: Dict[str, Any] = {}
        else:
            # Split type names by comma, ignoring whitespace.
            worker_types = split_and_strip_string(worker_types_env, ",")
--- a/docker/editable.Dockerfile
+++ b/docker/editable.Dockerfile
@@ -3,14 +3,14 @@
 #
 # Used by `complement.sh`. Not suitable for production use.

-ARG PYTHON_VERSION=3.10
+ARG PYTHON_VERSION=3.9

 ###
 ### Stage 0: generate requirements.txt
 ###
-# We hardcode the use of Debian trixie here because this could change upstream
-# and other Dockerfiles used for testing are expecting trixie.
-FROM docker.io/library/python:${PYTHON_VERSION}-slim-trixie
+# We hardcode the use of Debian bookworm here because this could change upstream
+# and other Dockerfiles used for testing are expecting bookworm.
+FROM docker.io/library/python:${PYTHON_VERSION}-slim-bookworm

 # Install Rust and other dependencies (stolen from normal Dockerfile)
 # install the OS build deps
--- a/docker/start.py
+++ b/docker/start.py
@@ -6,7 +6,7 @@ import os
 import platform
 import subprocess
 import sys
-from typing import Any, Mapping, MutableMapping, NoReturn, Optional
+from typing import Any, Dict, List, Mapping, MutableMapping, NoReturn, Optional

 import jinja2

@@ -69,7 +69,7 @@ def generate_config_from_template(
            )

    # populate some params from data files (if they exist, else create new ones)
-    environ: dict[str, Any] = dict(os_environ)
+    environ: Dict[str, Any] = dict(os_environ)
    secrets = {
        "registration": "SYNAPSE_REGISTRATION_SHARED_SECRET",
        "macaroon": "SYNAPSE_MACAROON_SECRET_KEY",
@@ -200,7 +200,7 @@ def run_generate_config(environ: Mapping[str, str], ownership: Optional[str]) ->
    subprocess.run(args, check=True)


-def main(args: list[str], environ: MutableMapping[str, str]) -> None:
+def main(args: List[str], environ: MutableMapping[str, str]) -> None:
    mode = args[1] if len(args) > 1 else "run"

    # if we were given an explicit user to switch to, do so
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -60,7 +60,6 @@
    - [Admin API](usage/administration/admin_api/README.md)
      - [Account Validity](admin_api/account_validity.md)
      - [Background Updates](usage/administration/admin_api/background_updates.md)
-      - [Fetch Event](admin_api/fetch_event.md)
      - [Event Reports](admin_api/event_reports.md)
      - [Experimental Features](admin_api/experimental_features.md)
      - [Media](admin_api/media_admin_api.md)
@@ -116,8 +115,6 @@
      - [The Auth Chain Difference Algorithm](auth_chain_difference_algorithm.md)
    - [Media Repository](media_repository.md)
    - [Room and User Statistics](room_and_user_statistics.md)
-    - [Releasing]()
-      - [Release Notes Review Checklist](development/internal_documentation/release_notes_review_checklist.md)
  - [Scripts]()

 # Other
--- a/docs/admin_api/fetch_event.md
+++ b/docs/admin_api/fetch_event.md
@@ -1,53 +0,0 @@
-# Fetch Event API
-
-The fetch event API allows admins to fetch an event regardless of their membership in the room it
-originated in.
-
-To use it, you will need to authenticate by providing an `access_token`
-for a server admin: see [Admin API](../usage/administration/admin_api/).
-
-Request:
-```http
-GET /_synapse/admin/v1/fetch_event/<event_id>
-```
-
-The API returns a JSON body like the following:
-
-Response:
-```json
-{
-    "event": {
-        "auth_events": [
-            "$WhLChbYg6atHuFRP7cUd95naUtc8L0f7fqeizlsUVvc",
-            "$9Wj8dt02lrNEWweeq-KjRABUYKba0K9DL2liRvsAdtQ",
-            "$qJxBFxBt8_ODd9b3pgOL_jXP98S_igc1_kizuPSZFi4"
-        ],
-        "content": {
-            "body": "Hey now",
-            "msgtype": "m.text"
-        },
-        "depth": 6,
-        "event_id": "$hJ_kcXbVMcI82JDrbqfUJIHu61tJD86uIFJ_8hNHi7s",
-        "hashes": {
-            "sha256": "LiNw8DtrRVf55EgAH8R42Wz7WCJUqGsPt2We6qZO5Rg"
-        },
-        "origin_server_ts": 799,
-        "prev_events": [
-            "$cnSUrNMnC3Ywh9_W7EquFxYQjC_sT3BAAVzcUVxZq1g"
-        ],
-        "room_id": "!aIhKToCqgPTBloWMpf:test",
-        "sender": "@user:test",
-        "signatures": {
-            "test": {
-                "ed25519:a_lPym": "7mqSDwK1k7rnw34Dd8Fahu0rhPW7jPmcWPRtRDoEN9Yuv+BCM2+Rfdpv2MjxNKy3AYDEBwUwYEuaKMBaEMiKAQ"
-            }
-        },
-        "type": "m.room.message",
-        "unsigned": {
-            "age_ts": 799
-        }
-    }
-}
-```
-
-
--- a/docs/admin_api/media_admin_api.md
+++ b/docs/admin_api/media_admin_api.md
@@ -39,40 +39,6 @@ the use of the
 [List media uploaded by a user](user_admin_api.md#list-media-uploaded-by-a-user)
 Admin API.

-## Query a piece of media by ID
-
-This API returns information about a piece of local or cached remote media given the origin server name and media id. If
-information is requested for remote media which is not cached the endpoint will return 404. 
-
-Request:
-```http
-GET /_synapse/admin/v1/media/<origin>/<media_id>
-```
-
-The API returns a JSON body with media info like the following:
-
-Response:
-```json
-{
-  "media_info": {
-    "media_origin": "remote.com",
-    "user_id": null,
-    "media_id": "sdginwegWEG",
-    "media_type": "img/png",
-    "media_length": 67,
-    "upload_name":  "test.png",
-    "created_ts":  300,
-    "filesystem_id":  "wgeweg",
-    "url_cache": null,
-    "last_access_ts": 400,
-    "quarantined_by":  null,
-    "authenticated":  false,
-    "safe_from_quarantine": null,
-    "sha256": "ebf4f635a17d10d6eb46ba680b70142419aa3220f228001a036d311a22ee9d2a"
-  }
-}
-```
-
 # Quarantine media

 Quarantining media means that it is marked as inaccessible by users. It applies
--- a/docs/admin_api/rooms.md
+++ b/docs/admin_api/rooms.md
@@ -1115,76 +1115,3 @@ Example response:
  ]
 }
 ```
-
-# Admin Space Hierarchy Endpoint
-
-This API allows an admin to fetch the space/room hierarchy for a given space, 
-returning details about that room and any children the room may have, paginating
-over the space tree in a depth-first manner to locate child rooms. This is
-functionally similar to the [CS Hierarchy](https://spec.matrix.org/v1.16/client-server-api/#get_matrixclientv1roomsroomidhierarchy) endpoint but does not check for
-room membership when returning room summaries.
-
-The endpoint does not query other servers over federation about remote rooms
-that the server has not joined. This is a deliberate trade-off: while this
-means it will leave some holes in the hierarchy that we could otherwise
-sometimes fill in, it significantly improves the endpoint's response time and
-the admin endpoint is designed for managing rooms local to the homeserver
-anyway.
-
-**Parameters**
-
-The following query parameters are available:
-
-* `from` - An optional pagination token, provided when there are more rooms to 
-    return than the limit. 
-* `limit` - Maximum amount of rooms to return. Must be a non-negative integer,
-   defaults to `50`.
-* `max_depth` - The maximum depth in the tree to explore, must be a non-negative
-   integer. 0 would correspond to just the root room, 1 would include just the
-   root room's children, etc.  If not provided will recurse into the space tree without limit.
-
-Request:
-
-```http
-GET /_synapse/admin/v1/rooms/<room_id>/hierarchy
-```
-
-Response:
-
-```json
-{
-  "rooms":
-      [
-        { "children_state": [
-            {
-              "content": {
-                "via": ["local_test_server"]
-              },
-              "origin_server_ts": 1500,
-              "sender": "@user:test",
-              "state_key": "!QrMkkqBSwYRIFNFCso:test",
-              "type": "m.space.child"
-            }
-        ],
-        "name": "space room",
-        "guest_can_join": false,
-        "join_rule": "public",
-        "num_joined_members": 1,
-        "room_id": "!sPOpNyMHbZAoAOsOFL:test",
-        "room_type": "m.space",
-        "world_readable": false
-      },
-
-      {
-        "children_state": [],
-        "guest_can_join": true,
-        "join_rule": "invite",
-        "name": "nefarious",
-        "num_joined_members": 1,
-        "room_id": "!QrMkkqBSwYRIFNFCso:test",
-        "topic": "being bad",
-        "world_readable": false}
-    ],
-  "next_batch": "KUYmRbeSpAoaAIgOKGgyaCEn"
-}
-```
--- a/docs/deprecation_policy.md
+++ b/docs/deprecation_policy.md
@@ -21,7 +21,7 @@ people building from source should ensure they can fetch recent versions of Rust
 (e.g. by using [rustup](https://rustup.rs/)).

 The oldest supported version of SQLite is the version
-[provided](https://packages.debian.org/oldstable/libsqlite3-0) by
+[provided](https://packages.debian.org/bullseye/libsqlite3-0) by
 [Debian oldstable](https://wiki.debian.org/DebianOldStable).


--- a/docs/development/contributing_guide.md
+++ b/docs/development/contributing_guide.md
@@ -320,7 +320,7 @@ The following command will let you run the integration test with the most common
 configuration:

 ```sh
-$ docker run --rm -it -v /path/where/you/have/cloned/the/repository\:/src:ro -v /path/to/where/you/want/logs\:/logs matrixdotorg/sytest-synapse:bookworm
+$ docker run --rm -it -v /path/where/you/have/cloned/the/repository\:/src:ro -v /path/to/where/you/want/logs\:/logs matrixdotorg/sytest-synapse:bullseye
 ```
 (Note that the paths must be full paths! You could also write `$(realpath relative/path)` if needed.)

--- a/docs/development/dependencies.md
+++ b/docs/development/dependencies.md
@@ -79,17 +79,17 @@ phonenumbers = [
 We can see this pinned version inside the docker image for that release:

 ```
-$ docker pull matrixdotorg/synapse:latest
+$ docker pull vectorim/synapse:v1.97.0
 ...
-$ docker run --entrypoint pip matrixdotorg/synapse:latest show phonenumbers
+$ docker run --entrypoint pip vectorim/synapse:v1.97.0 show phonenumbers
 Name: phonenumbers
-Version: 9.0.15
+Version: 8.12.44
 Summary: Python version of Google's common library for parsing, formatting, storing and validating international phone numbers.
 Home-page: https://github.com/daviddrysdale/python-phonenumbers
 Author: David Drysdale
 Author-email: dmd@lurklurk.org
 License: Apache License 2.0
-Location: /usr/local/lib/python3.12/site-packages
+Location: /usr/local/lib/python3.9/site-packages
 Requires:
 Required-by: matrix-synapse
 ```
--- a/docs/development/internal_documentation/release_notes_review_checklist.md
+++ b/docs/development/internal_documentation/release_notes_review_checklist.md
@@ -1,12 +0,0 @@
-# Release notes review checklist
-
-The Synapse release process includes a step to review the changelog before
-publishing it. The following is a list of common points to check for:
-
-1. Check whether any similar entries that can be merged together (make sure to include all mentioned PRs at the end of the line, i.e. (#1234, #1235, ...)).
-2. Link any MSCXXXX lines to the Matrix Spec Change itself: <https://github.com/matrix-org/matrix-spec-proposals/pull/xxxx>.
-3. Wrap any class names, variable names, etc. in back-ticks, if needed.
-4. Hoist any relevant security, deprecation, etc. announcements to the top of this version's changelog for visibility. This includes any announcements in RCs for this release.
-5. Check the upgrade notes for any important announcements, and link to them from the changelog if warranted.
-6. Quickly skim and check that each entry is in the appropriate section.
-7. Entries under the Bugfixes section should ideally state what Synapse version the bug was introduced in. For example: "Fixed a bug introduced in v1.x.y" or if no version can be identified, "Fixed a long-standing bug ...".
--- a/docs/log_contexts.md
+++ b/docs/log_contexts.md
@@ -59,28 +59,6 @@ def do_request_handling():
    logger.debug("phew")
 ```

-### The `sentinel` context
-
-The default logcontext is `synapse.logging.context.SENTINEL_CONTEXT`, which is an empty
-sentinel value to represent the root logcontext. This is what is used when there is no
-other logcontext set. The phrase "clear/reset the logcontext" means to set the current
-logcontext to the `sentinel` logcontext.
-
-No CPU/database usage metrics are recorded against the `sentinel` logcontext.
-
-Ideally, nothing from the Synapse homeserver would be logged against the `sentinel`
-logcontext as we want to know which server the logs came from. In practice, this is not
-always the case yet especially outside of request handling.
-
-Global things outside of Synapse (e.g. Twisted reactor code) should run in the
-`sentinel` logcontext. It's only when it calls into application code that a logcontext
-gets activated. This means the reactor should be started in the `sentinel` logcontext,
-and any time an awaitable yields control back to the reactor, it should reset the
-logcontext to be the `sentinel` logcontext. This is important to avoid leaking the
-current logcontext to the reactor (which would then get picked up and associated with
-the next thing the reactor does).
-
-
 ## Using logcontexts with awaitables

 Awaitables break the linear flow of code so that there is no longer a single entry point
@@ -143,7 +121,8 @@ cares about.
 The following sections describe pitfalls and helpful patterns when
 implementing these rules.

-## Always await your awaitables
+Always await your awaitables
+----------------------------

 Whenever you get an awaitable back from a function, you should `await` on
 it as soon as possible. Do not pass go; do not do any logging; do not
@@ -202,171 +181,6 @@ async def sleep(seconds):
    return await context.make_deferred_yieldable(get_sleep_deferred(seconds))
 ```

-## Deferred callbacks
-
-When a deferred callback is called, it inherits the current logcontext. The deferred
-callback chain can resume a coroutine, which if following our logcontext rules, will
-restore its own logcontext, then run:
-
- - until it yields control back to the reactor, setting the sentinel logcontext
- - or until it finishes, restoring the logcontext it was started with (calling context)
-
-This behavior creates two specific issues:
-
-**Issue 1:** The first issue is that the callback may have reset the logcontext to the
-sentinel before returning. This means our calling function will continue with the
-sentinel logcontext instead of the logcontext it was started with (bad).
-
-**Issue 2:** The second issue is that the current logcontext that called the deferred
-callback could finish before the callback finishes (bad).
-
-In the following example, the deferred callback is called with the "main" logcontext and
-runs until we yield control back to the reactor in the `await` inside `clock.sleep(0)`.
-Since `clock.sleep(0)` follows our logcontext rules, it sets the logcontext to the
-sentinel before yielding control back to the reactor. Our `main` function continues with
-the sentinel logcontext (first bad thing) instead of the "main" logcontext. Then the
-`with LoggingContext("main")` block exits, finishing the "main" logcontext and yielding
-control back to the reactor again. Finally, later on when `clock.sleep(0)` completes,
-our `with LoggingContext("competing")` block exits, and restores the previous "main"
-logcontext which has already finished, resulting in `WARNING: Re-starting finished log
-context main` and leaking the `main` logcontext into the reactor which will then
-erronously be associated with the next task the reactor picks up.
-
-```python
-async def competing_callback():
-    # Since this is run with the "main" logcontext, when the "competing"
-    # logcontext exits, it will restore the previous "main" logcontext which has
-    # already finished and results in "WARNING: Re-starting finished log context main"
-    # and leaking the `main` logcontext into the reactor.
-    with LoggingContext("competing"):
-        await clock.sleep(0)
-
-def main():
-    with LoggingContext("main"):
-        d = defer.Deferred()
-        d.addCallback(lambda _: defer.ensureDeferred(competing_callback()))
-        # Call the callback within the "main" logcontext.
-        d.callback(None)
-        # Bad: This will be logged against sentinel logcontext
-        logger.debug("ugh")
-
-main()
-```
-
-**Solution 1:** We could of course fix this by following the general rule of "always
-await your awaitables":
-
-```python
-async def main():
-    with LoggingContext("main"):
-        d = defer.Deferred()
-        d.addCallback(lambda _: defer.ensureDeferred(competing_callback()))
-        d.callback(None)
-        # Wait for `d` to finish before continuing so the "main" logcontext is
-        # still active. This works because `d` already follows our logcontext
-        # rules. If not, we would also have to use `make_deferred_yieldable(d)`.
-        await d
-        # Good: This will be logged against the "main" logcontext
-        logger.debug("phew")
-``` 
-
-**Solution 2:** We could also fix this by surrounding the call to `d.callback` with a
-`PreserveLoggingContext`, which will reset the logcontext to the sentinel before calling
-the callback, and restore the "main" logcontext afterwards before continuing the `main`
-function. This solves the problem because when the "competing" logcontext exits, it will
-restore the sentinel logcontext which is never finished by its nature, so there is no
-warning and no leakage into the reactor.
-
-```python
-async def main():
-    with LoggingContext("main"):
-        d = defer.Deferred()
-        d.addCallback(lambda _: defer.ensureDeferred(competing_callback()))
-        d.callback(None)
-        with PreserveLoggingContext():
-            # Call the callback with the sentinel logcontext.
-            d.callback(None)
-        # Good: This will be logged against the "main" logcontext
-        logger.debug("phew")
-```
-
-**Solution 3:** But let's say you *do* want to run (fire-and-forget) the deferred
-callback in the current context without running into issues:
-
-We can solve the first issue by using `run_in_background(...)` to run the callback in
-the current logcontext and it handles the magic behind the scenes of a) restoring the
-calling logcontext before returning to the caller and b) resetting the logcontext to the
-sentinel after the deferred completes and we yield control back to the reactor to avoid
-leaking the logcontext into the reactor.
-
-To solve the second issue, we can extend the lifetime of the "main" logcontext by
-avoiding the `LoggingContext`'s context manager lifetime methods
-(`__enter__`/`__exit__`). We can still set "main" as the current logcontext by using
-`PreserveLoggingContext` and passing in the "main" logcontext.
-
-
-```python
-async def main():
-    main_context = LoggingContext("main")
-    with PreserveLoggingContext(main_context):
-        d = defer.Deferred()
-        d.addCallback(lambda _: defer.ensureDeferred(competing_callback()))
-        # The whole lambda will be run in the "main" logcontext. But we're using
-        # a trick to return the deferred `d` itself so that `run_in_background`
-        # will wait on that to complete and reset the logcontext to the sentinel
-        # when it does to avoid leaking the "main" logcontext into the reactor.
-        run_in_background(lambda: (d.callback(None), d)[1])
-        # Good: This will be logged against the "main" logcontext
-        logger.debug("phew")
-
-...
-
-# Wherever possible, it's best to finish the logcontext by calling `__exit__` at some
-# point. This allows us to catch bugs if we later try to erroneously restart a finished
-# logcontext.
-#
-# Since the "main" logcontext stores the `LoggingContext.previous_context` when it is
-# created, we can wrap this call in `PreserveLoggingContext()` to restore the correct
-# previous logcontext. Our goal is to have the calling context remain unchanged after
-# finishing the "main" logcontext.
-with PreserveLoggingContext():
-    # Finish the "main" logcontext
-    with main_context:
-        # Empty block - We're just trying to call `__exit__` on the "main" context
-        # manager to finish it. We can't call `__exit__` directly as the code expects us
-        # to `__enter__` before calling `__exit__` to `start`/`stop` things
-        # appropriately. And in any case, it's probably best not to call the internal
-        # methods directly.
-        pass
-```
-
-The same thing applies if you have some deferreds stored somewhere which you want to
-callback in the current logcontext.
-
-
-### Deferred errbacks and cancellations
-
-The same care should be taken when calling errbacks on deferreds. An errback and
-callback act the same in this regard (see section above).
-
-```python
-d = defer.Deferred()
-d.addErrback(some_other_function)
-d.errback(failure)
-```
-
-Additionally, cancellation is the same as directly calling the errback with a
-`twisted.internet.defer.CancelledError`:
-
-```python
-d = defer.Deferred()
-d.addErrback(some_other_function)
-d.cancel()
-```
-
-
-
-
 ## Fire-and-forget

 Sometimes you want to fire off a chain of execution, but not wait for
@@ -548,19 +362,3 @@ chain are dropped. Dropping the the reference to an awaitable you're
 supposed to be awaiting is bad practice, so this doesn't
 actually happen too much. Unfortunately, when it does happen, it will
 lead to leaked logcontexts which are incredibly hard to track down.
-
-
-## Debugging logcontext issues
-
-Debugging logcontext issues can be tricky as leaking or losing a logcontext will surface
-downstream and can point to an unrelated part of the codebase. It's best to enable debug
-logging for `synapse.logging.context.debug` (needs to be explicitly configured) and go
-backwards in the logs from the point where the issue is observed to find the root cause.
-
-`log.config.yaml`
-```yaml
-loggers:
-    # Unlike other loggers, this one needs to be explicitly configured to see debug logs.
-    synapse.logging.context.debug:
-        level: DEBUG
-```
--- a/docs/modules/media_repository_callbacks.md
+++ b/docs/modules/media_repository_callbacks.md
@@ -64,68 +64,3 @@ If multiple modules implement this callback, they will be considered in order. I
 returns `True`, Synapse falls through to the next one. The value of the first callback that
 returns `False` will be used. If this happens, Synapse will not call any of the subsequent
 implementations of this callback.
-
-### `get_media_upload_limits_for_user`
-
-_First introduced in Synapse v1.139.0_
-
-```python
-async def get_media_upload_limits_for_user(user_id: str, size: int) -> Optional[List[synapse.module_api.MediaUploadLimit]]
-```
-
-**<span style="color:red">
-Caution: This callback is currently experimental. The method signature or behaviour
-may change without notice.
-</span>**
-
-Called when processing a request to store content in the media repository. This can be used to dynamically override
-the [media upload limits configuration](../usage/configuration/config_documentation.html#media_upload_limits).
-
-The arguments passed to this callback are:
-
-* `user_id`: The Matrix user ID of the user (e.g. `@alice:example.com`) making the request.
-
-If the callback returns a list then it will be used as the limits instead of those in the configuration (if any).
-
-If an empty list is returned then no limits are applied (**warning:** users will be able
-to upload as much data as they desire).
-
-If multiple modules implement this callback, they will be considered in order. If a
-callback returns `None`, Synapse falls through to the next one. The value of the first
-callback that does not return `None` will be used. If this happens, Synapse will not call
-any of the subsequent implementations of this callback.
-
-If there are no registered modules, or if all modules return `None`, then
-the default
-[media upload limits configuration](../usage/configuration/config_documentation.html#media_upload_limits)
-will be used.
-
-### `on_media_upload_limit_exceeded`
-
-_First introduced in Synapse v1.139.0_
-
-```python
-async def on_media_upload_limit_exceeded(user_id: str, limit: synapse.module_api.MediaUploadLimit, sent_bytes: int, attempted_bytes: int) -> None
-```
-
-**<span style="color:red">
-Caution: This callback is currently experimental. The method signature or behaviour
-may change without notice.
-</span>**
-
-Called when a user attempts to upload media that would exceed a
-[configured media upload limit](../usage/configuration/config_documentation.html#media_upload_limits).
-
-This callback will only be called on workers which handle
-[POST /_matrix/media/v3/upload](https://spec.matrix.org/v1.15/client-server-api/#post_matrixmediav3upload)
-requests.
-
-This could be used to inform the user that they have reached a media upload limit through
-some external method.
-
-The arguments passed to this callback are:
-
-* `user_id`: The Matrix user ID of the user (e.g. `@alice:example.com`) making the request.
-* `limit`: The `synapse.module_api.MediaUploadLimit` representing the limit that was reached.
-* `sent_bytes`: The number of bytes already sent during the period of the limit.
-* `attempted_bytes`: The number of bytes that the user attempted to send.
--- a/docs/modules/spam_checker_callbacks.md
+++ b/docs/modules/spam_checker_callbacks.md
@@ -195,15 +195,12 @@ _Changed in Synapse v1.132.0: Added the `room_config` argument. Callbacks that o
 async def user_may_create_room(user_id: str, room_config: synapse.module_api.JsonDict) -> Union["synapse.module_api.NOT_SPAM", "synapse.module_api.errors.Codes", bool]
 ```

-Called when processing a room creation or room upgrade request.
+Called when processing a room creation request.

 The arguments passed to this callback are:

 * `user_id`: The Matrix user ID of the user (e.g. `@alice:example.com`).
-* `room_config`: The contents of the body of the [`/createRoom` request](https://spec.matrix.org/v1.15/client-server-api/#post_matrixclientv3createroom) as a dictionary.
-  For a [room upgrade request](https://spec.matrix.org/v1.15/client-server-api/#post_matrixclientv3roomsroomidupgrade) it is a synthesised subset of what an equivalent
-  `/createRoom` request would have looked like. Specifically, it contains the `creation_content` (linking to the previous room) and `initial_state` (containing a
-  subset of the state of the previous room).
+* `room_config`: The contents of the body of a [/createRoom request](https://spec.matrix.org/latest/client-server-api/#post_matrixclientv3createroom) as a dictionary.

 The callback must return one of:
  - `synapse.module_api.NOT_SPAM`, to allow the operation. Other callbacks may still 
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -186,7 +186,6 @@ oidc_providers:
 4. Note the slug of your application, Client ID and Client Secret.

 Note: RSA keys must be used for signing for Authentik, ECC keys do not work.
-Note: The provider must have a signing key set and must not use an encryption key.

 Synapse config:
 ```yaml
@@ -205,12 +204,6 @@ oidc_providers:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.preferred_username|capitalize }}" # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
-[...]
-jwt_config:
-    enabled: true
-    secret: "your client secret" # TO BE FILLED (same as `client_secret` above)
-    algorithm: "RS256"
-    # (...other fields)
 ```

 ### Dex
--- a/docs/setup/installation.md
+++ b/docs/setup/installation.md
@@ -87,13 +87,17 @@ file when you upgrade the Debian package to a later version.
 Andrej Shadura maintains a
 [`matrix-synapse`](https://packages.debian.org/sid/matrix-synapse) package in
 the Debian repositories.
-For `forky` (14) and `sid` (rolling release), it can be installed simply with:
+For `bookworm` and `sid`, it can be installed simply with:

 ```sh
 sudo apt install matrix-synapse
 ```

-The downstream Debian `matrix-synapse` package is not available for `trixie` (13) and older. Consider using the Matrix.org packages (above).
+Synapse is also available in `bullseye-backports`.  Please
+see the [Debian documentation](https://backports.debian.org/Instructions/)
+for information on how to use backports.
+
+`matrix-synapse` is no longer maintained for `buster` and older.

 ##### Downstream Ubuntu packages

@@ -204,7 +208,7 @@ When following this route please make sure that the [Platform-specific prerequis
 System requirements:

 - POSIX-compliant system (tested on Linux & OS X)
- Python 3.10 or later, up to Python 3.13.
+- Python 3.9 or later, up to Python 3.13.
 - At least 1GB of free RAM if you want to join large public rooms like #matrix:matrix.org

 If building on an uncommon architecture for which pre-built wheels are
@@ -307,16 +311,11 @@ sudo dnf group install "Development Tools"

 ##### Red Hat Enterprise Linux / Rocky Linux / Oracle Linux

-*Note: The term "RHEL" below refers to Red Hat Enterprise Linux, Oracle Linux and Rocky Linux.
-The distributions are 1:1 binary compatible.*
+*Note: The term "RHEL" below refers to Red Hat Enterprise Linux, Oracle Linux and Rocky Linux. The distributions are 1:1 binary compatible.*

 It's recommended to use the latest Python versions.

-RHEL 8 & 9 in particular ship with Python 3.6 & 3.9 respectively by default
-which are EOL and therefore no longer supported by Synapse.
-However, newer Python versions provide significant performance improvements
-and they're available in official distributions' repositories.
-Therefore it's recommended to use them.
+RHEL 8 in particular ships with Python 3.6 by default which is EOL and therefore no longer supported by Synapse. RHEL 9 ships with Python 3.9 which is still supported by the Python core team as of this writing. However, newer Python versions provide significant performance improvements and they're available in official distributions' repositories. Therefore it's recommended to use them.

 Python 3.11 and 3.12 are available for both RHEL 8 and 9.

--- a/docs/structured_logging.md
+++ b/docs/structured_logging.md
@@ -35,7 +35,7 @@ handlers:
 loggers:
    synapse:
        level: INFO
-        handlers: [file]
+        handlers: [remote]
    synapse.storage.SQL:
        level: WARNING
 ```
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@@ -117,63 +117,6 @@ each upgrade are complete before moving on to the next upgrade, to avoid
 stacking them up. You can monitor the currently running background updates with
 [the Admin API](usage/administration/admin_api/background_updates.html#status).

-# Upgrading to v1.142.0
-
-## Minimum supported Python version
-
-The minimum supported Python version has been increased from v3.9 to v3.10.
-You will need Python 3.10+ to run Synapse v1.142.0.
-
-If you use current versions of the
-[matrixorg/synapse](setup/installation.html#docker-images-and-ansible-playbooks)
-Docker images, no action is required.
-
-
-# Upgrading to v1.141.0
-
-## Docker images now based on Debian `trixie` with Python 3.13
-
-The Docker images are now based on Debian `trixie` and use Python 3.13. If you
-are using the Docker images as a base image you may need to e.g. adjust the
-paths you mount any additional Python packages at.
-
-# Upgrading to v1.140.0
-
-## Users of `synapse-s3-storage-provider` must update the module to `v1.6.0`
-
-Deployments that make use of the
-[synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider/)
-module must update it to
-[v1.6.0](https://github.com/matrix-org/synapse-s3-storage-provider/releases/tag/v1.6.0),
-otherwise users will be unable to upload or download media.
-
-# Upgrading to v1.139.0
-
-## `/register` requests from old application service implementations may break when using MAS
-
-Application Services that do not set `inhibit_login=true` when calling `POST
-/_matrix/client/v3/register` will receive the error
-`IO.ELEMENT.MSC4190.M_APPSERVICE_LOGIN_UNSUPPORTED` in response. This is a
-result of [MSC4190: Device management for application
-services](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) which
-adds new endpoints for application services to create encryption-ready devices
-with other than `/login` or `/register` without `inhibit_login=true`.
-
-If an application service you use starts to fail with the mentioned error,
-ensure it is up to date. If it is, then kindly let the author know that they
-need to update their implementation to call `/register` with
-`inhibit_login=true`.
-
-# Upgrading to v1.138.2
-
-## Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin
-
-Ubuntu 24.10 Oracular Oriole [has been end-of-life since 10 Jul
-2025](https://endoflife.date/ubuntu). This release drops support for Ubuntu
-24.10, and in its place adds support for Ubuntu 25.04 Plucky Puffin.
-
-This notice also applies to the v1.139.0 release.
-
 # Upgrading to v1.136.0

 ## Deprecate `run_as_background_process` exported as part of the module API interface in favor of `ModuleApi.run_as_background_process`
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -2006,8 +2006,9 @@ This setting has the following sub-options:
 Default configuration:
 ```yaml
 rc_reports:
-  per_second: 1.0
-  burst_count: 5.0
+  per_user:
+    per_second: 1.0
+    burst_count: 5.0
 ```

 Example configuration:
@@ -2030,8 +2031,9 @@ This setting has the following sub-options:
 Default configuration:
 ```yaml
 rc_room_creation:
-  per_second: 0.016
-  burst_count: 10.0
+  per_user:
+    per_second: 0.016
+    burst_count: 10.0
 ```

 Example configuration:
@@ -2166,12 +2168,9 @@ max_upload_size: 60M
 ### `media_upload_limits`

 *(array)* A list of media upload limits defining how much data a given user can upload in a given time period.
-These limits are applied in addition to the `max_upload_size` limit above (which applies to individual uploads).

 An empty list means no limits are applied.

-These settings can be overridden using the `get_media_upload_limits_for_user` module API [callback](../../modules/media_repository_callbacks.md#get_media_upload_limits_for_user).
-
 Defaults to `[]`.

 Example configuration:
@@ -2573,28 +2572,6 @@ Example configuration:
 turn_allow_guests: false
 ```
 ---
-### `matrix_rtc`
-
-*(object)* Options related to MatrixRTC. Defaults to `{}`.
-
-This setting has the following sub-options:
-
-* `transports` (array): A list of transport types and arguments to use for MatrixRTC connections. Defaults to `[]`.
-
-  Options for each entry include:
-
-  * `type` (string): The type of transport to use to connect to the selective forwarding unit (SFU).
-
-  * `livekit_service_url` (string): The base URL of the LiveKit service. Should only be used with LiveKit-based transports.
-
-Example configuration:
-```yaml
-matrix_rtc:
-  transports:
-  - type: livekit
-    livekit_service_url: https://matrix-rtc.example.com/livekit/jwt
-```
---
 ## Registration

 Registration can be rate-limited using the parameters in the [Ratelimiting](#ratelimiting) section of this manual.
@@ -3815,7 +3792,7 @@ This setting has the following sub-options:

 * `localdb_enabled` (boolean): Set to false to disable authentication against the local password database. This is ignored if `enabled` is false, and is only useful if you have other `password_providers`. Defaults to `true`.

-* `pepper` (string|null): A secret random string that will be appended to user's passwords before they are hashed. This improves the security of short passwords. DO NOT CHANGE THIS AFTER INITIAL SETUP! Defaults to `null`.
+* `pepper` (string|null): Set the value here to a secret random string for extra security. DO NOT CHANGE THIS AFTER INITIAL SETUP! Defaults to `null`.

 * `policy` (object): Define and enforce a password policy, such as minimum lengths for passwords, etc. This is an implementation of MSC2000.

--- a/docs/workers.md
+++ b/docs/workers.md
@@ -120,9 +120,6 @@ worker_replication_secret: ""

 redis:
    enabled: true
-    # For additional Redis configuration options (TLS, authentication, etc.), 
-    # see the Synapse configuration documentation:
-    # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#redis

 instance_map:
    main:
@@ -255,7 +252,7 @@ information.
    ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$
    ^/_matrix/client/(r0|v3|unstable)/capabilities$
    ^/_matrix/client/(r0|v3|unstable)/notifications$
-    ^/_synapse/admin/v1/rooms/[^/]+$
+    ^/_synapse/admin/v1/rooms/

    # Encryption requests
    ^/_matrix/client/(r0|v3|unstable)/keys/query$
--- a/mypy.ini
+++ b/mypy.ini
@@ -37,7 +37,7 @@ strict_equality = True

 # Run mypy type checking with the minimum supported Python version to catch new usage
 # that isn't backwards-compatible (types, overloads, etc).
-python_version = 3.10
+python_version = 3.9

 files =
  docker/,
@@ -69,7 +69,7 @@ warn_unused_ignores = False
 ;;     https://github.com/python/typeshed/tree/master/stubs
 ;; and for each package `foo` there's a corresponding `types-foo` package on PyPI,
 ;; which we can pull in as a dev dependency by adding to `pyproject.toml`'s
-;; `[tool.poetry.group.dev.dependencies]` list.
+;; `[tool.poetry.dev-dependencies]` list.

 # https://github.com/lepture/authlib/issues/460
 [mypy-authlib.*]
--- a/poetry.lock
+++ b/poetry.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -36,7 +36,7 @@

 [tool.ruff]
 line-length = 88
-target-version = "py310"
+target-version = "py39"

 [tool.ruff.lint]
 # See https://beta.ruff.rs/docs/rules/#error-e
@@ -78,12 +78,6 @@ select = [
    "LOG",
    # flake8-logging-format
    "G",
-    # pyupgrade
-    "UP006",
-]
-extend-safe-fixes = [
-    # pyupgrade
-    "UP006"
 ]

 [tool.ruff.lint.isort]
@@ -107,10 +101,10 @@ module-name = "synapse.synapse_rust"

 [tool.poetry]
 name = "matrix-synapse"
-version = "1.141.0"
+version = "1.137.0rc1"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
-license = "AGPL-3.0-or-later OR LicenseRef-Element-Commercial"
+license = "AGPL-3.0-or-later"
 readme = "README.rst"
 repository = "https://github.com/element-hq/synapse"
 packages = [
@@ -165,16 +159,12 @@ synapse_review_recent_signups = "synapse._scripts.review_recent_signups:main"
 update_synapse_database = "synapse._scripts.update_synapse_database:main"

 [tool.poetry.dependencies]
-python = "^3.10.0"
+python = "^3.9.0"

 # Mandatory Dependencies
 # ----------------------
 # we use the TYPE_CHECKER.redefine method added in jsonschema 3.0.0
 jsonschema = ">=3.0.0"
-# 0.25.0 is the first version to support Python 3.14.
-# We can remove this once https://github.com/python-jsonschema/jsonschema/issues/1426 is fixed
-# and included in a release.
-rpds-py = ">=0.25.0"
 # We choose 2.0 as a lower bound: the most recent backwards incompatible release.
 # It seems generally available, judging by https://pkgs.org/search/?q=immutabledict
 immutabledict = ">=2.0"
@@ -205,8 +195,7 @@ bcrypt = ">=3.1.7"
 # Packagers that already took care of libwebp can lower that down to 5.4.0.
 Pillow = ">=10.0.1"
 # We use SortedDict.peekitem(), which was added in sortedcontainers 1.5.2.
-# 2.0.5 updates collections.abc imports to avoid Python 3.10 incompatibility.
-sortedcontainers = ">=2.0.5"
+sortedcontainers = ">=1.5.2"
 pymacaroons = ">=0.13.0"
 msgpack = ">=0.5.2"
 phonenumbers = ">=8.2.0"
@@ -222,10 +211,9 @@ netaddr = ">=0.7.18"
 # end up with a broken installation, with recent MarkupSafe but old Jinja, we
 # add a lower bound to the Jinja2 dependency.
 Jinja2 = ">=3.0"
-# 3.2.0 updates collections.abc imports to avoid Python 3.10 incompatibility.
-bleach = ">=3.2.0"
-# pydantic 2.12 depends on typing-extensions>=4.14.1
-typing-extensions = ">=4.14.1"
+bleach = ">=1.4.3"
+# We use `assert_never`, which were added in `typing-extensions` 4.1.
+typing-extensions = ">=4.1"
 # We enforce that we have a `cryptography` version that bundles an `openssl`
 # with the latest security patches.
 cryptography = ">=3.4.7"
@@ -234,10 +222,9 @@ ijson = ">=3.1.4"
 matrix-common = "^1.3.0"
 # We need packaging.verison.Version(...).major added in 20.0.
 packaging = ">=20.0"
-pydantic = [
-    { version = "~=2.8", python = "<3.14" },
-    { version = "~=2.12", python = ">=3.14" },
-]
+# We support pydantic v1 and pydantic v2 via the pydantic.v1 compat module.
+# See https://github.com/matrix-org/synapse/issues/15858
+pydantic = ">=1.7.4, <3"

 # This is for building the rust components during "poetry install", which
 # currently ignores the `build-system.requires` directive (c.f.
@@ -265,12 +252,10 @@ authlib = { version = ">=0.15.1", optional = true }
 # `contrib/systemd/log_config.yaml`.
 # Note: systemd-python 231 appears to have been yanked from pypi
 systemd-python = { version = ">=231", optional = true }
-# 4.6.3 removes usage of _PyGen_Send which is unavailable in CPython as of Python 3.10.
-lxml = { version = ">=4.6.3", optional = true }
+lxml = { version = ">=4.5.2", optional = true }
 sentry-sdk = { version = ">=0.7.2", optional = true }
 opentracing = { version = ">=2.2.0", optional = true }
-# 4.2.0 updates collections.abc imports to avoid Python 3.10 incompatibility.
-jaeger-client = { version = ">=4.2.0", optional = true }
+jaeger-client = { version = ">=4.0.0", optional = true }
 txredisapi = { version = ">=1.4.7", optional = true }
 hiredis = { version = "*", optional = true }
 Pympler = { version = "*", optional = true }
@@ -334,12 +319,14 @@ all = [
    #   - systemd: this is a system-based requirement
 ]

-[tool.poetry.group.dev.dependencies]
+[tool.poetry.dev-dependencies]
 # We pin development dependencies in poetry.lock so that our tests don't start
 # failing on new releases. Keeping lower bounds loose here means that dependabot
 # can bump versions without having to update the content-hash in the lockfile.
 # This helps prevents merge conflicts when running a batch of dependabot updates.
-ruff = "0.12.10"
+ruff = "0.12.7"
+# Type checking only works with the pydantic.v1 compat module from pydantic v2
+pydantic = "^2"

 # Typechecking
 lxml-stubs = ">=0.4.0"
@@ -369,7 +356,7 @@ click = ">=8.1.3"
 # GitPython was == 3.1.14; bumped to 3.1.20, the first release with type hints.
 GitPython = ">=3.1.20"
 markdown-it-py = ">=3.0.0"
-pygithub = ">=1.59"
+pygithub = ">=1.55"
 # The following are executed as commands by the release script.
 twine = "*"
 # Towncrier min version comes from https://github.com/matrix-org/synapse/pull/3425. Rationale unclear.
@@ -394,10 +381,10 @@ build-backend = "poetry.core.masonry.api"
 # Skip unsupported platforms (by us or by Rust).
 # See https://cibuildwheel.readthedocs.io/en/stable/options/#build-skip for the list of build targets.
 # We skip:
-#  - CPython 3.8: EOLed
+#  - CPython and PyPy 3.8: EOLed
 #  - musllinux i686: excluded to reduce number of wheels we build.
 #    c.f. https://github.com/matrix-org/synapse/pull/12595#discussion_r963107677
-skip = "cp38* *-musllinux_i686"
+skip = "cp38* pp38* *-musllinux_i686"
 # Enable non-default builds.
 # "pypy" used to be included by default up until cibuildwheel 3.
 enable = "pypy"
--- a/rust/Cargo.toml
+++ b/rust/Cargo.toml
@@ -30,14 +30,14 @@ http = "1.1.0"
 lazy_static = "1.4.0"
 log = "0.4.17"
 mime = "0.3.17"
-pyo3 = { version = "0.26.0", features = [
+pyo3 = { version = "0.25.1", features = [
    "macros",
    "anyhow",
    "abi3",
-    "abi3-py310",
+    "abi3-py39",
 ] }
-pyo3-log = "0.13.1"
-pythonize = "0.26.0"
+pyo3-log = "0.12.4"
+pythonize = "0.25.0"
 regex = "1.6.0"
 sha2 = "0.10.8"
 serde = { version = "1.0.144", features = ["derive"] }
--- a/rust/src/events/internal_metadata.rs
+++ b/rust/src/events/internal_metadata.rs
@@ -41,7 +41,7 @@ use pyo3::{
    pybacked::PyBackedStr,
    pyclass, pymethods,
    types::{PyAnyMethods, PyDict, PyDictMethods, PyString},
-    Bound, IntoPyObject, Py, PyAny, PyResult, Python,
+    Bound, IntoPyObject, PyAny, PyObject, PyResult, Python,
 };

 use crate::UnwrapInfallible;
@@ -289,7 +289,7 @@ impl EventInternalMetadata {
    /// Get a dict holding the data stored in the `internal_metadata` column in the database.
    ///
    /// Note that `outlier` and `stream_ordering` are stored in separate columns so are not returned here.
-    fn get_dict(&self, py: Python<'_>) -> PyResult<Py<PyAny>> {
+    fn get_dict(&self, py: Python<'_>) -> PyResult<PyObject> {
        let dict = PyDict::new(py);

        for entry in &self.data {
--- a/rust/src/http_client.rs
+++ b/rust/src/http_client.rs
@@ -12,7 +12,7 @@
 * <https://www.gnu.org/licenses/agpl-3.0.html>.
 */

-use std::{collections::HashMap, future::Future, sync::OnceLock};
+use std::{collections::HashMap, future::Future};

 use anyhow::Context;
 use futures::TryStreamExt;
@@ -134,10 +134,10 @@ fn get_runtime<'a>(reactor: &Bound<'a, PyAny>) -> PyResult<PyRef<'a, PyTokioRunt
 }

 /// A reference to the `twisted.internet.defer` module.
-static DEFER: OnceCell<Py<PyAny>> = OnceCell::new();
+static DEFER: OnceCell<PyObject> = OnceCell::new();

 /// Access to the `twisted.internet.defer` module.
-fn defer(py: Python<'_>) -> PyResult<&Bound<'_, PyAny>> {
+fn defer(py: Python<'_>) -> PyResult<&Bound<PyAny>> {
    Ok(DEFER
        .get_or_try_init(|| py.import("twisted.internet.defer").map(Into::into))?
        .bind(py))
@@ -165,7 +165,7 @@ pub fn register_module(py: Python<'_>, m: &Bound<'_, PyModule>) -> PyResult<()>
 #[pyclass]
 struct HttpClient {
    client: reqwest::Client,
-    reactor: Py<PyAny>,
+    reactor: PyObject,
 }

 #[pymethods]
@@ -237,7 +237,7 @@ impl HttpClient {
                return Err(HttpResponseException::new(status, buffer));
            }

-            let r = Python::attach(|py| buffer.into_pyobject(py).map(|o| o.unbind()))?;
+            let r = Python::with_gil(|py| buffer.into_pyobject(py).map(|o| o.unbind()))?;

            Ok(r)
        })
@@ -270,7 +270,7 @@ where
    handle.spawn(async move {
        let res = task.await;

-        Python::attach(move |py| {
+        Python::with_gil(move |py| {
            // Flatten the panic into standard python error
            let res = match res {
                Ok(r) => r,
@@ -299,22 +299,5 @@ where
        });
    });

-    // Make the deferred follow the Synapse logcontext rules
-    make_deferred_yieldable(py, &deferred)
-}
-
-static MAKE_DEFERRED_YIELDABLE: OnceLock<pyo3::Py<pyo3::PyAny>> = OnceLock::new();
-
-/// Given a deferred, make it follow the Synapse logcontext rules
-fn make_deferred_yieldable<'py>(
-    py: Python<'py>,
-    deferred: &Bound<'py, PyAny>,
-) -> PyResult<Bound<'py, PyAny>> {
-    let make_deferred_yieldable = MAKE_DEFERRED_YIELDABLE.get_or_init(|| {
-        let sys = PyModule::import(py, "synapse.logging.context").unwrap();
-        let func = sys.getattr("make_deferred_yieldable").unwrap().unbind();
-        func
-    });
-
-    make_deferred_yieldable.call1(py, (deferred,))?.extract(py)
+    Ok(deferred)
 }
--- a/rust/src/push/base_rules.rs
+++ b/rust/src/push/base_rules.rs
@@ -289,10 +289,10 @@ pub const BASE_APPEND_CONTENT_RULES: &[PushRule] = &[PushRule {
    default_enabled: true,
 }];

-pub const BASE_APPEND_POSTCONTENT_RULES: &[PushRule] = &[
+pub const BASE_APPEND_UNDERRIDE_RULES: &[PushRule] = &[
    PushRule {
-        rule_id: Cow::Borrowed("global/postcontent/.io.element.msc4306.rule.unsubscribed_thread"),
-        priority_class: 6,
+        rule_id: Cow::Borrowed("global/content/.io.element.msc4306.rule.unsubscribed_thread"),
+        priority_class: 1,
        conditions: Cow::Borrowed(&[Condition::Known(
            KnownCondition::Msc4306ThreadSubscription { subscribed: false },
        )]),
@@ -301,8 +301,8 @@ pub const BASE_APPEND_POSTCONTENT_RULES: &[PushRule] = &[
        default_enabled: true,
    },
    PushRule {
-        rule_id: Cow::Borrowed("global/postcontent/.io.element.msc4306.rule.subscribed_thread"),
-        priority_class: 6,
+        rule_id: Cow::Borrowed("global/content/.io.element.msc4306.rule.subscribed_thread"),
+        priority_class: 1,
        conditions: Cow::Borrowed(&[Condition::Known(
            KnownCondition::Msc4306ThreadSubscription { subscribed: true },
        )]),
@@ -310,9 +310,6 @@ pub const BASE_APPEND_POSTCONTENT_RULES: &[PushRule] = &[
        default: true,
        default_enabled: true,
    },
-];
-
-pub const BASE_APPEND_UNDERRIDE_RULES: &[PushRule] = &[
    PushRule {
        rule_id: Cow::Borrowed("global/underride/.m.rule.call"),
        priority_class: 1,
@@ -729,7 +726,6 @@ lazy_static! {
            .iter()
            .chain(BASE_APPEND_OVERRIDE_RULES.iter())
            .chain(BASE_APPEND_CONTENT_RULES.iter())
-            .chain(BASE_APPEND_POSTCONTENT_RULES.iter())
            .chain(BASE_APPEND_UNDERRIDE_RULES.iter())
            .map(|rule| { (&*rule.rule_id, rule) })
            .collect();
--- a/rust/src/push/mod.rs
+++ b/rust/src/push/mod.rs
@@ -527,7 +527,6 @@ impl PushRules {
            .chain(base_rules::BASE_APPEND_OVERRIDE_RULES.iter())
            .chain(self.content.iter())
            .chain(base_rules::BASE_APPEND_CONTENT_RULES.iter())
-            .chain(base_rules::BASE_APPEND_POSTCONTENT_RULES.iter())
            .chain(self.room.iter())
            .chain(self.sender.iter())
            .chain(self.underride.iter())
--- a/rust/src/rendezvous/mod.rs
+++ b/rust/src/rendezvous/mod.rs
@@ -29,7 +29,7 @@ use pyo3::{
    exceptions::PyValueError,
    pyclass, pymethods,
    types::{PyAnyMethods, PyModule, PyModuleMethods},
-    Bound, IntoPyObject, Py, PyAny, PyResult, Python,
+    Bound, IntoPyObject, Py, PyAny, PyObject, PyResult, Python,
 };
 use ulid::Ulid;

@@ -56,7 +56,7 @@ fn prepare_headers(headers: &mut HeaderMap, session: &Session) {
 #[pyclass]
 struct RendezvousHandler {
    base: Uri,
-    clock: Py<PyAny>,
+    clock: PyObject,
    sessions: BTreeMap<Ulid, Session>,
    capacity: usize,
    max_content_length: u64,
--- a/schema/synapse-config.schema.yaml
+++ b/schema/synapse-config.schema.yaml
@@ -1,5 +1,5 @@
 $schema: https://element-hq.github.io/synapse/latest/schema/v1/meta.schema.json
-$id: https://element-hq.github.io/synapse/schema/synapse/v1.141/synapse-config.schema.json
+$id: https://element-hq.github.io/synapse/schema/synapse/v1.137/synapse-config.schema.json
 type: object
 properties:
  modules:
@@ -2259,8 +2259,9 @@ properties:
      Setting this to a high value allows users to report content quickly, possibly in
      duplicate. This can result in higher database usage.
    default:
-      per_second: 1.0
-      burst_count: 5.0
+      per_user:
+        per_second: 1.0
+        burst_count: 5.0
    examples:
      - per_second: 2.0
        burst_count: 20.0
@@ -2269,8 +2270,9 @@ properties:
    description: >-
      Sets rate limits for how often users are able to create rooms.
    default:
-      per_second: 0.016
-      burst_count: 10.0
+      per_user:
+        per_second: 0.016
+        burst_count: 10.0
    examples:
      - per_second: 1.0
        burst_count: 5.0
@@ -2413,15 +2415,8 @@ properties:
      A list of media upload limits defining how much data a given user can
      upload in a given time period.

-      These limits are applied in addition to the `max_upload_size` limit above
-      (which applies to individual uploads).
-

      An empty list means no limits are applied.
-
-
-      These settings can be overridden using the `get_media_upload_limits_for_user`
-      module API [callback](../../modules/media_repository_callbacks.md#get_media_upload_limits_for_user).
    default: []
    items:
      time_period:
@@ -2884,35 +2879,6 @@ properties:
    default: true
    examples:
      - false
-  matrix_rtc:
-    type: object 
-    description: >-
-      Options related to MatrixRTC.
-    properties:
-      transports:
-        type: array
-        items:
-          type: object
-          required:
-            - type
-          properties:
-            type:
-              type: string
-              description: The type of transport to use to connect to the selective forwarding unit (SFU).
-              example: livekit
-            livekit_service_url:
-              type: string
-              description: >-
-                The base URL of the LiveKit service. Should only be used with LiveKit-based transports.
-              example: https://matrix-rtc.example.com/livekit/jwt
-        description:
-          A list of transport types and arguments to use for MatrixRTC connections.
-        default: []
-    default: {}
-    examples:
-      - transports:
-        - type: livekit
-          livekit_service_url: https://matrix-rtc.example.com/livekit/jwt
  enable_registration:
    type: boolean
    description: >-
@@ -4695,9 +4661,8 @@ properties:
      pepper:
        type: ["string", "null"]
        description: >-
-          A secret random string that will be appended to user's passwords
-          before they are hashed. This improves the security of short passwords.
-          DO NOT CHANGE THIS AFTER INITIAL SETUP!
+          Set the value here to a secret random string for extra security. DO
+          NOT CHANGE THIS AFTER INITIAL SETUP!
        default: null
      policy:
        type: object
--- a/scripts-dev/build_debian_packages.py
+++ b/scripts-dev/build_debian_packages.py
@@ -18,20 +18,21 @@ import sys
 import threading
 from concurrent.futures import ThreadPoolExecutor
 from types import FrameType
-from typing import Collection, Optional, Sequence
+from typing import Collection, Optional, Sequence, Set

 # These are expanded inside the dockerfile to be a fully qualified image name.
-# e.g. docker.io/library/debian:bookworm
+# e.g. docker.io/library/debian:bullseye
 #
 # If an EOL is forced by a Python version and we're dropping support for it, make sure
-# to remove references to the distibution across Synapse (search for "bookworm" for
+# to remove references to the distibution across Synapse (search for "bullseye" for
 # example)
 DISTS = (
+    "debian:bullseye",  # (EOL ~2024-07) (our EOL forced by Python 3.9 is 2025-10-05)
    "debian:bookworm",  # (EOL 2026-06) (our EOL forced by Python 3.11 is 2027-10-24)
    "debian:sid",  # (rolling distro, no EOL)
    "ubuntu:jammy",  # 22.04 LTS (EOL 2027-04) (our EOL forced by Python 3.10 is 2026-10-04)
    "ubuntu:noble",  # 24.04 LTS (EOL 2029-06)
-    "ubuntu:plucky",  # 25.04 (EOL 2026-01)
+    "ubuntu:oracular",  # 24.10 (EOL 2025-07)
    "debian:trixie",  # (EOL not specified yet)
 )

@@ -53,7 +54,7 @@ class Builder:
    ):
        self.redirect_stdout = redirect_stdout
        self._docker_build_args = tuple(docker_build_args or ())
-        self.active_containers: set[str] = set()
+        self.active_containers: Set[str] = set()
        self._lock = threading.Lock()
        self._failed = False

--- a/scripts-dev/check_locked_deps_have_sdists.py
+++ b/scripts-dev/check_locked_deps_have_sdists.py
@@ -21,6 +21,7 @@
 #
 import sys
 from pathlib import Path
+from typing import Dict, List

 import tomli

@@ -32,7 +33,7 @@ def main() -> None:

    # Poetry 1.3+ lockfile format:
    # There's a `files` inline table in each [[package]]
-    packages_to_assets: dict[str, list[dict[str, str]]] = {
+    packages_to_assets: Dict[str, List[Dict[str, str]]] = {
        package["name"]: package["files"] for package in lockfile_content["package"]
    }

--- a/scripts-dev/check_pydantic_models.py
+++ b/scripts-dev/check_pydantic_models.py
@@ -0,0 +1,478 @@
+#! /usr/bin/env python
+#
+# This file is licensed under the Affero General Public License (AGPL) version 3.
+#
+# Copyright 2022 The Matrix.org Foundation C.I.C.
+# Copyright (C) 2023 New Vector, Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# See the GNU Affero General Public License for more details:
+# <https://www.gnu.org/licenses/agpl-3.0.html>.
+#
+# Originally licensed under the Apache License, Version 2.0:
+# <http://www.apache.org/licenses/LICENSE-2.0>.
+#
+# [This file includes modifications made by New Vector Limited]
+#
+#
+"""
+A script which enforces that Synapse always uses strict types when defining a Pydantic
+model.
+
+Pydantic does not yet offer a strict mode, but it is planned for pydantic v2. See
+
+    https://github.com/pydantic/pydantic/issues/1098
+    https://pydantic-docs.helpmanual.io/blog/pydantic-v2/#strict-mode
+
+until then, this script is a best effort to stop us from introducing type coersion bugs
+(like the infamous stringy power levels fixed in room version 10).
+"""
+
+import argparse
+import contextlib
+import functools
+import importlib
+import logging
+import os
+import pkgutil
+import sys
+import textwrap
+import traceback
+import unittest.mock
+from contextlib import contextmanager
+from typing import (
+    Any,
+    Callable,
+    Dict,
+    Generator,
+    List,
+    Set,
+    Type,
+    TypeVar,
+)
+
+from parameterized import parameterized
+from typing_extensions import ParamSpec
+
+from synapse._pydantic_compat import (
+    BaseModel as PydanticBaseModel,
+    conbytes,
+    confloat,
+    conint,
+    constr,
+    get_args,
+)
+
+logger = logging.getLogger(__name__)
+
+CONSTRAINED_TYPE_FACTORIES_WITH_STRICT_FLAG: List[Callable] = [
+    constr,
+    conbytes,
+    conint,
+    confloat,
+]
+
+TYPES_THAT_PYDANTIC_WILL_COERCE_TO = [
+    str,
+    bytes,
+    int,
+    float,
+    bool,
+]
+
+
+P = ParamSpec("P")
+R = TypeVar("R")
+
+
+class ModelCheckerException(Exception):
+    """Dummy exception. Allows us to detect unwanted types during a module import."""
+
+
+class MissingStrictInConstrainedTypeException(ModelCheckerException):
+    factory_name: str
+
+    def __init__(self, factory_name: str):
+        self.factory_name = factory_name
+
+
+class FieldHasUnwantedTypeException(ModelCheckerException):
+    message: str
+
+    def __init__(self, message: str):
+        self.message = message
+
+
+def make_wrapper(factory: Callable[P, R]) -> Callable[P, R]:
+    """We patch `constr` and friends with wrappers that enforce strict=True."""
+
+    @functools.wraps(factory)
+    def wrapper(*args: P.args, **kwargs: P.kwargs) -> R:
+        if "strict" not in kwargs:
+            raise MissingStrictInConstrainedTypeException(factory.__name__)
+        if not kwargs["strict"]:
+            raise MissingStrictInConstrainedTypeException(factory.__name__)
+        return factory(*args, **kwargs)
+
+    return wrapper
+
+
+def field_type_unwanted(type_: Any) -> bool:
+    """Very rough attempt to detect if a type is unwanted as a Pydantic annotation.
+
+    At present, we exclude types which will coerce, or any generic type involving types
+    which will coerce."""
+    logger.debug("Is %s unwanted?")
+    if type_ in TYPES_THAT_PYDANTIC_WILL_COERCE_TO:
+        logger.debug("yes")
+        return True
+    logger.debug("Maybe. Subargs are %s", get_args(type_))
+    rv = any(field_type_unwanted(t) for t in get_args(type_))
+    logger.debug("Conclusion: %s %s unwanted", type_, "is" if rv else "is not")
+    return rv
+
+
+class PatchedBaseModel(PydanticBaseModel):
+    """A patched version of BaseModel that inspects fields after models are defined.
+
+    We complain loudly if we see an unwanted type.
+
+    Beware: ModelField.type_ is presumably private; this is likely to be very brittle.
+    """
+
+    @classmethod
+    def __init_subclass__(cls: Type[PydanticBaseModel], **kwargs: object):
+        for field in cls.__fields__.values():
+            # Note that field.type_ and field.outer_type are computed based on the
+            # annotation type, see pydantic.fields.ModelField._type_analysis
+            if field_type_unwanted(field.outer_type_):
+                # TODO: this only reports the first bad field. Can we find all bad ones
+                #  and report them all?
+                raise FieldHasUnwantedTypeException(
+                    f"{cls.__module__}.{cls.__qualname__} has field '{field.name}' "
+                    f"with unwanted type `{field.outer_type_}`"
+                )
+
+
+@contextmanager
+def monkeypatch_pydantic() -> Generator[None, None, None]:
+    """Patch pydantic with our snooping versions of BaseModel and the con* functions.
+
+    If the snooping functions see something they don't like, they'll raise a
+    ModelCheckingException instance.
+    """
+    with contextlib.ExitStack() as patches:
+        # Most Synapse code ought to import the patched objects directly from
+        # `pydantic`. But we also patch their containing modules `pydantic.main` and
+        # `pydantic.types` for completeness.
+        patch_basemodel = unittest.mock.patch(
+            "synapse._pydantic_compat.BaseModel", new=PatchedBaseModel
+        )
+        patches.enter_context(patch_basemodel)
+        for factory in CONSTRAINED_TYPE_FACTORIES_WITH_STRICT_FLAG:
+            wrapper: Callable = make_wrapper(factory)
+            patch = unittest.mock.patch(
+                f"synapse._pydantic_compat.{factory.__name__}", new=wrapper
+            )
+            patches.enter_context(patch)
+        yield
+
+
+def format_model_checker_exception(e: ModelCheckerException) -> str:
+    """Work out which line of code caused e. Format the line in a human-friendly way."""
+    # TODO. FieldHasUnwantedTypeException gives better error messages. Can we ditch the
+    #   patches of constr() etc, and instead inspect fields to look for ConstrainedStr
+    #   with strict=False? There is some difficulty with the inheritance hierarchy
+    #   because StrictStr < ConstrainedStr < str.
+    if isinstance(e, FieldHasUnwantedTypeException):
+        return e.message
+    elif isinstance(e, MissingStrictInConstrainedTypeException):
+        frame_summary = traceback.extract_tb(e.__traceback__)[-2]
+        return (
+            f"Missing `strict=True` from {e.factory_name}() call \n"
+            + traceback.format_list([frame_summary])[0].lstrip()
+        )
+    else:
+        raise ValueError(f"Unknown exception {e}") from e
+
+
+def lint() -> int:
+    """Try to import all of Synapse and see if we spot any Pydantic type coercions.
+
+    Print any problems, then return a status code suitable for sys.exit."""
+    failures = do_lint()
+    if failures:
+        print(f"Found {len(failures)} problem(s)")
+    for failure in sorted(failures):
+        print(failure)
+    return os.EX_DATAERR if failures else os.EX_OK
+
+
+def do_lint() -> Set[str]:
+    """Try to import all of Synapse and see if we spot any Pydantic type coercions."""
+    failures = set()
+
+    with monkeypatch_pydantic():
+        logger.debug("Importing synapse")
+        try:
+            # TODO: make "synapse" an argument so we can target this script at
+            # a subpackage
+            module = importlib.import_module("synapse")
+        except ModelCheckerException as e:
+            logger.warning("Bad annotation found when importing synapse")
+            failures.add(format_model_checker_exception(e))
+            return failures
+
+        try:
+            logger.debug("Fetching subpackages")
+            module_infos = list(
+                pkgutil.walk_packages(module.__path__, f"{module.__name__}.")
+            )
+        except ModelCheckerException as e:
+            logger.warning("Bad annotation found when looking for modules to import")
+            failures.add(format_model_checker_exception(e))
+            return failures
+
+        for module_info in module_infos:
+            logger.debug("Importing %s", module_info.name)
+            try:
+                importlib.import_module(module_info.name)
+            except ModelCheckerException as e:
+                logger.warning(
+                    "Bad annotation found when importing %s", module_info.name
+                )
+                failures.add(format_model_checker_exception(e))
+
+    return failures
+
+
+def run_test_snippet(source: str) -> None:
+    """Exec a snippet of source code in an isolated environment."""
+    # To emulate `source` being called at the top level of the module,
+    # the globals and locals we provide apparently have to be the same mapping.
+    #
+    # > Remember that at the module level, globals and locals are the same dictionary.
+    # > If exec gets two separate objects as globals and locals, the code will be
+    # > executed as if it were embedded in a class definition.
+    globals_: Dict[str, object]
+    locals_: Dict[str, object]
+    globals_ = locals_ = {}
+    exec(textwrap.dedent(source), globals_, locals_)
+
+
+class TestConstrainedTypesPatch(unittest.TestCase):
+    def test_expression_without_strict_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1 import constr
+                except ImportError:
+                    from pydantic import constr
+                constr()
+                """
+            )
+
+    def test_called_as_module_attribute_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                import pydantic
+                pydantic.constr()
+                """
+            )
+
+    def test_wildcard_import_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1 import *
+                except ImportError:
+                    from pydantic import *
+                constr()
+                """
+            )
+
+    def test_alternative_import_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1.types import constr
+                except ImportError:
+                    from pydantic.types import constr
+                constr()
+                """
+            )
+
+    def test_alternative_import_attribute_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1 import types as pydantic_types
+                except ImportError:
+                    from pydantic import types as pydantic_types
+                pydantic_types.constr()
+                """
+            )
+
+    def test_kwarg_but_no_strict_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1 import constr
+                except ImportError:
+                    from pydantic import constr
+                constr(min_length=10)
+                """
+            )
+
+    def test_kwarg_strict_False_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1 import constr
+                except ImportError:
+                    from pydantic import constr
+                constr(strict=False)
+                """
+            )
+
+    def test_kwarg_strict_True_doesnt_raise(self) -> None:
+        with monkeypatch_pydantic():
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1 import constr
+                except ImportError:
+                    from pydantic import constr
+                constr(strict=True)
+                """
+            )
+
+    def test_annotation_without_strict_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1 import constr
+                except ImportError:
+                    from pydantic import constr
+                x: constr()
+                """
+            )
+
+    def test_field_annotation_without_strict_raises(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1 import BaseModel, conint
+                except ImportError:
+                    from pydantic import BaseModel, conint
+                class C:
+                    x: conint()
+                """
+            )
+
+
+class TestFieldTypeInspection(unittest.TestCase):
+    @parameterized.expand(
+        [
+            ("str",),
+            ("bytes"),
+            ("int",),
+            ("float",),
+            ("bool"),
+            ("Optional[str]",),
+            ("Union[None, str]",),
+            ("List[str]",),
+            ("List[List[str]]",),
+            ("Dict[StrictStr, str]",),
+            ("Dict[str, StrictStr]",),
+            ("TypedDict('D', x=int)",),
+        ]
+    )
+    def test_field_holding_unwanted_type_raises(self, annotation: str) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                f"""
+                from typing import *
+                try:
+                    from pydantic.v1 import *
+                except ImportError:
+                    from pydantic import *
+                class C(BaseModel):
+                    f: {annotation}
+                """
+            )
+
+    @parameterized.expand(
+        [
+            ("StrictStr",),
+            ("StrictBytes"),
+            ("StrictInt",),
+            ("StrictFloat",),
+            ("StrictBool"),
+            ("constr(strict=True, min_length=10)",),
+            ("Optional[StrictStr]",),
+            ("Union[None, StrictStr]",),
+            ("List[StrictStr]",),
+            ("List[List[StrictStr]]",),
+            ("Dict[StrictStr, StrictStr]",),
+            ("TypedDict('D', x=StrictInt)",),
+        ]
+    )
+    def test_field_holding_accepted_type_doesnt_raise(self, annotation: str) -> None:
+        with monkeypatch_pydantic():
+            run_test_snippet(
+                f"""
+                from typing import *
+                try:
+                    from pydantic.v1 import *
+                except ImportError:
+                    from pydantic import *
+                class C(BaseModel):
+                    f: {annotation}
+                """
+            )
+
+    def test_field_holding_str_raises_with_alternative_import(self) -> None:
+        with monkeypatch_pydantic(), self.assertRaises(ModelCheckerException):
+            run_test_snippet(
+                """
+                try:
+                    from pydantic.v1.main import BaseModel
+                except ImportError:
+                    from pydantic.main import BaseModel
+                class C(BaseModel):
+                    f: str
+                """
+            )
+
+
+parser = argparse.ArgumentParser()
+parser.add_argument("mode", choices=["lint", "test"], default="lint", nargs="?")
+parser.add_argument("-v", "--verbose", action="store_true")
+
+
+if __name__ == "__main__":
+    args = parser.parse_args(sys.argv[1:])
+    logging.basicConfig(
+        format="%(asctime)s %(name)s:%(lineno)d %(levelname)s %(message)s",
+        level=logging.DEBUG if args.verbose else logging.INFO,
+    )
+    # suppress logs we don't care about
+    logging.getLogger("xmlschema").setLevel(logging.WARNING)
+    if args.mode == "lint":
+        sys.exit(lint())
+    elif args.mode == "test":
+        unittest.main(argv=sys.argv[:1])
--- a/scripts-dev/check_schema_delta.py
+++ b/scripts-dev/check_schema_delta.py
@@ -5,19 +5,15 @@
 # Also checks that schema deltas do not try and create or drop indices.

 import re
-from typing import Any
+from typing import Any, Dict, List

 import click
 import git

 SCHEMA_FILE_REGEX = re.compile(r"^synapse/storage/schema/(.*)/delta/(.*)/(.*)$")
-INDEX_CREATION_REGEX = re.compile(
-    r"CREATE .*INDEX .*ON ([a-z_0-9]+)", flags=re.IGNORECASE
-)
-INDEX_DELETION_REGEX = re.compile(r"DROP .*INDEX ([a-z_0-9]+)", flags=re.IGNORECASE)
-TABLE_CREATION_REGEX = re.compile(
-    r"CREATE .*TABLE.* ([a-z_0-9]+)\s*\(", flags=re.IGNORECASE
-)
+INDEX_CREATION_REGEX = re.compile(r"CREATE .*INDEX .*ON ([a-z_]+)", flags=re.IGNORECASE)
+INDEX_DELETION_REGEX = re.compile(r"DROP .*INDEX ([a-z_]+)", flags=re.IGNORECASE)
+TABLE_CREATION_REGEX = re.compile(r"CREATE .*TABLE ([a-z_]+)", flags=re.IGNORECASE)

 # The base branch we want to check against. We use the main development branch
 # on the assumption that is what we are developing against.
@@ -52,16 +48,16 @@ def main(force_colors: bool) -> None:

    r = repo.git.show(f"origin/{DEVELOP_BRANCH}:synapse/storage/schema/__init__.py")

-    locals: dict[str, Any] = {}
+    locals: Dict[str, Any] = {}
    exec(r, locals)
    current_schema_version = locals["SCHEMA_VERSION"]

-    diffs: list[git.Diff] = repo.remote().refs[DEVELOP_BRANCH].commit.diff(None)
+    diffs: List[git.Diff] = repo.remote().refs[DEVELOP_BRANCH].commit.diff(None)

    # Get the schema version of the local file to check against current schema on develop
    with open("synapse/storage/schema/__init__.py") as file:
        local_schema = file.read()
-    new_locals: dict[str, Any] = {}
+    new_locals: Dict[str, Any] = {}
    exec(local_schema, new_locals)
    local_schema_version = new_locals["SCHEMA_VERSION"]

@@ -177,14 +173,11 @@ def main(force_colors: bool) -> None:
                clause = match.group()

                click.secho(
-                    f"Found delta with index deletion: '{clause}' in {delta_file}",
+                    f"Found delta with index deletion: '{clause}' in {delta_file}\nThese should be in background updates.",
                    fg="red",
                    bold=True,
                    color=force_colors,
                )
-                click.secho(
-                    " ↪ These should be in background updates.",
-                )
                return_code = 1

            # Check for index creation, which is only allowed for tables we've
@@ -195,14 +188,11 @@ def main(force_colors: bool) -> None:
                table_name = match.group(1)
                if table_name not in created_tables:
                    click.secho(
-                        f"Found delta with index creation for existing table: '{clause}' in {delta_file}",
+                        f"Found delta with index creation: '{clause}' in {delta_file}\nThese should be in background updates.",
                        fg="red",
                        bold=True,
                        color=force_colors,
                    )
-                    click.secho(
-                        " ↪ These should be in background updates (or the table should be created in the same delta).",
-                    )
                    return_code = 1

    click.get_current_context().exit(return_code)
--- a/scripts-dev/complement.sh
+++ b/scripts-dev/complement.sh
@@ -230,7 +230,6 @@ test_packages=(
    ./tests/msc3967
    ./tests/msc4140
    ./tests/msc4155
-    ./tests/msc4306
 )

 # Enable dirty runs, so tests will reuse the same container where possible.
--- a/scripts-dev/federation_client.py
+++ b/scripts-dev/federation_client.py
@@ -43,7 +43,7 @@ import argparse
 import base64
 import json
 import sys
-from typing import Any, Mapping, Optional, Union
+from typing import Any, Dict, Mapping, Optional, Tuple, Union
 from urllib import parse as urlparse

 import requests
@@ -147,7 +147,7 @@ def request(
    s = requests.Session()
    s.mount("matrix-federation://", MatrixConnectionAdapter())

-    headers: dict[str, str] = {
+    headers: Dict[str, str] = {
        "Authorization": authorization_headers[0],
    }

@@ -303,7 +303,7 @@ class MatrixConnectionAdapter(HTTPAdapter):
        request: PreparedRequest,
        verify: Optional[Union[bool, str]],
        proxies: Optional[Mapping[str, str]] = None,
-        cert: Optional[Union[tuple[str, str], str]] = None,
+        cert: Optional[Union[Tuple[str, str], str]] = None,
    ) -> HTTPConnectionPool:
        # overrides the get_connection_with_tls_context() method in the base class
        parsed = urlparse.urlsplit(request.url)
@@ -326,7 +326,7 @@ class MatrixConnectionAdapter(HTTPAdapter):
        )

    @staticmethod
-    def _lookup(server_name: str) -> tuple[str, int, str]:
+    def _lookup(server_name: str) -> Tuple[str, int, str]:
        """
        Do an SRV lookup on a server name and return the host:port to connect to
        Given the server_name (after any .well-known lookup), return the host, port and
--- a/scripts-dev/lint.sh
+++ b/scripts-dev/lint.sh
@@ -134,6 +134,9 @@ fi
 # Ensure the formatting of Rust code.
 cargo-fmt

+# Ensure all Pydantic models use strict types.
+./scripts-dev/check_pydantic_models.py lint
+
 # Ensure type hints are correct.
 mypy

--- a/scripts-dev/mypy_synapse_plugin.py
+++ b/scripts-dev/mypy_synapse_plugin.py
@@ -24,7 +24,7 @@ can crop up, e.g the cache descriptors.
 """

 import enum
-from typing import Callable, Mapping, Optional, Union
+from typing import Callable, Mapping, Optional, Tuple, Type, Union

 import attr
 import mypy.types
@@ -68,42 +68,6 @@ PROMETHEUS_METRIC_MISSING_FROM_LIST_TO_CHECK = ErrorCode(
    category="per-homeserver-tenant-metrics",
 )

-PREFER_SYNAPSE_CLOCK_CALL_LATER = ErrorCode(
-    "call-later-not-tracked",
-    "Prefer using `synapse.util.Clock.call_later` instead of `reactor.callLater`",
-    category="synapse-reactor-clock",
-)
-
-PREFER_SYNAPSE_CLOCK_LOOPING_CALL = ErrorCode(
-    "prefer-synapse-clock-looping-call",
-    "Prefer using `synapse.util.Clock.looping_call` instead of `task.LoopingCall`",
-    category="synapse-reactor-clock",
-)
-
-PREFER_SYNAPSE_CLOCK_CALL_WHEN_RUNNING = ErrorCode(
-    "prefer-synapse-clock-call-when-running",
-    "Prefer using `synapse.util.Clock.call_when_running` instead of `reactor.callWhenRunning`",
-    category="synapse-reactor-clock",
-)
-
-PREFER_SYNAPSE_CLOCK_ADD_SYSTEM_EVENT_TRIGGER = ErrorCode(
-    "prefer-synapse-clock-add-system-event-trigger",
-    "Prefer using `synapse.util.Clock.add_system_event_trigger` instead of `reactor.addSystemEventTrigger`",
-    category="synapse-reactor-clock",
-)
-
-MULTIPLE_INTERNAL_CLOCKS_CREATED = ErrorCode(
-    "multiple-internal-clocks",
-    "Only one instance of `clock.Clock` should be created",
-    category="synapse-reactor-clock",
-)
-
-UNTRACKED_BACKGROUND_PROCESS = ErrorCode(
-    "untracked-background-process",
-    "Prefer using `HomeServer.run_as_background_process` method over the bare `run_as_background_process`",
-    category="synapse-tracked-calls",
-)
-

 class Sentinel(enum.Enum):
    # defining a sentinel in this way allows mypy to correctly handle the
@@ -184,8 +148,8 @@ should be in the source code.

 # Unbound at this point because we don't know the mypy version yet.
 # This is set in the `plugin(...)` function below.
-MypyPydanticPluginClass: type[Plugin]
-MypyZopePluginClass: type[Plugin]
+MypyPydanticPluginClass: Type[Plugin]
+MypyZopePluginClass: Type[Plugin]


 class SynapsePlugin(Plugin):
@@ -246,18 +210,6 @@ class SynapsePlugin(Plugin):
            # callback, let's just pass it in while we have it.
            return lambda ctx: check_prometheus_metric_instantiation(ctx, fullname)

-        if fullname == "twisted.internet.task.LoopingCall":
-            return check_looping_call
-
-        if fullname == "synapse.util.clock.Clock":
-            return check_clock_creation
-
-        if (
-            fullname
-            == "synapse.metrics.background_process_metrics.run_as_background_process"
-        ):
-            return check_background_process
-
        return None

    def get_method_signature_hook(
@@ -277,177 +229,9 @@ class SynapsePlugin(Plugin):
        ):
            return check_is_cacheable_wrapper

-        if fullname in (
-            "twisted.internet.interfaces.IReactorTime.callLater",
-            "synapse.types.ISynapseThreadlessReactor.callLater",
-            "synapse.types.ISynapseReactor.callLater",
-        ):
-            return check_call_later
-
-        if fullname in (
-            "twisted.internet.interfaces.IReactorCore.callWhenRunning",
-            "synapse.types.ISynapseThreadlessReactor.callWhenRunning",
-            "synapse.types.ISynapseReactor.callWhenRunning",
-        ):
-            return check_call_when_running
-
-        if fullname in (
-            "twisted.internet.interfaces.IReactorCore.addSystemEventTrigger",
-            "synapse.types.ISynapseThreadlessReactor.addSystemEventTrigger",
-            "synapse.types.ISynapseReactor.addSystemEventTrigger",
-        ):
-            return check_add_system_event_trigger
-
        return None


-def check_clock_creation(ctx: FunctionSigContext) -> CallableType:
-    """
-    Ensure that the only `clock.Clock` instance is the one used by the `HomeServer`.
-    This is so that the `HomeServer` can cancel any tracked delayed or looping calls
-    during server shutdown.
-
-    Args:
-        ctx: The `FunctionSigContext` from mypy.
-    """
-    signature: CallableType = ctx.default_signature
-    ctx.api.fail(
-        "Expected the only `clock.Clock` instance to be the one used by the `HomeServer`. "
-        "This is so that the `HomeServer` can cancel any tracked delayed or looping calls "
-        "during server shutdown",
-        ctx.context,
-        code=MULTIPLE_INTERNAL_CLOCKS_CREATED,
-    )
-
-    return signature
-
-
-def check_call_later(ctx: MethodSigContext) -> CallableType:
-    """
-    Ensure that the `reactor.callLater` callsites aren't used.
-
-    `synapse.util.Clock.call_later` should always be used instead of `reactor.callLater`.
-    This is because the `synapse.util.Clock` tracks delayed calls in order to cancel any
-    outstanding calls during server shutdown. Delayed calls which are either short lived
-    (<~60s) or frequently called and can be tracked via other means could be candidates for
-    using `synapse.util.Clock.call_later` with `call_later_cancel_on_shutdown` set to
-    `False`. There shouldn't be a need to use `reactor.callLater` outside of tests or the
-    `Clock` class itself. If a need arises, you can use a type ignore comment to disable the
-    check, e.g. `# type: ignore[call-later-not-tracked]`.
-
-    Args:
-        ctx: The `FunctionSigContext` from mypy.
-    """
-    signature: CallableType = ctx.default_signature
-    ctx.api.fail(
-        "Expected all `reactor.callLater` calls to use `synapse.util.Clock.call_later` "
-        "instead. This is so that long lived calls can be tracked for cancellation during "
-        "server shutdown",
-        ctx.context,
-        code=PREFER_SYNAPSE_CLOCK_CALL_LATER,
-    )
-
-    return signature
-
-
-def check_looping_call(ctx: FunctionSigContext) -> CallableType:
-    """
-    Ensure that the `task.LoopingCall` callsites aren't used.
-
-    `synapse.util.Clock.looping_call` should always be used instead of `task.LoopingCall`.
-    `synapse.util.Clock` tracks looping calls in order to cancel any outstanding calls
-    during server shutdown.
-
-    Args:
-        ctx: The `FunctionSigContext` from mypy.
-    """
-    signature: CallableType = ctx.default_signature
-    ctx.api.fail(
-        "Expected all `task.LoopingCall` instances to use `synapse.util.Clock.looping_call` "
-        "instead. This is so that long lived calls can be tracked for cancellation during "
-        "server shutdown",
-        ctx.context,
-        code=PREFER_SYNAPSE_CLOCK_LOOPING_CALL,
-    )
-
-    return signature
-
-
-def check_call_when_running(ctx: MethodSigContext) -> CallableType:
-    """
-    Ensure that the `reactor.callWhenRunning` callsites aren't used.
-
-    `synapse.util.Clock.call_when_running` should always be used instead of
-    `reactor.callWhenRunning`.
-
-    Since `reactor.callWhenRunning` is a reactor callback, the callback will start out
-    with the sentinel logcontext. `synapse.util.Clock` starts a default logcontext as we
-    want to know which server the logs came from.
-
-    Args:
-        ctx: The `FunctionSigContext` from mypy.
-    """
-    signature: CallableType = ctx.default_signature
-    ctx.api.fail(
-        (
-            "Expected all `reactor.callWhenRunning` calls to use `synapse.util.Clock.call_when_running` instead. "
-            "This is so all Synapse code runs with a logcontext as we want to know which server the logs came from."
-        ),
-        ctx.context,
-        code=PREFER_SYNAPSE_CLOCK_CALL_WHEN_RUNNING,
-    )
-
-    return signature
-
-
-def check_add_system_event_trigger(ctx: MethodSigContext) -> CallableType:
-    """
-    Ensure that the `reactor.addSystemEventTrigger` callsites aren't used.
-
-    `synapse.util.Clock.add_system_event_trigger` should always be used instead of
-    `reactor.addSystemEventTrigger`.
-
-    Since `reactor.addSystemEventTrigger` is a reactor callback, the callback will start out
-    with the sentinel logcontext. `synapse.util.Clock` starts a default logcontext as we
-    want to know which server the logs came from.
-
-    Args:
-        ctx: The `FunctionSigContext` from mypy.
-    """
-    signature: CallableType = ctx.default_signature
-    ctx.api.fail(
-        (
-            "Expected all `reactor.addSystemEventTrigger` calls to use `synapse.util.Clock.add_system_event_trigger` instead. "
-            "This is so all Synapse code runs with a logcontext as we want to know which server the logs came from."
-        ),
-        ctx.context,
-        code=PREFER_SYNAPSE_CLOCK_ADD_SYSTEM_EVENT_TRIGGER,
-    )
-
-    return signature
-
-
-def check_background_process(ctx: FunctionSigContext) -> CallableType:
-    """
-    Ensure that calls to `run_as_background_process` use the `HomeServer` method.
-    This is so that the `HomeServer` can cancel any running background processes during
-    server shutdown.
-
-    Args:
-        ctx: The `FunctionSigContext` from mypy.
-    """
-    signature: CallableType = ctx.default_signature
-    ctx.api.fail(
-        "Prefer using `HomeServer.run_as_background_process` method over the bare "
-        "`run_as_background_process`. This is so that the `HomeServer` can cancel "
-        "any background processes during server shutdown",
-        ctx.context,
-        code=UNTRACKED_BACKGROUND_PROCESS,
-    )
-
-    return signature
-
-
 def analyze_prometheus_metric_classes(ctx: ClassDefContext) -> None:
    """
    Cross-check the list of Prometheus metric classes against the
@@ -795,7 +579,7 @@ AT_CACHED_MUTABLE_RETURN = ErrorCode(

 def is_cacheable(
    rt: mypy.types.Type, signature: CallableType, verbose: bool
-) -> tuple[bool, Optional[str]]:
+) -> Tuple[bool, Optional[str]]:
    """
    Check if a particular type is cachable.

@@ -905,7 +689,7 @@ def is_cacheable(
        return False, f"Don't know how to handle {type(rt).__qualname__} return type"


-def plugin(version: str) -> type[SynapsePlugin]:
+def plugin(version: str) -> Type[SynapsePlugin]:
    global MypyPydanticPluginClass, MypyZopePluginClass
    # This is the entry point of the plugin, and lets us deal with the fact
    # that the mypy plugin interface is *not* stable by looking at the version
--- a/scripts-dev/release.py
+++ b/scripts-dev/release.py
@@ -32,13 +32,11 @@ import time
 import urllib.request
 from os import path
 from tempfile import TemporaryDirectory
-from typing import Any, Match, Optional, Union
+from typing import Any, List, Match, Optional, Union

 import attr
 import click
 import git
-import github
-import github.Auth
 from click.exceptions import ClickException
 from git import GitCommandError, Repo
 from github import BadCredentialsException, Github
@@ -316,10 +314,7 @@ def _prepare() -> None:
    )

    print("Opening the changelog in your browser...")
-    print(
-        "Please review it using the release notes review checklist: https://element-hq.github.io/synapse/develop/development/internal_documentation/release_notes_review_checklist.html"
-    )
-    print("And post it in #synapse-dev for cursory review from the team.")
+    print("Please ask #synapse-dev to give it a check.")
    click.launch(
        f"https://github.com/element-hq/synapse/blob/{synapse_repo.active_branch.name}/CHANGES.md"
    )
@@ -402,7 +397,7 @@ def _tag(gh_token: Optional[str]) -> None:
        return

    # Create a new draft release
-    gh = Github(auth=github.Auth.Token(token=gh_token))
+    gh = Github(gh_token)
    gh_repo = gh.get_repo("element-hq/synapse")
    release = gh_repo.create_git_release(
        tag=tag_name,
@@ -433,7 +428,7 @@ def _publish(gh_token: str) -> None:

    if gh_token:
        # Test that the GH Token is valid before continuing.
-        gh = Github(auth=github.Auth.Token(token=gh_token))
+        gh = Github(gh_token)
        gh.get_user()

    # Make sure we're in a git repo.
@@ -446,7 +441,7 @@ def _publish(gh_token: str) -> None:
        return

    # Publish the draft release
-    gh = Github(auth=github.Auth.Token(token=gh_token))
+    gh = Github(gh_token)
    gh_repo = gh.get_repo("element-hq/synapse")
    for release in gh_repo.get_releases():
        if release.title == tag_name:
@@ -491,13 +486,8 @@ def _upload(gh_token: Optional[str]) -> None:
        click.echo(f"Tag {tag_name} ({tag.commit}) is not currently checked out!")
        click.get_current_context().abort()

-    if gh_token:
-        gh = Github(auth=github.Auth.Token(token=gh_token))
-    else:
-        # Use github anonymously.
-        gh = Github()
-
    # Query all the assets corresponding to this release.
+    gh = Github(gh_token)
    gh_repo = gh.get_repo("element-hq/synapse")
    gh_release = gh_repo.get_release(tag_name)

@@ -649,16 +639,7 @@ def _notify(message: str) -> None:


@cli.command()
-# Although this option is not used, allow it anyways. Otherwise the user will
-# receive an error when providing it, which is annoying as other commands accept
-# it.
-@click.option(
-    "--gh-token",
-    "_gh_token",
-    envvar=["GH_TOKEN", "GITHUB_TOKEN"],
-    required=False,
-)
-def merge_back(_gh_token: Optional[str]) -> None:
+def merge_back() -> None:
    _merge_back()


@@ -706,16 +687,7 @@ def _merge_back() -> None:


@cli.command()
-# Although this option is not used, allow it anyways. Otherwise the user will
-# receive an error when providing it, which is annoying as other commands accept
-# it.
-@click.option(
-    "--gh-token",
-    "_gh_token",
-    envvar=["GH_TOKEN", "GITHUB_TOKEN"],
-    required=False,
-)
-def announce(_gh_token: Optional[str]) -> None:
+def announce() -> None:
    _announce()


@@ -724,31 +696,18 @@ def _announce() -> None:

    current_version = get_package_version()
    tag_name = f"v{current_version}"
-    is_rc = "rc" in tag_name
-
-    release_text = f"""
-### Synapse {current_version} {"🧪" if is_rc else "🚀"}

+    click.echo(
+        f"""
 Hi everyone. Synapse {current_version} has just been released.
-"""

-    if "rc" in tag_name:
-        release_text += (
-            "\nThis is a release candidate. Please help us test it out "
-            "before the final release by deploying it to non-production environments, "
-            "and reporting any issues you find to "
-            "[the issue tracker](https://github.com/element-hq/synapse/issues). Thanks!\n"
-        )
-
-    release_text += f"""
 [notes](https://github.com/element-hq/synapse/releases/tag/{tag_name}) | \
 [docker](https://hub.docker.com/r/matrixdotorg/synapse/tags?name={tag_name}) | \
 [debs](https://packages.matrix.org/debian/) | \
 [pypi](https://pypi.org/project/matrix-synapse/{current_version}/)"""
+    )

-    click.echo(release_text)
-
-    if is_rc:
+    if "rc" in tag_name:
        click.echo(
            """
 Announce the RC in
@@ -773,7 +732,7 @@ Ask the designated people to do the blog and tweets."""
 def full(gh_token: str) -> None:
    if gh_token:
        # Test that the GH Token is valid before continuing.
-        gh = Github(auth=github.Auth.Token(token=gh_token))
+        gh = Github(gh_token)
        gh.get_user()

    click.echo("1. If this is a security release, read the security wiki page.")
@@ -842,12 +801,8 @@ def get_repo_and_check_clean_checkout(
        raise click.ClickException(
            f"{path} is not a git repository (expecting a {name} repository)."
        )
-    while repo.is_dirty():
-        if not click.confirm(
-            f"Uncommitted changes exist in {path}. Commit or stash them. Ready to continue?"
-        ):
-            raise click.ClickException("Aborted.")
-
+    if repo.is_dirty():
+        raise click.ClickException(f"Uncommitted changes exist in {path}.")
    return repo


@@ -859,7 +814,7 @@ def check_valid_gh_token(gh_token: Optional[str]) -> None:
        return

    try:
-        gh = Github(auth=github.Auth.Token(token=gh_token))
+        gh = Github(gh_token)

        # We need to lookup name to trigger a request.
        _name = gh.get_user().name
@@ -906,7 +861,7 @@ def get_changes_for_version(wanted_version: version.Version) -> str:
        start_line: int
        end_line: Optional[int] = None  # Is none if its the last entry

-    headings: list[VersionSection] = []
+    headings: List[VersionSection] = []
    for i, token in enumerate(tokens):
        # We look for level 1 headings (h1 tags).
        if token.type != "heading_open" or token.tag != "h1":
--- a/scripts-dev/schema_versions.py
+++ b/scripts-dev/schema_versions.py
@@ -38,7 +38,7 @@ import io
 import json
 import sys
 from collections import defaultdict
-from typing import Any, Iterator, Optional
+from typing import Any, Dict, Iterator, Optional, Tuple

 import git
 from packaging import version
@@ -57,7 +57,7 @@ SCHEMA_VERSION_FILES = (
 OLDEST_SHOWN_VERSION = version.parse("v1.0")


-def get_schema_versions(tag: git.Tag) -> tuple[Optional[int], Optional[int]]:
+def get_schema_versions(tag: git.Tag) -> Tuple[Optional[int], Optional[int]]:
    """Get the schema and schema compat versions for a tag."""
    schema_version = None
    schema_compat_version = None
@@ -81,7 +81,7 @@ def get_schema_versions(tag: git.Tag) -> tuple[Optional[int], Optional[int]]:
            # SCHEMA_COMPAT_VERSION is sometimes across multiple lines, the easist
            # thing to do is exec the code. Luckily it has only ever existed in
            # a file which imports nothing else from Synapse.
-            locals: dict[str, Any] = {}
+            locals: Dict[str, Any] = {}
            exec(schema_file.data_stream.read().decode("utf-8"), {}, locals)
            schema_version = locals["SCHEMA_VERSION"]
            schema_compat_version = locals.get("SCHEMA_COMPAT_VERSION")
--- a/scripts-dev/sign_json.py
+++ b/scripts-dev/sign_json.py
@@ -30,7 +30,7 @@ from signedjson.sign import sign_json

 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
 from synapse.crypto.event_signing import add_hashes_and_signatures
-from synapse.util.json import json_encoder
+from synapse.util import json_encoder


 def main() -> None:
--- a/stubs/sortedcontainers/sorteddict.pyi
+++ b/stubs/sortedcontainers/sorteddict.pyi
@@ -7,14 +7,18 @@ from __future__ import annotations
 from typing import (
    Any,
    Callable,
+    Dict,
    Hashable,
    ItemsView,
    Iterable,
    Iterator,
    KeysView,
+    List,
    Mapping,
    Optional,
    Sequence,
+    Tuple,
+    Type,
    TypeVar,
    Union,
    ValuesView,
@@ -31,14 +35,14 @@ _VT_co = TypeVar("_VT_co", covariant=True)
 _SD = TypeVar("_SD", bound=SortedDict)
 _Key = Callable[[_T], Any]

-class SortedDict(dict[_KT, _VT]):
+class SortedDict(Dict[_KT, _VT]):
    @overload
    def __init__(self, **kwargs: _VT) -> None: ...
    @overload
    def __init__(self, __map: Mapping[_KT, _VT], **kwargs: _VT) -> None: ...
    @overload
    def __init__(
-        self, __iterable: Iterable[tuple[_KT, _VT]], **kwargs: _VT
+        self, __iterable: Iterable[Tuple[_KT, _VT]], **kwargs: _VT
    ) -> None: ...
    @overload
    def __init__(self, __key: _Key[_KT], **kwargs: _VT) -> None: ...
@@ -48,7 +52,7 @@ class SortedDict(dict[_KT, _VT]):
    ) -> None: ...
    @overload
    def __init__(
-        self, __key: _Key[_KT], __iterable: Iterable[tuple[_KT, _VT]], **kwargs: _VT
+        self, __key: _Key[_KT], __iterable: Iterable[Tuple[_KT, _VT]], **kwargs: _VT
    ) -> None: ...
    @property
    def key(self) -> Optional[_Key[_KT]]: ...
@@ -80,8 +84,8 @@ class SortedDict(dict[_KT, _VT]):
    def pop(self, key: _KT) -> _VT: ...
    @overload
    def pop(self, key: _KT, default: _T = ...) -> Union[_VT, _T]: ...
-    def popitem(self, index: int = ...) -> tuple[_KT, _VT]: ...
-    def peekitem(self, index: int = ...) -> tuple[_KT, _VT]: ...
+    def popitem(self, index: int = ...) -> Tuple[_KT, _VT]: ...
+    def peekitem(self, index: int = ...) -> Tuple[_KT, _VT]: ...
    def setdefault(self, key: _KT, default: Optional[_VT] = ...) -> _VT: ...
    # Mypy now reports the first overload as an error, because typeshed widened the type
    # of `__map` to its internal `_typeshed.SupportsKeysAndGetItem` type in
@@ -98,9 +102,9 @@ class SortedDict(dict[_KT, _VT]):
    # def update(self, **kwargs: _VT) -> None: ...
    def __reduce__(
        self,
-    ) -> tuple[
-        type[SortedDict[_KT, _VT]],
-        tuple[Callable[[_KT], Any], list[tuple[_KT, _VT]]],
+    ) -> Tuple[
+        Type[SortedDict[_KT, _VT]],
+        Tuple[Callable[[_KT], Any], List[Tuple[_KT, _VT]]],
    ]: ...
    def __repr__(self) -> str: ...
    def _check(self) -> None: ...
@@ -117,20 +121,20 @@ class SortedKeysView(KeysView[_KT_co], Sequence[_KT_co]):
    @overload
    def __getitem__(self, index: int) -> _KT_co: ...
    @overload
-    def __getitem__(self, index: slice) -> list[_KT_co]: ...
+    def __getitem__(self, index: slice) -> List[_KT_co]: ...
    def __delitem__(self, index: Union[int, slice]) -> None: ...

-class SortedItemsView(ItemsView[_KT_co, _VT_co], Sequence[tuple[_KT_co, _VT_co]]):
-    def __iter__(self) -> Iterator[tuple[_KT_co, _VT_co]]: ...
+class SortedItemsView(ItemsView[_KT_co, _VT_co], Sequence[Tuple[_KT_co, _VT_co]]):
+    def __iter__(self) -> Iterator[Tuple[_KT_co, _VT_co]]: ...
    @overload
-    def __getitem__(self, index: int) -> tuple[_KT_co, _VT_co]: ...
+    def __getitem__(self, index: int) -> Tuple[_KT_co, _VT_co]: ...
    @overload
-    def __getitem__(self, index: slice) -> list[tuple[_KT_co, _VT_co]]: ...
+    def __getitem__(self, index: slice) -> List[Tuple[_KT_co, _VT_co]]: ...
    def __delitem__(self, index: Union[int, slice]) -> None: ...

 class SortedValuesView(ValuesView[_VT_co], Sequence[_VT_co]):
    @overload
    def __getitem__(self, index: int) -> _VT_co: ...
    @overload
-    def __getitem__(self, index: slice) -> list[_VT_co]: ...
+    def __getitem__(self, index: slice) -> List[_VT_co]: ...
    def __delitem__(self, index: Union[int, slice]) -> None: ...
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Eric Eastwood	9f03797413	Add note about Fedora packaging Rust libraries See https://github.com/element-hq/synapse/pull/18856#discussion_r2330378204	2025-09-08 19:43:10 -05:00
Eric Eastwood	d3ee33398f	Best effort for application dependencies	2025-09-05 15:10:37 -05:00
Eric Eastwood	8eb1c25211	Add changelog	2025-08-21 19:51:38 -05:00
Eric Eastwood	87bc699dcc	Clarify Python dependency constraints	2025-08-21 19:48:05 -05:00
				`@@ -0,0 +1 @@`
				`Clarify Python dependency constraints in our deprecation policy.`
				`@@ -1 +0,0 @@`
				Fix CI linter for schema delta files to correctly handle all types of `CREATE TABLE` syntax.
				`@@ -1 +0,0 @@`
				`Use type hinting generics in standard collections, as per PEP 585, added in Python 3.9.`
				`@@ -1 +0,0 @@`
				`Update the link to the Debian oldstable package for SQLite.`
				`@@ -1 +0,0 @@`
				Always treat `RETURNING` as supported by SQL engines, now that the minimum-supported versions of both SQLite and PostgreSQL support it.
				`@@ -1 +0,0 @@`
				Remove logcontext problems caused by awaiting raw `deferLater(...)`.
				`@@ -1 +0,0 @@`
				`Fix a bug introduced in 1.111.0 where failed attempts to download authenticated remote media would not be handled correctly.`
				`@@ -1 +0,0 @@`
				`Prevent duplicate logging setup when running multiple Synapse instances.`
				`@@ -1 +0,0 @@`
				`Be mindful of other logging context filters in 3rd-party code and avoid overwriting log record fields unless we know the log record is relevant to Synapse.`