build: Update pyproject.toml to follow standards

This now follows [PEP 517](https://peps.python.org/pep-0517/) and [PEP 621](https://peps.python.org/pep-0621/) to define the metadata of the project, as well as its dependencies. As a result, the toolchain now uses [uv](https://github.com/astral-sh/uv) instead of [poetry](https://python-poetry.org/). The build-backend has been switched to [Hatch](https://hatch.pypa.io/latest/). Fixes #677
2025-04-28 18:02:38 +02:00 · 2024-12-19 11:52:13 +01:00 · 2024-12-19 11:52:13 +01:00 · 9d23077a37
commit 9d23077a37
parent aad17a9150
16 changed files with 1274 additions and 1379 deletions
--- a/BUILD.md
+++ b/BUILD.md
@ -50,7 +50,7 @@ Install dependencies:
  sudo apt install -y python3.9
  ```
-  Poetry will automatically pick up the correct version when running.
+  uv will automatically pick up the correct version when running.
 </details>
    </td>
  </tr>
@ -69,10 +69,10 @@ methods](https://python-poetry.org/docs/#installation))_
 ```sh
 pipx ensurepath
-pipx install poetry
+pipx install uv
 ```
-After this, restart the terminal window, for the `poetry` command to be in your
+After this, restart the terminal window, for the `uv` command to be in your
 `$PATH`.
@ -82,44 +82,39 @@ Clone this repository:
 git clone https://github.com/freedomofpress/dangerzone/
 ```
-Change to the `dangerzone` folder, and install the poetry dependencies:
+Change to the `dangerzone` folder, and install the dependencies:
 > **Note**: due to an issue with [poetry](https://github.com/python-poetry/poetry/issues/1917), if it prompts for your keyring, disable the keyring with `keyring --disable` and run the command again.
 ```
 cd dangerzone
-poetry install
+uv sync
 ```
 Build the latest container:
 ```sh
-python3 ./install/common/build-image.py
+uv run ./install/common/build-image.py
 ```
 Download the OCR language data:
 ```sh
-python3 ./install/common/download-tessdata.py
+uv run ./install/common/download-tessdata.py
 ```
 Run from source tree:
 ```sh
 # start a shell in the virtual environment
 poetry shell
 # run the CLI
-./dev_scripts/dangerzone-cli --help
+uv run ./dev_scripts/dangerzone-cli --help
 # run the GUI
-./dev_scripts/dangerzone
+uv run ./dev_scripts/dangerzone
 ```
 Create a .deb:
 ```sh
-./install/linux/build-deb.py
+uv run ./install/linux/build-deb.py
 ```
 ## Fedora
@ -127,7 +122,7 @@ Create a .deb:
 Install dependencies:
 ```sh
-sudo dnf install -y rpm-build podman python3 python3-devel python3-poetry-core \
+sudo dnf install -y rpm-build podman python3 python3-devel python3-uv \
    pipx qt6-qtbase-gui
 ```
--- a/QA.md
+++ b/QA.md
@ -16,14 +16,14 @@ It can run the tasks for you, pausing when it needs manual intervention.
 You can run it with a command like:
 ```bash
-poetry run ./dev_scripts/qa.py {distro}-{version}
+uv run ./dev_scripts/qa.py {distro}-{version}
 ```
 ### The checklist
 - [ ] Create a test build in Windows and make sure it works:
  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with uv.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -32,7 +32,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in macOS (Intel CPU) and make sure it works:
  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with uv.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -41,7 +41,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in macOS (M1/2 CPU) and make sure it works:
  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with uv.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -50,7 +50,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in the most recent Ubuntu LTS platform (Ubuntu 24.04
  as of writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with uv.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -59,7 +59,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in the most recent Fedora platform (Fedora 41 as of
  writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with uv.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -68,7 +68,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in the most recent Qubes Fedora template (Fedora 40 as
  of writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with uv.
  - [ ] Run the Dangerzone tests.
  - [ ] Create a Qubes .rpm package and install it system-wide.
  - [ ] Ensure that the Dangerzone application appears in the "Applications"
--- a/RELEASE.md
+++ b/RELEASE.md
@ -7,9 +7,9 @@ This section documents how we currently release Dangerzone for the different dis
 Here is a list of tasks that should be done before issuing the release:
 - [ ] Create a new issue named **QA and Release for version \<VERSION\>**, to track the general progress.
-      You can generate its content with the the `poetry run ./dev_scripts/generate-release-tasks.py` command.
+      You can generate its content with the the `uv run ./dev_scripts/generate-release-tasks.py` command.
 - [ ] [Add new Linux platforms and remove obsolete ones](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#add-new-platforms-and-remove-obsolete-ones)
- [ ] Bump the Python dependencies using `poetry lock`
+- [ ] Bump the Python dependencies using `uv lock`
 - [ ] Update `version` in `pyproject.toml`
 - [ ] Update `share/version.txt`
 - [ ] Update the "Version" field in `install/linux/dangerzone.spec`
@ -112,11 +112,8 @@ Here is what you need to do:
  ```bash
  # In case of a new Python installation or minor version upgrade, e.g., from
-  # 3.11 to 3.12, reinstall Poetry
+  # 3.11 to 3.12, reinstall uv
-  python3 -m pip install poetry
+  python3 -m pip install uv
  # You can verify the correct Python version is used
  poetry debug info
  # Replace with the actual version
  export DZ_VERSION=$(cat share/version.txt)
@ -127,18 +124,15 @@ Here is what you need to do:
  # Clean the git repository
  git clean -df
  # Clean up the environment
  poetry env remove --all
  # Install the dependencies
-  poetry install --sync
+  uv sync
  ```
 - [ ] Build the container image and the OCR language data
  ```bash
-  poetry run ./install/common/build-image.py
+  uv run ./install/common/build-image.py
-  poetry run ./install/common/download-tessdata.py
+  uv run ./install/common/download-tessdata.py
  # Copy the container image to the assets folder
  cp share/container.tar.gz ~dz/release-assets/$VERSION/dangerzone-$VERSION-arm64.tar.gz
@ -148,7 +142,7 @@ Here is what you need to do:
 - [ ] Build the app bundle
  ```bash
-  poetry run ./install/macos/build-app.py
+  uv run ./install/macos/build-app.py
  ```
 - [ ] Sign the application bundle, and notarize it
@ -161,7 +155,7 @@ Here is what you need to do:
  ```bash
  # Sign the .App and make it a .dmg
-  poetry run ./install/macos/build-app.py --only-codesign
+  uv run ./install/macos/build-app.py --only-codesign
  # Notarize it. You must run this command from the MacOS UI
  # from a terminal application.
@ -194,11 +188,11 @@ The Windows release is performed in a Windows 11 virtual machine (as opposed to
 - [ ] Checkout the dependencies, and clean your local copy:
  ```bash
  # In case of a new Python installation or minor version upgrade, e.g., from
-  # 3.11 to 3.12, reinstall Poetry
+  # 3.11 to 3.12, reinstall uv
-  python3 -m pip install poetry
+  python3 -m pip install uv
  # You can verify the correct Python version is used
-  poetry debug info
+  uv debug info
  # Replace with the actual version
  export DZ_VERSION=$(cat share/version.txt)
@ -210,16 +204,16 @@ The Windows release is performed in a Windows 11 virtual machine (as opposed to
  git clean -df
  # Clean up the environment
-  poetry env remove --all
+  uv env remove --all
  # Install the dependencies
-  poetry install --sync
+  uv install --sync
  ```
 - [ ] Copy the container image into the VM
  > [!IMPORTANT]
  > Instead of running `python .\install\windows\build-image.py` in the VM, run the build image script on the host (making sure to build for `linux/amd64`). Copy `share/container.tar.gz` and `share/image-id.txt` from the host into the `share` folder in the VM.
- [ ] Run `poetry run .\install\windows\build-app.bat`
+- [ ] Run `uv run .\install\windows\build-app.bat`
 - [ ] When you're done you will have `dist\Dangerzone.msi`
 Rename `Dangerzone.msi` to `Dangerzone-$VERSION.msi`.
@ -253,7 +247,7 @@ or create your own locally with:
 ./dev_scripts/env.py --distro debian --version bookworm run --dev bash
 # Build the latest container
-./dev_scripts/env.py --distro debian --version bookworm run --dev bash -c "cd dangerzone && poetry run ./install/common/build-image.py"
+./dev_scripts/env.py --distro debian --version bookworm run --dev bash -c "cd dangerzone && uv run ./install/common/build-image.py"
 # Create a .deb
 ./dev_scripts/env.py --distro debian --version bookworm run --dev bash -c "cd dangerzone && ./install/linux/build-deb.py"
@ -277,7 +271,7 @@ or create your own locally with:
 ./dev_scripts/env.py --distro fedora --version 41 build-dev
 # Build the latest container (skip if already built):
-./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && poetry run ./install/common/build-image.py"
+./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && uv run ./install/common/build-image.py"
 # Create a .rpm:
 ./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && ./install/linux/build-rpm.py"
--- a/dev_scripts/dangerzone-cli.bat
+++ b/dev_scripts/dangerzone-cli.bat
@ -1,2 +1,2 @@
 set DANGERZONE_MODE=cli
-poetry run python .\dev_scripts\dangerzone %*
+uv run python .\dev_scripts\dangerzone %*
--- a/dev_scripts/dangerzone.bat
+++ b/dev_scripts/dangerzone.bat
@ -1,2 +1,2 @@
 set DANGERZONE_MODE=gui
-poetry run python .\dev_scripts\dangerzone %*
+uv run python .\dev_scripts\dangerzone %*
--- a/dev_scripts/env.py
+++ b/dev_scripts/env.py
@ -53,7 +53,7 @@ Run Dangerzone in the development environment:
    env.py --distro ubuntu --version 22.04 run --dev bash
    user@dangerzone-dev:~$ cd dangerzone/
-    user@dangerzone-dev:~$ poetry run ./dev_scripts/dangerzone
+    user@dangerzone-dev:~$ uv run ./dev_scripts/dangerzone
 Run Dangerzone in the end-user environment:
--- a/dev_scripts/qa.py
+++ b/dev_scripts/qa.py
@ -35,14 +35,14 @@ It can run the tasks for you, pausing when it needs manual intervention.
 You can run it with a command like:
 ```bash
-poetry run ./dev_scripts/qa.py {distro}-{version}
+uv run ./dev_scripts/qa.py {distro}-{version}
 ```
 ### The checklist
 - [ ] Create a test build in Windows and make sure it works:
  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with uv.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -51,7 +51,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in macOS (Intel CPU) and make sure it works:
  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with `uv`.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -60,7 +60,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in macOS (M1/2 CPU) and make sure it works:
  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with `uv`.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -69,7 +69,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in the most recent Ubuntu LTS platform (Ubuntu 24.04
  as of writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with `uv`.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -78,7 +78,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in the most recent Fedora platform (Fedora 41 as of
  writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with `uv`.
  - [ ] Build the container image and ensure the development environment uses
    the new image.
  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
@ -87,7 +87,7 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
 - [ ] Create a test build in the most recent Qubes Fedora template (Fedora 40 as
  of writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
+  - [ ] Create a new development environment with `uv`.
  - [ ] Run the Dangerzone tests.
  - [ ] Create a Qubes .rpm package and install it system-wide.
  - [ ] Ensure that the Dangerzone application appears in the "Applications"
@ -267,7 +267,7 @@ Install dependencies:
  sudo apt install -y python3.9
  ```
-  Poetry will automatically pick up the correct version when running.
+  `uv` will automatically pick up the correct version when running.
 </details>
    </td>
  </tr>
@ -279,17 +279,17 @@ sudo apt install -y podman dh-python build-essential make libqt6gui6 \
    pipx python3 python3-dev
 ```
-Install Poetry using `pipx` (recommended) and add it to your `$PATH`:
+Install `uv` using `pipx` (recommended) and add it to your `$PATH`:
 _(See also a list of [alternative installation
-methods](https://python-poetry.org/docs/#installation))_
+methods](https://python-`uv`.org/docs/#installation))_
 ```sh
 pipx ensurepath
-pipx install poetry
+pipx install `uv`
 ```
-After this, restart the terminal window, for the `poetry` command to be in your
+After this, restart the terminal window, for the ``uv command to be in your
 `$PATH`.
@ -299,13 +299,13 @@ Clone this repository:
 git clone https://github.com/freedomofpress/dangerzone/
 ```
-Change to the `dangerzone` folder, and install the poetry dependencies:
+Change to the `dangerzone` folder, and install the `uv` dependencies:
-> **Note**: due to an issue with [poetry](https://github.com/python-poetry/poetry/issues/1917), if it prompts for your keyring, disable the keyring with `keyring --disable` and run the command again.
+> **Note**: due to an issue with [`uv`](https://github.com/python-`uv`/`uv`/issues/1917), if it prompts for your keyring, disable the keyring with `keyring --disable` and run the command again.
 ```
 cd dangerzone
-poetry install
+`uv` install
 ```
 Build the latest container:
@ -324,7 +324,7 @@ Run from source tree:
 ```sh
 # start a shell in the virtual environment
-poetry shell
+`uv` shell
 # run the CLI
 ./dev_scripts/dangerzone-cli --help
@ -345,7 +345,7 @@ CONTENT_BUILD_FEDORA = r"""## Fedora
 Install dependencies:
 ```sh
-sudo dnf install -y rpm-build podman python3 python3-devel python3-poetry-core \
+sudo dnf install -y rpm-build podman python3 python3-devel python3-`uv`-core \
    pipx qt6-qtbase-gui
 ```
@ -365,16 +365,16 @@ sudo dnf install -y rpm-build podman python3 python3-devel python3-poetry-core \
  sudo dnf install -y python3.12
  ```
-  Poetry will automatically pick up the correct version when running.
+  `uv` will automatically pick up the correct version when running.
 </details>
    </td>
  </tr>
 </table>
-Install Poetry using `pipx`:
+Install `uv` using `pipx`:
 ```sh
-pipx install poetry
+pipx install `uv`
 ```
 Clone this repository:
@ -383,13 +383,13 @@ Clone this repository:
 git clone https://github.com/freedomofpress/dangerzone/
 ```
-Change to the `dangerzone` folder, and install the poetry dependencies:
+Change to the `dangerzone` folder, and install the `uv` dependencies:
-> **Note**: due to an issue with [poetry](https://github.com/python-poetry/poetry/issues/1917), if it prompts for your keyring, disable the keyring with `keyring --disable` and run the command again.
+> **Note**: due to an issue with [`uv`](https://github.com/python-`uv`/`uv`/issues/1917), if it prompts for your keyring, disable the keyring with `keyring --disable` and run the command again.
 ```
 cd dangerzone
-poetry install
+`uv` install
 ```
 Build the latest container:
@ -408,7 +408,7 @@ Run from source tree:
 ```sh
 # start a shell in the virtual environment
-poetry shell
+`uv` shell
 # run the CLI
 ./dev_scripts/dangerzone-cli --help
@ -437,10 +437,10 @@ Install the latest version of Python 3.12 (64-bit) [from python.org](https://www
 Install Microsoft Visual C++ 14.0 or greater. Get it with ["Microsoft C++ Build Tools"](https://visualstudio.microsoft.com/visual-cpp-build-tools/) and make sure to select "Desktop development with C++" when installing.
-Install [poetry](https://python-poetry.org/). Open PowerShell, and run:
+Install [`uv`](https://python-`uv`.org/). Open PowerShell, and run:
 ```
-python -m pip install poetry
+python -m pip install `uv`
 ```
 Install git from [here](https://git-scm.com/download/win), open a Windows terminal (`cmd.exe`) and clone this repository:
@ -449,11 +449,11 @@ Install git from [here](https://git-scm.com/download/win), open a Windows termin
 git clone https://github.com/freedomofpress/dangerzone/
 ```
-Change to the `dangerzone` folder, and install the poetry dependencies:
+Change to the `dangerzone` folder, and install the `uv` dependencies:
 ```
 cd dangerzone
-poetry install
+`uv` install
 ```
 Build the dangerzone container image:
@ -472,7 +472,7 @@ After that you can launch dangerzone during development with:
 ```
 # start a shell in the virtual environment
-poetry shell
+`uv` shell
 # run the CLI
 .\dev_scripts\dangerzone-cli.bat --help
@ -875,11 +875,11 @@ class QAWindows(QABase):
            logger.info("Verified that Docker Desktop is installed and running")
    @QABase.task(
-        "Install Poetry and the project's dependencies", ref=REF_BUILD, auto=True
+        "Install `uv` and the project's dependencies", ref=REF_BUILD, auto=True
    )
-    def install_poetry(self):
+    def install_`uv`(self):
-        self.run("python", "-m", "pip", "install", "poetry")
+        self.run("python", "-m", "pip", "install", "`uv`")
-        self.run("poetry", "install", "--sync")
+        self.run("`uv`", "install", "--sync")
    @QABase.task("Build Dangerzone container image", ref=REF_BUILD, auto=True)
    def build_image(self):
@ -889,12 +889,12 @@ class QAWindows(QABase):
    def run_tests(self):
        # NOTE: Windows does not have Makefile by default.
        self.run(
-            "poetry", "run", "pytest", "-v", "--ignore", r"tests\test_large_set.py"
+            "`uv`", "run", "pytest", "-v", "--ignore", r"tests\test_large_set.py"
        )
    @QABase.task("Build Dangerzone .exe", ref="REF_BUILD", auto=True)
    def build_dangerzone_exe(self):
-        self.run("poetry", "run", "python", r".\setup-windows.py", "build")
+        self.run("`uv`", "run", "python", r".\setup-windows.py", "build")
    @classmethod
    def get_id(cls):
@ -903,7 +903,7 @@ class QAWindows(QABase):
    def start(self):
        self.install_python()
        self.install_docker()
-        self.install_poetry()
+        self.install_`uv`()
        self.build_image()
        self.download_tessdata()
        self.run_tests()
@ -935,9 +935,9 @@ class QALinux(QABase):
        args_str = " ".join(args)
        self.container_run("bash", "-c", f"cd dangerzone; {args_str}")
-    def poetry_run(self, *args):
+    def `uv`_run(self, *args):
-        """Run a command via Poetry inside a Dangerzone environment."""
+        """Run a command via `uv` inside a Dangerzone environment."""
-        self.shell_run("poetry", "run", *args)
+        self.shell_run("`uv`", "run", *args)
    @QABase.task(
        "Create Dangerzone build environment",
@ -964,7 +964,7 @@ class QALinux(QABase):
    @QABase.task("Run tests", ref="REF_BUILD", auto=True)
    def run_tests(self):
-        self.poetry_run("make", "test")
+        self.`uv`_run("make", "test")
    def build_package(self):
        """Build the Dangerzone .deb/.rpm package"""
--- a/dev_scripts/verify-attestation.sh
+++ b/dev_scripts/verify-attestation.sh
@ -0,0 +1,19 @@
 # First, login to the container registry.
 # (We only need this because images are not publicly available yet)
 # Enter "USERNAME" instead of your username
 # and use your PAT as a password
 # regctl registry login ghcr.io
 # Get the manifest from the latest tag
 regctl manifest get --format raw-body ghcr.io/freedomofpress/dangerzone/dangerzone:latest > manifest.json
 # The attestation for this manifest hash is available
 # at the tag named "sha256-sha256(manifest.json)"
 DIGEST="sha256-$(sha256sum manifest.json | awk '{ print $1 }')"
 regctl artifact get ghcr.io/freedomofpress/dangerzone/dangerzone:${DIGEST} > bundle.json
 # Finally verify that the attestation is the right one
 cosign verify-blob-attestation --bundle bundle.json --new-bundle-format\
       --certificate-oidc-issuer="https://token.actions.githubusercontent.com"\
       --certificate-identity-regexp="^https://github.com/freedomofpress/dangerzone/.github/workflows/release-container-image.yml@refs/heads/test/image-publication-cosign"\
       manifest.json
--- a/dodo.py
+++ b/dodo.py
@ -63,7 +63,7 @@ TESSDATA_TARGETS = list_language_data()
 IMAGE_DEPS = [
    "Dockerfile",
-    "poetry.lock",
+    "uv.lock",
    *list_files("dangerzone/conversion"),
    "dangerzone/gvisor_wrapper/entrypoint.py",
    "install/common/build-image.py",
@ -76,7 +76,7 @@ SOURCE_DEPS = [
    *list_files("dangerzone", recursive=True),
 ]
-PYTHON_DEPS = ["poetry.lock", "pyproject.toml"]
+PYTHON_DEPS = ["uv.lock", "pyproject.toml"]
 DMG_DEPS = [
    *list_files("install/macos"),
@ -218,9 +218,9 @@ def task_build_image():
    }
-def task_poetry_install():
+def task_uv_install():
-    """Setup the Poetry environment"""
+    """Setup the uv environment"""
-    return {"actions": ["poetry install --sync"], "clean": ["poetry env remove --all"]}
+    return {"actions": ["uv sync"], "clean": ["rm -rf .venv"]}
 def task_macos_build_dmg():
@ -232,7 +232,7 @@ def task_macos_build_dmg():
    return {
        "actions": [
            (copy_dir, [".", dz_dir]),
-            f"cd {dz_dir} && poetry run install/macos/build-app.py --with-codesign",
+            f"cd {dz_dir} && uv run install/macos/build-app.py --with-codesign",
            (
                "xcrun notarytool submit --wait --apple-id %(apple_id)s"
                f" --keychain-profile dz-notarytool-release-key {dmg_src}"
@ -246,7 +246,7 @@ def task_macos_build_dmg():
        "task_dep": [
            "macos_check_system",
            "init_release_dir",
-            "poetry_install",
+            "uv_install",
            "download_tessdata",
        ],
        "targets": [dmg_src, dmg_dst],
--- a/install/common/build-image.py
+++ b/install/common/build-image.py
@ -151,7 +151,7 @@ class ContainerPipDependencies:
    def __enter__(self):
        try:
            container_requirements_txt = subprocess.check_output(
-                ["poetry", "export", "--only", "container"], universal_newlines=True
+                ["uv", "export", "--only-group", "container"], universal_newlines=True
            )
        except subprocess.CalledProcessError as e:
            print("FAILURE", e.returncode, e.output)
--- a/install/linux/build-rpm.py
+++ b/install/linux/build-rpm.py
@ -27,13 +27,13 @@ def build(build_dir, qubes=False):
    The build process is the following:
    1. Clean up any stale data from previous runs under ./dist. Note that this directory
-       is used by `poetry build` and `rpmbuild`.
+       is used by `uv build` and `rpmbuild`.
    2. Create the necessary RPM project structure under the specified build directory
       (default: ~/rpmbuild), and use symlinks to point to ./dist, so that we don't need
       to move files explicitly.
-    3. Create a Python source distribution using `poetry build`. If we are building a
+    3. Create a Python source distribution using `uv build --sdist`.
-       Qubes package and there is a container image under `share/`, stash it temporarily
+       If we are building a Qubes package and there is a container image under
-       under a different directory.
+       `share/`, stash it temporarily under a different directory.
    4. Build both binary and source RPMs using rpmbuild. Optionally, pass to the SPEC
        `_qubes` flag, that denotes we want to build a package for Qubes.
    """
@ -75,7 +75,7 @@ def build(build_dir, qubes=False):
    if stash_container and container_tar_gz.exists():
        container_tar_gz.rename(container_tar_gz_bak)
    try:
-        subprocess.run(["poetry", "build", "-f", "sdist"], cwd=root, check=True)
+        subprocess.run(["uv", "build", "--sdist"], cwd=root, check=True)
        # Copy and unlink the Dangerzone sdist, instead of just renaming it. If the
        # build directory is outside the filesystem boundary (e.g., due to a container
        # mount), then a simple rename will not work.
--- a/install/linux/dangerzone.spec
+++ b/install/linux/dangerzone.spec
@ -11,7 +11,7 @@
 #
 # 1. It expects a `dangerzone-<version>.tar.gz` package under SOURCES. It is
 #    best not to invoke `tar` yourself, but create a Python source distribution
-#    instead, via `poetry build`.
+#    instead, via `uv build --sdist`.
 # 2. It detects the `_qubes` parameter. If 1, it will build a package
 #    tailored for installation in Qubes environments. Else, it will build a
 #    regular RPM package. The key differences between these packages are that:
@ -41,7 +41,7 @@ URL:            https://dangerzone.rocks
 # XXX: rpmbuild attempts to find a tarball in SOURCES using the basename in the
 # Source0 url. In our case, GitHub uses `v<version>.tar.gz`. However, the name
-# of the source distribution that `poetry build` creates is
+# of the source distribution that `uv build --sdist` creates is
 # `dangerzone-<version>.tar.gz`, so rpmbuild cannot find it.
 #
 # Taking a hint from SecureDrop Workstation, we can fix this by adding an
--- a/install/linux/vendor-pymupdf.py
+++ b/install/linux/vendor-pymupdf.py
@ -28,14 +28,14 @@ def main():
    )
    logger.info("Getting PyMuPDF deps as requirements.txt")
-    cmd = ["poetry", "export", "--only", "container"]
+    cmd = ["uv", "export", "--only-group", "container"]
    container_requirements_txt = subprocess.check_output(cmd)
    # XXX: Hack for Ubuntu Focal.
    #
    # The `requirements.txt` file is generated from our `pyproject.toml` file, and thus
    # specifies that the minimum Python version is 3.9. This was to accommodate to
-    # PySide6, which is installed in macOS / Windows via `poetry` and works with Python
+    # PySide6, which is installed in macOS / Windows via `uv` and works with Python
    # 3.9+. [1]
    #
    # The Python version in Ubuntu Focal though is 3.8. This generally was not much of
--- a/poetry.lock
+++ b/poetry.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,71 +1,70 @@
-[tool.poetry]
+[project]
 requires-python = ">=3.9,<3.13"
 name = "dangerzone"
 version = "0.8.0"
 description = "Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs"
-authors = ["Freedom of the Press Foundation <info@freedom.press>", "Micah Lee <micah.lee@theintercept.com>"]
+authors = [
-license = "AGPL-3.0"
+    { name = "Freedom of the Press Foundation", email = "info@freedom.press" },
-# NOTE: See also https://github.com/freedomofpress/dangerzone/issues/677
+    { name = "Micah Lee", email = "micah.lee@theintercept.com" }, ]
-include = [
+license = { text = "AGPL-3.0"}
-    { path = "share/*", format = "sdist" },
+
-    { path = "qubes/*", format = "sdist" },
+dependencies = [
-    { path = "install/linux/press.freedom.dangerzone.*", format = "sdist" },
+    "appdirs",
-    { path = "README.md", format = "sdist" },
+    "click",
    "colorama",
    "markdown",
    "packaging",
    "pymupdf (>=1.23.3, <1.24.0)", # The version in Fedora 39
    "pyside6 (>=6.7.1, < 6.8)",
    "pyxdg; sys_platform == 'linux'",
    "requests",]
 [dependency-groups]
 # Dependencies installed inside the container
 container = [
    "pymupdf",
    ]
 # Dependencies required only for development
 dev = [
    "httpx",
 ]
-[tool.poetry.dependencies]
+# Dependencies required for linting the code.
-python = ">=3.9,<3.13"
+lint = [
-click = "*"
+    "mypy",
-appdirs = "*"
+    "types-colorama",
-PySide6 = "^6.7.1"
+    "types-pyside2",
-PyMuPDF = "^1.23.3"  # The version in Fedora 39
+    "types-markdown",
-colorama = "*"
+    "types-pygments",
-pyxdg = {version = "*", platform = "linux"}
+    "types-requests",
-requests = "*"
+    "ruff",
-markdown = "*"
+]
 packaging = "*"
 [tool.poetry.scripts]
 dangerzone = 'dangerzone:main'
 dangerzone-cli = 'dangerzone:main'
 # Dependencies required for packaging the code on various platforms.
-[tool.poetry.group.package.dependencies]
+package = [
-setuptools = "*"
+    "setuptools",
-cx_freeze = {version = "^7.2.5", platform = "win32"}
+    "cx-freeze",
-pywin32 = {version = "*", platform = "win32"}
+    "pywin32",
-pyinstaller = {version = "*", platform = "darwin"}
+    "pyinstaller",
-doit = "^0.36.0"
+    "doit",
-
+]
 # Dependencies required for linting the code.
 [tool.poetry.group.lint.dependencies]
 black = "*"
 isort = "*"
 mypy = "*"
 types-PySide2 = "*"
 types-Markdown = "*"
 types-requests = "*"
 [project.optional-dependencies]
 # Dependencies required for testing the code.
-[tool.poetry.group.test.dependencies]
+test = [
-pytest = "^7.1.2"
+    "pytest",
-pytest-mock = "^3.10.0"
+    "pytest-cov",
-pytest-qt = "^4.2.0"
+    "pytest-mock",
-pytest-cov = "^5.0.0"
+    "pytest-qt",
-strip-ansi = "*"
+    "pytest-rerunfailures",
-pytest-subprocess = "^1.5.2"
+    "pytest-subprocess",
-pytest-rerunfailures = "^14.0"
+    "strip-ansi",
 ]
-[tool.poetry.group.container.dependencies]
+[project.scripts]
-pymupdf = "1.24.11" # Last version to support python 3.8 (needed for Ubuntu Focal support)
+dangerzone = 'dangerzone:main'
-
+dangerzone-cli = 'dangerzone:main'
 [tool.poetry.group.dev.dependencies]
 httpx = "^0.27.2"
 [tool.isort]
 profile = "black"
 skip_gitignore = true
 # This is necessary due to https://github.com/PyCQA/isort/issues/1835
 follow_links = false
 [tool.doit]
 verbosity = 3
@ -75,6 +74,27 @@ verbosity = 3
 # images that are a few days behind. See also: docs/developer/doit.md
 use_cache = false
 [tool.ruff.lint]
 select = [
    # isort
    "I",
 ]
 [tool.hatch.build.targets.wheel]
 packages = [
     "dangerzone",
 ]
 [tool.hatch.build.targets.sdist]
 include = [
     "dangerzone/*",
     "share/*",
     "qubes/*",
     "install/linux/press.freedom.dangerzone.*",
     "README.md",
 ]
 [build-system]
-requires = ["poetry-core>=1.2.0"]
+requires = ["hatchling"]
-build-backend = "poetry.core.masonry.api"
+build-backend = "hatchling.build"
--- a/uv.lock
+++ b/uv.lock
`@ -1,2 +1,2 @@`
	`set DANGERZONE_MODE=cli`	`set DANGERZONE_MODE=cli`
	`poetry run python .\dev_scripts\dangerzone %*`	`uv run python .\dev_scripts\dangerzone %*`
`@ -1,2 +1,2 @@`
	`set DANGERZONE_MODE=gui`	`set DANGERZONE_MODE=gui`
	`poetry run python .\dev_scripts\dangerzone %*`	`uv run python .\dev_scripts\dangerzone %*`