Stop compiling Python using --with-system-expat

The upstream Python test suite (which gets run when compiling with PGO
enabled) fails with the `libexpat` in Ubuntu 22.04.

In #1661 previously added what I hoped would be a temporarily workaround
until the failures were fixed upstream, however, the Python maintainers
say they don't guarantee compatibility with distro `expat`, and that
it's up to us to test for compatibility and patch if we want to use the
distro version. However, this isn't viable given that we're neither a
Linux distro maintainer, a CPython maintainer or an expat maintainer.

Instead, like the upstream Docker Hub Python images, we will switch the
`expat` bundled within the CPython sources, which is actually what the
upstream CPython project tests in its CI. This means users won't get
security updates for free via the base image, and will instead need to
update their Python patch versions instead as newer versions are
vendored in CPython. However, this is the least worst alternative for
now.

I'm doing this now, since otherwise I'll need to generate another patch
series for the soon to be released Python 3.14.

For more details, see:
python/cpython#125067 (comment)

GUS-W-17414073.

Author: edmorley

builds/Dockerfile

@@ -17,4 +17,4 @@ RUN apt-get update --error-on=any \
 COPY --from=cosign /ko-app/cosign /usr/local/bin/cosign
 
 WORKDIR /tmp
-COPY build_python_runtime.sh python-3.13-ubuntu-22.04-libexpat-workaround.patch .
+COPY build_python_runtime.sh .

builds/build_python_runtime.sh

@@ -83,17 +83,11 @@ cosign verify-blob \
 tar --extract --file python.tgz --strip-components=1 --directory "${SRC_DIR}"
 cd "${SRC_DIR}"
 
-# Work around PGO profile test failures with Python 3.13 on Ubuntu 22.04, due to the tests
-# checking the raw libexpat version which doesn't account for Ubuntu backports:
-# https://github.com/heroku/heroku-buildpack-python/pull/1661#issuecomment-2405259352
-# https://github.com/python/cpython/issues/125067
-if [[ "${PYTHON_MAJOR_VERSION}" == "3.13" && "${STACK}" == "heroku-22" ]]; then
-	patch -p1 </tmp/python-3.13-ubuntu-22.04-libexpat-workaround.patch
-fi
-
 # Aim to keep this roughly consistent with the options used in the Python Docker images,
 # for maximum compatibility / most battle-tested build configuration:
 # https://github.com/docker-library/python
+# We don't use `--with-system-expat` due to:
+# https://github.com/python/cpython/issues/125067#issuecomment-2517445480
 CONFIGURE_OPTS=(
 	# Explicitly set the target architecture rather than auto-detecting based on the host CPU.
 	# This only affects targets like i386 (for which we don't build), but we pass it anyway for
@@ -110,9 +104,6 @@ CONFIGURE_OPTS=(
 	# Skip running `ensurepip` as part of install, since the buildpack installs a curated
 	# version of pip itself (which ensures it's consistent across Python patch releases).
 	"--with-ensurepip=no"
-	# Build the `pyexpat` module using the `expat` library in the base image (which will
-	# automatically receive security updates), rather than CPython's vendored version.
-	"--with-system-expat"
 )
 
 if [[ "${PYTHON_MAJOR_VERSION}" != +(3.9) ]]; then