Update Dockerfile.rocky9

Elaborate and polish comment about the choice of paramiko and bcrypt version in pip installation.

Signed-off-by: Jonas Bardino <bardino@science.ku.dk>

Author: jonasbardino

Dockerfile.rocky9

@@ -768,10 +768,19 @@ RUN if [ "${UPGRADE_PARAMIKO}" = "True" ]; then \
         #            dependencies specifically into /usr instead.
         #pip3 install -U setuptools; \
         #pip3 install setuptools_rust; \
-        # Additional NOTE: paramiko version 3.0.0 introduces several changes that in particular improves the SFTP download performance.
-        # At the time of writing, the upcoming rhel10 epel uses 3.5, which we use as a version floor for which to use.
-        # However, bcrypt version 4 and above has shown to produce import errors in mod_wsgi caused by the usage of sub-interpreters
-        # as highlighted at https://github.com/PyO3/pyo3/blob/main/guide/src/migration.md#each-pymodule-can-now-only-be-initialized-once-per-process
+        # Additional NOTE: paramiko version 3.x introduces several changes
+        # that in particular improve the SFTP download performance.
+        # At the time of writing, the RHEL/Rocky 10 EPEL repo provides 3.5,
+        # which we use as a version baseline to mimic.
+        # However, combining that with recent bcrypt versions in the 4.x
+        # series leads to import errors in mod_wsgi caused by the usage of
+        # sub-interpreters as highlighted at
+        # https://github.com/PyO3/pyo3/blob/main/guide/src/migration.md#each-pymodule-can-now-only-be-initialized-once-per-process
+        # with further explanation at
+        # https://bugzilla.redhat.com/show_bug.cgi?id=2255688 and
+        # https://github.com/PyO3/pyo3/issues/3451
+        # So we explicitly cap the bcrypt version to the latest 3.2 one,
+        # which coincides with the default Rocky version, btw.
         pip3 install --prefix=$(python3-config --prefix) 'paramiko>=3.5' 'bcrypt<4'; \
       fi; \
     fi;