The Dependency You Forgot You Had

On April 10, my football analysis application stopped fetching match statistics. No code had changed. The scraper had worked for months. The only thing different was the environment — I had migrated from Windows to Ubuntu.

The error, when I tracked it down, was this:

ModuleNotFoundError: No module named 'curl_cffi'

curl_cffi is not a standard package. It provides browser impersonation via libcurl — specifically, the ability to mimic a real browser's TLS fingerprint well enough to pass the bot detection used by many sports data providers. Without it, automated requests are identified and blocked. The stats stop populating.

The package had been installed in my Windows virtual environment. When I recreated the venv on Ubuntu, it was not there. Nothing failed on startup — the venv created successfully, the application launched, and everything appeared normal until something actually tried to fetch data from the statistics endpoint.

The fix was two lines:

pip install curl-cffi

# requirements.txt
curl_cffi>=0.7

The venv structure did not change. The scraper code did not change. One package — installed manually months earlier, never recorded in requirements.txt — was the entire problem.

What France is about to discover

On 8 April 2026, the French government announced a mandate to migrate approximately 2.5 million civil servant workstations from Windows to Linux. Every ministry must submit a detailed migration roadmap by autumn 2026. The state's digital agency, DINUM, begins the transition immediately as the testing ground.

The reasoning is sound. Open-source software is auditable. The National Cybersecurity Agency, ANSSI, can inspect and modify it directly. The Gendarmerie has been running its own Ubuntu-based distribution — GendBuntu — across 100,000 machines since 2008, saving an estimated €2 million annually in licensing fees. France is not starting from zero.

But the OS is not where migrations break.

They break on a Python package installed manually two years ago by someone who has since left. On a font renderer that behaves differently on X11 than on GDI. On a Windows path separator buried three layers deep in a config file. On a dependency with no direct Linux equivalent. On tooling that worked reliably for years precisely because no one had ever moved it.

France's overhaul extends beyond the desktop. Microsoft Teams and Zoom are being replaced by the French-built Visio platform. Google Drive is being phased out in favour of a national suite — La Suite — built on local alternatives. Each of those transitions carries its own layer of hidden dependencies: integrations, file format assumptions, authentication flows, behaviours that only surface when the underlying platform changes.

The lesson from two lines of code

The fix took five minutes once I understood the problem. The problem itself took days to surface — not because anything announced itself broken, but because the failure was silent. The application ran. The pipeline completed. The stats just stopped appearing.

That is the real migration risk. Not the loud failures. The silent ones — the processes that continue to look operational until someone checks the output and realises nothing has updated since the cutover date.

requirements.txt exists to prevent exactly this. It is not a list of what you intend to install. It is a record of what you actually built on. The difference only becomes visible when you move.

France's migration roadmaps — due this autumn — will be inventories of what each ministry believes it runs. The accurate version of that list is only produced one way: move the workload, and watch what breaks.