diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
index 268b0c87f6..184ffe9b68 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
@@ -105,8 +105,10 @@
   args:
     chdir: "{{ securedrop_app_code_deb_dir }}"
   environment:
+    DH_PIP_EXTRA_ARGS: "--verbose --ignore-installed --no-deps --no-binary=:all: --no-cache-dir"
+    DH_UPGRADE_SETUPTOOLS: "46.0.0"
+    DH_VIRTUALENV_ARGUMENTS: "--python=/usr/bin/python3.5 --setuptools"
     DH_VIRTUALENV_INSTALL_ROOT: "/opt/venvs"
-    SETUPTOOLS_USE_DISTUTILS: "stdlib"
 
 - name: Find newly built Debian package
   find:
diff --git a/install_files/securedrop-app-code/debian/rules b/install_files/securedrop-app-code/debian/rules
index 468e18b944..a2348a3d9c 100755
--- a/install_files/securedrop-app-code/debian/rules
+++ b/install_files/securedrop-app-code/debian/rules
@@ -5,7 +5,7 @@ DEB_DH_INSTALL_ARGS=-X .git
 SECUREDROP_BUILD_PLATFORM=$(shell lsb_release -sc)
 
 %:
-	dh $@ --with python-virtualenv --with systemd
+	dh $@ --buildsystem=dh_virtualenv --with systemd
 
 override_dh_gencontrol:
 	dh_gencontrol -- $(SUBSTVARS)
@@ -24,16 +24,6 @@ override_dh_strip_nondeterminism:
 	find -type f -name RECORD -exec sed -i -e '/.*\.pyc.*/d' {} +
 	dh_strip_nondeterminism $@
 
-override_dh_virtualenv:
-	dh_virtualenv \
-		--python=/usr/bin/python3.5 \
-		--setuptools \
-		--extra-pip-arg "--verbose" \
-		--extra-pip-arg "--ignore-installed" \
-		--extra-pip-arg "--no-deps" \
-		--extra-pip-arg "--no-binary=:all:" \
-		--extra-pip-arg "--no-cache-dir"
-
 #
 # Have to override the automatic service handling since we have more
 # than one.
diff --git a/molecule/builder-xenial/Dockerfile b/molecule/builder-xenial/Dockerfile
index 13256c8066..9c438bb41e 100644
--- a/molecule/builder-xenial/Dockerfile
+++ b/molecule/builder-xenial/Dockerfile
@@ -13,7 +13,6 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         devscripts \
         dh-python \
         dh-systemd \
-        dh-virtualenv \
         gdb \
         git \
         gnupg2 \
@@ -36,4 +35,11 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         && apt-get clean \
         && rm -rf /var/lib/apt/lists/*
 
+#install dh-virtualenv from debian unstable
+RUN echo "deb https://deb.debian.org/debian unstable main contrib" > /etc/apt/sources.list.d/debian-unstable.list
+COPY aptpreferences.conf /etc/apt/preferences.d/debian-unstable
+RUN apt-get install -y debian-archive-keyring
+RUN ln -s /usr/share/keyrings/debian-archive-keyring.gpg /etc/apt/trusted.gpg.d/
+RUN apt-get update && apt-get install -y dh-virtualenv
+
 RUN paxctl -cm /usr/bin/python3.5 && mkdir -p /tmp/build
diff --git a/molecule/builder-xenial/aptpreferences.conf b/molecule/builder-xenial/aptpreferences.conf
new file mode 100644
index 0000000000..a041f3b002
--- /dev/null
+++ b/molecule/builder-xenial/aptpreferences.conf
@@ -0,0 +1,7 @@
+Package: *
+Pin: release a=xenial
+Pin-Priority: 700
+
+Package: *
+Pin: release a=unstable
+Pin-Priority: 1