From f160fe8aecf3ef7094b39b0eebf51de5eb819eb8 Mon Sep 17 00:00:00 2001
From: John Hensley <john@freedom.press>
Date: Fri, 4 Sep 2020 12:21:37 -0400
Subject: [PATCH 1/8] Revert to old dh-virtualenv, use built-in venv module

This takes another run at controlling setuptools: instead of
installing a newer version of dh-virtualenv from Debian unstable for
its ability to specify the setuptools version via the alternative
build system, use it as before but with the Python 3 venv module,
which will use the local version of setuptools that's already present,
then replace that in the final package with the version pinned in the
securedrop-app-code requirements.
---
 .../tasks/main.yml                                |  3 ---
 install_files/securedrop-app-code/debian/rules    | 11 ++++++++++-
 molecule/builder-xenial/Dockerfile                | 15 ++++-----------
 .../tests/test_build_dependencies.py              |  8 ++------
 4 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
index c1a5ba7f37..7e17ed787d 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
@@ -117,9 +117,6 @@
   args:
     chdir: "{{ securedrop_app_code_deb_dir }}"
   environment:
-    DH_PIP_EXTRA_ARGS: "--verbose --ignore-installed --no-deps --no-binary=:all: --no-cache-dir"
-    DH_UPGRADE_SETUPTOOLS: "46.0.0"
-    DH_VIRTUALENV_ARGUMENTS: "{{  '--python=/usr/bin/python3.8 --setuptools  46.0.0' if securedrop_build_focal_support else '--python=/usr/bin/python3.5 --setuptools' }}"
     DH_VIRTUALENV_INSTALL_ROOT: "/opt/venvs"
 
 - name: Find newly built Debian package
diff --git a/install_files/securedrop-app-code/debian/rules b/install_files/securedrop-app-code/debian/rules
index a2348a3d9c..a9cc6b77a7 100755
--- a/install_files/securedrop-app-code/debian/rules
+++ b/install_files/securedrop-app-code/debian/rules
@@ -5,7 +5,7 @@ DEB_DH_INSTALL_ARGS=-X .git
 SECUREDROP_BUILD_PLATFORM=$(shell lsb_release -sc)
 
 %:
-	dh $@ --buildsystem=dh_virtualenv --with systemd
+	dh $@ --with python-virtualenv --with systemd
 
 override_dh_gencontrol:
 	dh_gencontrol -- $(SUBSTVARS)
@@ -24,6 +24,15 @@ override_dh_strip_nondeterminism:
 	find -type f -name RECORD -exec sed -i -e '/.*\.pyc.*/d' {} +
 	dh_strip_nondeterminism $@
 
+override_dh_virtualenv:
+	dh_virtualenv \
+		--python=/usr/bin/python3 \
+		--builtin-venv \
+		--extra-pip-arg "--verbose" \
+		--extra-pip-arg "--no-deps" \
+		--extra-pip-arg "--no-binary=:all:" \
+		--extra-pip-arg "--no-cache-dir"
+
 #
 # Have to override the automatic service handling since we have more
 # than one.
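Review bot: The `override_dh_virtualenv` recipe forwards `--no-deps`, `--no-binary=:all:` and `--no-cache-dir` to pip but not `--require-hashes`, so hash verification of the packaged dependencies depends on the requirements file carrying `--hash` entries (pip then switches to hash-checking mode on its own). That assumption deserves a comment above the target, such as `# pip verifies hashes only because requirements.txt carries --hash entries; --require-hashes is not passed here`. Passing the flag explicitly may not be possible if dh_virtualenv also applies these arguments when it installs the package directory itself, which is worth confirming before changing the recipe. `--python=/usr/bin/python3` also replaces the explicit 3.5/3.8 interpreter paths from the removed Ansible environment, so the interpreter now follows the builder image's default.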
diff --git a/molecule/builder-xenial/Dockerfile b/molecule/builder-xenial/Dockerfile
index 8e1d0d3917..7db27ec5e6 100644
--- a/molecule/builder-xenial/Dockerfile
+++ b/molecule/builder-xenial/Dockerfile
@@ -7,14 +7,13 @@ LABEL image_name="xenial-sd-builder-app"
 
 RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         apache2-dev \
-        apt-transport-https \
         aptitude \
         coreutils \
-        curl \
         debhelper \
         devscripts \
         dh-python \
         dh-systemd \
+        dh-virtualenv \
         gdb \
         git \
         gnupg2 \
@@ -28,20 +27,14 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         python3-all \
         python3-pip \
         python3-setuptools \
+        python3-venv \
         rsync \
         ruby \
         sqlite \
         sudo \
         tzdata \
         unzip \
-        virtualenv
-
-#install dh-virtualenv from debian unstable
-RUN curl https://ftp-master.debian.org/keys/archive-key-10.asc -o /tmp/debian-stable-archive-pubkey.asc && \
-        apt-key add /tmp/debian-stable-archive-pubkey.asc
-RUN echo "deb https://deb.debian.org/debian unstable main contrib" > /etc/apt/sources.list.d/debian-unstable.list
-COPY aptpreferences.conf /etc/apt/preferences.d/debian-unstable
-RUN apt-get update && apt-get install -y -t unstable dh-virtualenv
-RUN apt-get clean && rm -rf /var/lib/apt/lists/*
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/*
 
 RUN paxctl -cm /usr/bin/python3.5 && mkdir -p /tmp/build
diff --git a/molecule/builder-xenial/tests/test_build_dependencies.py b/molecule/builder-xenial/tests/test_build_dependencies.py
index b0db89e626..23137b6241 100644
--- a/molecule/builder-xenial/tests/test_build_dependencies.py
+++ b/molecule/builder-xenial/tests/test_build_dependencies.py
@@ -4,7 +4,7 @@
 
 SECUREDROP_TARGET_PLATFORM = os.environ.get("SECUREDROP_TARGET_PLATFORM")
 SECUREDROP_PYTHON_VERSION = os.environ.get("SECUREDROP_PYTHON_VERSION", "3.5")
-SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "1.2.1")
+SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "0.11")
 testinfra_hosts = [
         "docker://{}-sd-app".format(SECUREDROP_TARGET_PLATFORM)
 ]
@@ -55,11 +55,7 @@ def test_python_version(host):
 
 def test_dh_virtualenv(host):
     """
-    The version of dh-virtualenv in Xenial repos isn't new enough to work
-    with setuptools >= 50, so we pull it in from Debian. Confirm the expected
-    recent version of dh-virtualenv is found. Since we're tracking Debian unstable
-    for this dependency, this check will fail if unstable surprises us with a new
-    version.
+    Confirm the expected version of dh-virtualenv is found.
     """
     c = host.run("dh_virtualenv --version")
     version_string = "dh_virtualenv {}".format(SECUREDROP_DH_VIRTUALENV_VERSION)

From 812c788319b450256eb7a62586a73b0dfa164a66 Mon Sep 17 00:00:00 2001
From: John Hensley <john@freedom.press>
Date: Tue, 8 Sep 2020 14:40:36 -0400
Subject: [PATCH 2/8] Add test of virtualenv activation script construction

Makes sure that the virtualenv activation script in the
securedrop-app-code package has the right path to the virtualenv.
---
 molecule/testinfra/staging/app/test_appenv.py | 16 +++++++++++++---
 molecule/testinfra/staging/vars/staging.yml   |  4 ++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/molecule/testinfra/staging/app/test_appenv.py b/molecule/testinfra/staging/app/test_appenv.py
index 38bc253c21..2726b58bca 100644
--- a/molecule/testinfra/staging/app/test_appenv.py
+++ b/molecule/testinfra/staging/app/test_appenv.py
@@ -4,13 +4,11 @@
 testinfra_hosts = ["app-staging"]
 sdvars = pytest.securedrop_test_vars
 
-sdbin = "/opt/venvs/securedrop-app-code/bin"
-
 
 @pytest.mark.parametrize('exp_pip_pkg', sdvars.pip_deps)
 def test_app_pip_deps(host, exp_pip_pkg):
     """ Ensure pip dependencies are installed """
-    pip = host.pip_package.get_packages(pip_path=os.path.join(sdbin, "pip"))
+    pip = host.pip_package.get_packages(pip_path=os.path.join(sdvars.securedrop_venv_bin, "pip"))
     assert pip[exp_pip_pkg['name']]['version'] == exp_pip_pkg['version']
 
 
@@ -48,6 +46,18 @@ def test_app_code_pkg(host):
     assert host.package("securedrop-app-code").is_installed
 
 
+def test_app_code_venv(host):
+    """
+    Ensure the securedrop-app-code virtualenv is correct.
+    """
+    cmd = """test -z $VIRTUAL_ENV && . {}/bin/activate && test "$VIRTUAL_ENV" = "{}" """.format(
+        sdvars.securedrop_venv, sdvars.securedrop_venv
+    )
+
+    result = host.run(cmd)
+    assert result.rc == 0
+
+
 def test_supervisor_not_installed(host):
     """ ensure supervisor package is not installed """
     assert host.package("supervisor").is_installed is False
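Review bot: In `test_app_code_venv`, `$VIRTUAL_ENV` is unquoted in `test -z $VIRTUAL_ENV`, and the venv path is substituted unquoted into `. {}/bin/activate`. With the variable unset the shell runs `test -z` with no operand, which succeeds only because a lone `-z` is evaluated as a non-empty string, and a value containing whitespace would produce a shell error instead of a clean test failure. Quoting both makes the precondition explicit: `test -z "$VIRTUAL_ENV" && . "{}/bin/activate" && test "$VIRTUAL_ENV" = "{}"`. The docstring could also say that the check is on the path written into the packaged activate script, which is what the commit message describes.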
diff --git a/molecule/testinfra/staging/vars/staging.yml b/molecule/testinfra/staging/vars/staging.yml
index 2b6942ad57..825d97743b 100644
--- a/molecule/testinfra/staging/vars/staging.yml
+++ b/molecule/testinfra/staging/vars/staging.yml
@@ -12,8 +12,8 @@ wanted_apache_headers:
   - 'Header unset Etag'
 
 securedrop_venv: /opt/venvs/securedrop-app-code
-securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin"
-securedrop_venv_site_packages: "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages"
+securedrop_venv_bin: "{{ securedrop_venv }}/bin"
+securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages"
 securedrop_code: /var/www/securedrop
 securedrop_data: /var/lib/securedrop
 securedrop_user: www-data

From 84cdcd1ea09500bca41615f6c8ad7e4f43b2b664 Mon Sep 17 00:00:00 2001
From: John Hensley <john@freedom.press>
Date: Thu, 10 Sep 2020 13:21:28 -0400
Subject: [PATCH 3/8] Control setuptools version used in build container
 virtualenvs

Also create a virtualenv for translation tasks in the build container,
instead of installing all of our requirements system-wide.
---
 .../tasks/main.yml                                 | 12 ++++++------
 .../tasks/translations.yml                         | 10 +++++++++-
 molecule/builder-focal/Dockerfile                  |  1 +
 .../tests/test_build_dependencies.py               | 14 +++-----------
 .../tests/test_securedrop_deb_package.py           |  5 ++---
 5 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
index 7e17ed787d..660dfd3c2f 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
@@ -29,13 +29,13 @@
 - name: Copy requirements.txt to prep directory
   command: cp "{{ securedrop_pip_requirements }}" "{{ securedrop_app_code_prep_dir }}/requirements.txt"
 
-- include: sass.yml
-
-- name: Install SecureDrop Python requirements in container
+- name: Control the version of setuptools used in the default construction of virtual environments
   shell: |
-    pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt
-  tags:
-    - pip
+    pip3 download --require-hashes -r "{{ securedrop_app_code_prep_dir }}/requirements.txt" --dest /tmp/securedrop-app-code-requirements-download
+    rm -f /usr/share/python-wheels/setuptools-*.whl
+    mv /tmp/securedrop-app-code-requirements-download/setuptools-*.whl /usr/share/python-wheels/
+
+- include: sass.yml
 
 - include: translations.yml
 
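Review bot: The new `shell: |` block in the setuptools task runs three commands with no `set -e`, so a failed `pip3 download` does not stop `rm -f` from deleting the system setuptools wheel, and the task result comes from the final `mv` alone. Because the download directory is a fixed path under /tmp, a `setuptools-*.whl` left there by an earlier run would be moved into `/usr/share/python-wheels/` without having been hash-checked in this run. Starting the block with `set -e` and downloading into a fresh directory (for example one created with `mktemp -d`) closes both gaps; the same task is edited again in the later hunk that adds `--no-deps`. A one-line comment saying why a system wheel path is overwritten (presumably because the venv module seeds new environments from it) would help the next maintainer.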
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
index 4cbd3b4114..d01a75cf79 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
@@ -1,10 +1,18 @@
 ---
 
+- name: Install SecureDrop Python requirements in virtualenv for translation work
+  shell: |
+    python3 -m venv /tmp/securedrop-app-code-i18n-ve
+    /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt
+  tags:
+    - pip
+
 - name: Compile PO to MO.
   shell: >-
     cp config.py.example config.py ;
     trap 'rm config.py' EXIT ;
-    python3 ./i18n_tool.py --verbose translate-messages --compile
+    . /tmp/securedrop-app-code-i18n-ve/bin/activate ;
+    /tmp/securedrop-app-code-i18n-ve/bin/python3 ./i18n_tool.py --verbose translate-messages --compile
   args:
     chdir: "{{ securedrop_code_filtered }}"
   environment:
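Review bot: `python3 -m venv /tmp/securedrop-app-code-i18n-ve` reuses the directory if it already exists, so packages from an earlier run can remain alongside the hash-checked install; `python3 -m venv --clear /tmp/securedrop-app-code-i18n-ve` gives a clean environment each time. The requirements path is also unquoted here (`-r {{ securedrop_app_code_prep_dir }}/requirements.txt`) while main.yml quotes the same expression. In the compile task the commands are joined with `;`, so a failed `. /tmp/securedrop-app-code-i18n-ve/bin/activate` does not stop the run. That task's `environment` block continues outside the hunk.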
diff --git a/molecule/builder-focal/Dockerfile b/molecule/builder-focal/Dockerfile
index a75cde3029..de9b53b3fc 100644
--- a/molecule/builder-focal/Dockerfile
+++ b/molecule/builder-focal/Dockerfile
@@ -27,6 +27,7 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         python3-all \
         python3-pip \
         python3-setuptools \
+        python3-venv \
         rsync \
         ruby \
         sqlite \
diff --git a/molecule/builder-xenial/tests/test_build_dependencies.py b/molecule/builder-xenial/tests/test_build_dependencies.py
index 23137b6241..0221ebf69e 100644
--- a/molecule/builder-xenial/tests/test_build_dependencies.py
+++ b/molecule/builder-xenial/tests/test_build_dependencies.py
@@ -4,7 +4,7 @@
 
 SECUREDROP_TARGET_PLATFORM = os.environ.get("SECUREDROP_TARGET_PLATFORM")
 SECUREDROP_PYTHON_VERSION = os.environ.get("SECUREDROP_PYTHON_VERSION", "3.5")
-SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "0.11")
+
 testinfra_hosts = [
         "docker://{}-sd-app".format(SECUREDROP_TARGET_PLATFORM)
 ]
@@ -19,15 +19,6 @@ def test_sass_gem_installed(host):
     assert c.rc == 0
 
 
-def test_pip_dependencies_installed(host):
-    """
-    Ensure the development pip dependencies are installed
-    """
-    c = host.run("pip3 list installed")
-    assert "Flask-Babel" in c.stdout
-    assert c.rc == 0
-
-
 @pytest.mark.xfail(reason="This check conflicts with the concept of pegging"
                           "dependencies")
 def test_build_all_packages_updated(host):
@@ -57,6 +48,7 @@ def test_dh_virtualenv(host):
     """
     Confirm the expected version of dh-virtualenv is found.
     """
+    expected_version = "0.11" if host.system_info.codename == "xenial" else "1.2.1"
+    version_string = "dh_virtualenv {}".format(expected_version)
     c = host.run("dh_virtualenv --version")
-    version_string = "dh_virtualenv {}".format(SECUREDROP_DH_VIRTUALENV_VERSION)
     assert c.stdout.startswith(version_string)
diff --git a/molecule/builder-xenial/tests/test_securedrop_deb_package.py b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
index 0f88c24b78..5b7d82e0bc 100644
--- a/molecule/builder-xenial/tests/test_securedrop_deb_package.py
+++ b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
@@ -187,11 +187,10 @@ def test_deb_package_contains_mo_file(host, deb):
     Ensures the `securedrop-app-code` package has at least one
     compiled mo file.
     """
-    deb_package = host.file(deb.format(
-        securedrop_test_vars.securedrop_version))
-    c = host.run("dpkg-deb --contents {}".format(deb_package.path))
+    deb_package = host.file(deb.format(securedrop_test_vars.securedrop_version))
     # Only relevant for the securedrop-app-code package:
     if "securedrop-app-code" in deb_package.path:
+        c = host.run("dpkg-deb --contents {}".format(deb_package.path))
         assert re.search(r"^.*messages\.mo$", c.stdout, re.M)
 
 

From 3ca16a549505b820b500b718f3571a57214c9556 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Fri, 11 Sep 2020 10:34:14 -0400
Subject: [PATCH 4/8] updated builder image hashes

---
 molecule/builder-focal/image_hash  | 4 ++--
 molecule/builder-xenial/image_hash | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/molecule/builder-focal/image_hash b/molecule/builder-focal/image_hash
index bd105f0d50..6aff8d3769 100644
--- a/molecule/builder-focal/image_hash
+++ b/molecule/builder-focal/image_hash
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder-focal:2020_08_13
-47f7e1af8cc54bf9cb0afdef599b76d063c614943e54443ea660d6b53615814c
+# sha256 digest quay.io/freedomofpress/sd-docker-builder-focal:2020_09_11
+10d4b7f28a3de6f2bd9e6a55dd5fdb448fb90442d15a013f73942b4d2e5ce259
diff --git a/molecule/builder-xenial/image_hash b/molecule/builder-xenial/image_hash
index c5c03e9379..58223855de 100644
--- a/molecule/builder-xenial/image_hash
+++ b/molecule/builder-xenial/image_hash
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder-xenial:2020_09_02
-d62c99bb967e6dd1b276e642a29000656489313c2da2997f6bfbf466509f9b74
+# sha256 digest quay.io/freedomofpress/sd-docker-builder-xenial:2020_09_11
+b88a9e0ba180b55d0f22e84a81d3efc5da2263596a22ca5da043f84a2d741d88

From 512d87d574b8df08db79bde54add9fb9a426cfa2 Mon Sep 17 00:00:00 2001
From: John Hensley <john@freedom.press>
Date: Fri, 11 Sep 2020 14:36:28 -0400
Subject: [PATCH 5/8] Fix Vagrant staging, conf tests

The Vagrant box used for the libvirt staging env lacks
python3-distutils, which breaks mod_wsgi's "module-config" function,
as the swallowed exception when trying to import distutils causes the
correct shared library path construction logic to be skipped.

Also revert the templatization of the testinfra staging vars.
---
 .../build-securedrop-app-code-deb-pkg/templates/control.j2    | 4 ++--
 molecule/testinfra/staging/vars/app-staging.yml               | 4 ++--
 molecule/testinfra/staging/vars/staging.yml                   | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2
index 5c264cf9a9..71b89408eb 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2
@@ -11,8 +11,8 @@ Architecture: amd64
 Conflicts: libapache2-mod-wsgi,supervisor
 Replaces: libapache2-mod-wsgi,supervisor
 {% if securedrop_build_focal_support %}
-Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3
+Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3
 {% else %}
-Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), redis-server, securedrop-config, securedrop-keyring, sqlite3
+Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3
 {% endif %}
 Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.
diff --git a/molecule/testinfra/staging/vars/app-staging.yml b/molecule/testinfra/staging/vars/app-staging.yml
index 1b6e55e605..a8b44ce04c 100644
--- a/molecule/testinfra/staging/vars/app-staging.yml
+++ b/molecule/testinfra/staging/vars/app-staging.yml
@@ -12,8 +12,8 @@ wanted_apache_headers:
   - 'Header unset Etag'
 
 securedrop_venv: /opt/venvs/securedrop-app-code
-securedrop_venv_bin: "{{ securedrop_venv }}/bin"
-securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages"
+securedrop_venv_bin: /opt/venvs/securedrop-app-code/bin
+securedrop_venv_site_packages: /opt/venvs/securedrop-app-code/lib/python3.5/site-packages
 securedrop_code: /var/www/securedrop
 securedrop_data: /var/lib/securedrop
 securedrop_user: www-data
diff --git a/molecule/testinfra/staging/vars/staging.yml b/molecule/testinfra/staging/vars/staging.yml
index 825d97743b..94c8b7dffb 100644
--- a/molecule/testinfra/staging/vars/staging.yml
+++ b/molecule/testinfra/staging/vars/staging.yml
@@ -12,8 +12,8 @@ wanted_apache_headers:
   - 'Header unset Etag'
 
 securedrop_venv: /opt/venvs/securedrop-app-code
-securedrop_venv_bin: "{{ securedrop_venv }}/bin"
-securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages"
+securedrop_venv_bin: /opt/venvs/securedrop-app-code/bin
+securedrop_venv_site_packages: /opt/venvs/securedrop-app-code/lib/python3.5/site-packages
 securedrop_code: /var/www/securedrop
 securedrop_data: /var/lib/securedrop
 securedrop_user: www-data

From c499f16ce9e52ac95ad8c958ef650b10c205f420 Mon Sep 17 00:00:00 2001
From: Kushal Das <mail@kushaldas.in>
Date: Mon, 14 Sep 2020 12:02:56 +0530
Subject: [PATCH 6/8] Removes python3-distutils as dependency in Xenial

distutils is provided by libpython3.5-stdlib in Xenial.
---
 .../build-securedrop-app-code-deb-pkg/templates/control.j2      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2
index 71b89408eb..5e889f6823 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2
@@ -13,6 +13,6 @@ Replaces: libapache2-mod-wsgi,supervisor
 {% if securedrop_build_focal_support %}
 Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3
 {% else %}
-Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3
+Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), redis-server, securedrop-config, securedrop-keyring, sqlite3
 {% endif %}
 Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.

From 30ba408a29061872118dffdba8c82b78daa26a72 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Fri, 4 Sep 2020 14:57:04 -0700
Subject: [PATCH 7/8] Fixes libevent deps for ossec under Focal

Fixing a typo in the libevent package names. Hadn't noticed during
review of previous PRs because we're only just approaching the point of
being able to install these packages in a staging environment.

(cherry picked from commit 7682467ab573f23780a46665ddb27317f2289e8e)
---
 install_files/securedrop-ossec-agent/DEBIAN/control.j2  | 2 +-
 install_files/securedrop-ossec-server/DEBIAN/control.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control.j2 b/install_files/securedrop-ossec-agent/DEBIAN/control.j2
index 47a577c9ae..fa8e3b9a4a 100644
--- a/install_files/securedrop-ossec-agent/DEBIAN/control.j2
+++ b/install_files/securedrop-ossec-agent/DEBIAN/control.j2
@@ -7,7 +7,7 @@ Package: securedrop-ossec-agent
 Version: 3.6.0+1.6.0~rc1
 Architecture: amd64
 {% if securedrop_build_focal_support %}
-Depends: libevent-2.1.7,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config
+Depends: libevent-2.1-7,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config
 {% else %}
 Depends: libevent-1.4-2,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config
 {% endif %}
diff --git a/install_files/securedrop-ossec-server/DEBIAN/control.j2 b/install_files/securedrop-ossec-server/DEBIAN/control.j2
index b21053159d..f3e6eab6f5 100644
--- a/install_files/securedrop-ossec-server/DEBIAN/control.j2
+++ b/install_files/securedrop-ossec-server/DEBIAN/control.j2
@@ -7,7 +7,7 @@ Package: securedrop-ossec-server
 Version: 3.6.0+1.6.0~rc1
 Architecture: amd64
 {% if securedrop_build_focal_support %}
-Depends: libevent-2.1.7,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config
+Depends: libevent-2.1-7,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config
 {% else %}
 Depends: libevent-1.4-2,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config
 {% endif %}

From d50e41343d0056562018fcc2030ffdad4d434d50 Mon Sep 17 00:00:00 2001
From: John Hensley <john@freedom.press>
Date: Mon, 14 Sep 2020 12:13:59 -0400
Subject: [PATCH 8/8] Add --no-deps to setuptools download

---
 .../roles/build-securedrop-app-code-deb-pkg/tasks/main.yml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
index 660dfd3c2f..f5c720637b 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
@@ -31,7 +31,7 @@
 
 - name: Control the version of setuptools used in the default construction of virtual environments
   shell: |
-    pip3 download --require-hashes -r "{{ securedrop_app_code_prep_dir }}/requirements.txt" --dest /tmp/securedrop-app-code-requirements-download
+    pip3 download --no-deps --require-hashes -r "{{ securedrop_app_code_prep_dir }}/requirements.txt" --dest /tmp/securedrop-app-code-requirements-download
     rm -f /usr/share/python-wheels/setuptools-*.whl
     mv /tmp/securedrop-app-code-requirements-download/setuptools-*.whl /usr/share/python-wheels/