Test built Debian packages #1785
Comments
legoktm
added a commit
that referenced
this issue
Feb 16, 2024
piuparts tests package installation, upgrade and removal. We don't care that much about the last one so it's just a warning for now. For each package, piuparts will install the package CI just built and ensure that goes smoothly, making sure all the dependencies are present and the postinst works. Issues that were found are being fixed in the next commit. At a later stage, once the released packages are passing piuparts too, we can have it automatically grab the latest package from apt.freedom.press, install that, and then test the upgrade path to the new CI-built packages. This CI setup relies on running docker-in-docker, which is hacky but seems to work. Unfortunately it doesn't work for the client (starts apparmor), workstation-config (starts systemd) and workstation-viewer (pulls in grsec kernel). In the future we can look at switching into a chrooted setup that might fix the last two. Getting this to work in GitHub Actions was inspired by <https://github.com/evgeni/action-piuparts/> but I didn't really copy any code. Refs #1785.
|
For upstream tooling we can reuse:
|
legoktm
added a commit
that referenced
this issue
Feb 19, 2024
lintian is the Debian package linter and catches a number of things we can improve in our packages. For now I've suppressed everything and annotated them with TODO/FIXME for others to take on or address incrementally. lintian is run at the end of `make build-debs` unless the "FAST" environment variable is set. Any warning or error causes the build to fail, but it can be suppressed in the corresponding lintian-overrides file. Refs #1785.
legoktm
added a commit
that referenced
this issue
Feb 19, 2024
lintian is the Debian package linter and catches a number of things we can improve in our packages. For now I've suppressed everything and annotated them with TODO/FIXME for others to take on or address incrementally. lintian is run at the end of `make build-debs` unless the "FAST" environment variable is set. Any warning or error causes the build to fail, but it can be suppressed in the corresponding lintian-overrides file. Internally there's a bit of work so we can identify the *.changes file that we just built, so we first build into a temporary directory, copy the files into our repository's build, then run lintian in the temporary directory. Refs #1785.
legoktm
added a commit
that referenced
this issue
Feb 21, 2024
piuparts tests package installation, upgrade and removal. We don't care that much about the last one so it's just a warning for now. For each package, piuparts will install the package CI just built and ensure that goes smoothly, making sure all the dependencies are present and the postinst works. Issues that were found are being fixed in the next commit. At a later stage, once the released packages are passing piuparts too, we can have it automatically grab the latest package from apt.freedom.press, install that, and then test the upgrade path to the new CI-built packages. This CI setup relies on running docker-in-docker, which is hacky but seems to work. Unfortunately it doesn't work for the client (starts apparmor), workstation-config (starts systemd) and workstation-viewer (pulls in grsec kernel). In the future we can look at switching into a chrooted setup that might fix the last two. Getting this to work in GitHub Actions was inspired by <https://github.com/evgeni/action-piuparts/> but I didn't really copy any code. Refs #1785.
legoktm
added a commit
that referenced
this issue
Feb 21, 2024
lintian is the Debian package linter and catches a number of things we can improve in our packages. For now I've suppressed everything and annotated them with TODO/FIXME for others to take on or address incrementally. lintian is run at the end of `make build-debs` unless the "FAST" environment variable is set. Any warning or error causes the build to fail, but it can be suppressed in the corresponding lintian-overrides file. Internally there's a bit of work so we can identify the *.changes file that we just built, so we first build into a temporary directory, copy the files into our repository's build, then run lintian in the temporary directory. Refs #1785.
legoktm
added a commit
that referenced
this issue
Feb 22, 2024
piuparts tests package installation, upgrade and removal. We don't care that much about the last one so it's just a warning for now. For each package, piuparts will install the package CI just built and ensure that goes smoothly, making sure all the dependencies are present and the postinst works. Issues that were found are being fixed in the next commit. At a later stage, once the released packages are passing piuparts too, we can have it automatically grab the latest package from apt.freedom.press, install that, and then test the upgrade path to the new CI-built packages. This CI setup relies on running docker-in-docker, which is hacky but seems to work. Unfortunately it doesn't work for the client (starts apparmor), workstation-config (starts systemd) and workstation-viewer (pulls in grsec kernel). In the future we can look at switching into a chrooted setup that might fix the last two. Getting this to work in GitHub Actions was inspired by <https://github.com/evgeni/action-piuparts/> but I didn't really copy any code. Refs #1785.
|
One of the things I want to explore is running the tests against the installed Debian package. Because we use a virtualenv, this actually makes it straightforward to install the dev dependencies in: Then install the dependencies, without installing the root package: Now the trick is we run the tests from a different directory, so that way the local securedrop_client package doesn't override the venv-installed one. This means the tests need to support being run from a different directory, which some don't yet. I'm not sure yet how this fits into the whole big picture, are we going to be running the tests in yet another variation? Or would this supplant our normal test runs? How straightforward do we make this to run locally? |
|
legoktm
added a commit
that referenced
this issue
Mar 5, 2024
lintian is the Debian package linter and catches a number of things we can improve in our packages. For now I've suppressed everything and annotated them with TODO/FIXME for others to take on or address incrementally. lintian is run at the end of `make build-debs` unless the "FAST" environment variable is set. Any warning or error causes the build to fail, but it can be suppressed in the corresponding lintian-overrides file. Internally there's a bit of work so we can identify the *.changes file that we just built, so we first build into a temporary directory, copy the files into our repository's build, then run lintian in the temporary directory. Refs #1785.
legoktm
added a commit
that referenced
this issue
Mar 5, 2024
lintian is the Debian package linter and catches a number of things we can improve in our packages. For now I've suppressed everything and annotated them with TODO/FIXME for others to take on or address incrementally. lintian is run at the end of `make build-debs` unless the "FAST" environment variable is set. Any warning or error causes the build to fail, but it can be suppressed in the corresponding lintian-overrides file. A number of file and directories that may exist in the tree are excluded from the package build process through d/source/options to prevent lintian from seeing them. Internally there's a bit of work so we can identify the *.changes file that we just built, so we first build into a temporary directory, copy the files into our repository's build, then run lintian in the temporary directory. Refs #1785.
legoktm
added a commit
that referenced
this issue
Mar 5, 2024
lintian is the Debian package linter and catches a number of things we can improve in our packages. For now I've suppressed everything and annotated them with TODO/FIXME for others to take on or address incrementally. lintian is run at the end of `make build-debs` unless the "FAST" environment variable is set. Any warning or error causes the build to fail, but it can be suppressed in the corresponding lintian-overrides file. A number of file and directories that may exist in the tree are excluded from the package build process through d/source/options to prevent lintian from seeing them. Internally there's a bit of work so we can identify the *.changes file that we just built, so we first build into a temporary directory, copy the files into our repository's build, then run lintian in the temporary directory. Refs #1785.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
We should run various tests against built Debian packages. Previously the builder repository ran a very trivial test that verified unpacking and the conffiles hack (https://github.com/freedomofpress/securedrop-builder/blob/ace977adaff920e70756aa2e8e9c773f956db4a5/tests/test_deb_package.py), but we have more useful ones in the server repo: https://github.com/freedomofpress/securedrop/blob/develop/builder/tests/test_securedrop_deb_package.py that should be used here.
The text was updated successfully, but these errors were encountered: