From 1b28043db893f97acbf5e60f68c71ba11a0b9cbf Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 26 Aug 2020 18:46:04 +0530 Subject: [PATCH] Updates based on review feedback securedrop-app-code control file is now a template. We don't need --setuptools in rules file as by default virtualenv will install the latest setuptools. Also clean changelog for Focal. We are using single usr.sbin.apache2 for both distribution. Updates the tests var as we rebased against develop. --- .../defaults/main.yml | 4 - .../files/changelog-focal | 80 +---- .../files/control-focal | 15 - .../files/usr.sbin.apache2 | 7 + .../files/usr.sbin.apache2-focal | 321 ------------------ .../tasks/main.yml | 5 + .../templates/control.j2} | 5 +- molecule/builder-focal/tests/vars.yml | 4 +- 8 files changed, 19 insertions(+), 422 deletions(-) delete mode 100644 install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/control-focal delete mode 100644 install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2-focal rename install_files/{securedrop-app-code/debian/control => ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2} (74%) diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml index 59cc312a3b1..8ac09ebd9a3 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml 
@@ -51,11 +51,7 @@ securedrop_python_version: "{{ '3.8' if securedrop_build_focal_support else '3.5 securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python{{ securedrop_python_version }}/site-packages" securedrop_app_focal_files: - - src: control-focal - dest: "{{ securedrop_app_code_prep_dir }}/debian/control" - src: rules-focal dest: "{{ securedrop_app_code_prep_dir }}/debian/rules" - src: securedrop-app-code.triggers-focal dest: "{{ securedrop_app_code_prep_dir }}/debian/securedrop-app-code.triggers" - - src: usr.sbin.apache2-focal - dest: "{{ securedrop_app_code_prep_dir }}/etc/apparmor.d/usr.sbin.apache2" diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal index 93b46b5418e..7459a02977c 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal 
@@ -1,83 +1,5 @@ -securedrop-app-code (1.5.0~rc1+focal) focal; urgency=medium +securedrop-app-code (1.6.0~rc1+focal) focal; urgency=medium * -- SecureDrop Team Thu, 18 Jun 2020 21:58:23 +0000 - -securedrop-app-code (1.4.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 17 Jun 2020 21:35:57 +0000 - -securedrop-app-code (1.3.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 12 May 2020 18:37:42 +0000 - -securedrop-app-code (1.2.2+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Fri, 13 Mar 2020 19:43:29 +0000 - -securedrop-app-code (1.2.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 19 Feb 2020 14:40:43 +0000 - -securedrop-app-code (1.2.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 20 Nov 2019 16:48:41 +0000 - -securedrop-app-code (1.1.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Mon, 21 Oct 2019 18:09:35 +0000 - -securedrop-app-code (1.0.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 17 Sep 2019 23:22:22 +0530 - -securedrop-app-code (0.14.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 10 Jul 2019 15:11:49 +0000 - -securedrop-app-code (0.13.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 18 Jun 2019 13:48:12 +0000 - -securedrop-app-code (0.13.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 29 May 2019 20:45:21 +0000 - -securedrop-app-code (0.12.2+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 25 Apr 2019 17:54:15 +0000 - -securedrop-app-code (0.12.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 20 Mar 2019 20:20:40 +0000 - -securedrop-app-code (0.12.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 27 Feb 2019 00:37:02 
+0000 diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/control-focal b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/control-focal deleted file mode 100644 index 8f7a79e51fa..00000000000 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/control-focal +++ /dev/null @@ -1,15 +0,0 @@ -Source: securedrop-app-code -Section: web -Priority: optional -Maintainer: SecureDrop Team -Homepage: https://securedrop.org -Build-Depends: debhelper (>= 9), dh-python, python3-all, python3-setuptools, dh-systemd, dh-virtualenv -Standards-Version: 3.9.8 -X-Python3-Version: >= 3.8 - -Package: securedrop-app-code -Architecture: amd64 -Conflicts: libapache2-mod-wsgi,supervisor -Replaces: libapache2-mod-wsgi,supervisor -Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3 -Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode. diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2 b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2 index 90a77965665..128d4e2dacc 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2 +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2 @@ -70,6 +70,7 @@ /etc/magic r, /etc/mime.types r, /etc/python3.5/sitecustomize.py r, + /etc/python3.8/sitecustomize.py r, /etc/services r, /etc/timezone r, /lib/x86_64-linux-gnu/libbz2.so.* mr, 
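Review bot: With `/etc/python3.8/sitecustomize.py r,` added next to the existing python3.5 rule, the single profile now grants paths for an interpreter that is not installed on the release being confined; the same applies to the `/opt/venvs/securedrop-app-code/lib/python3.8/` rules in the third hunk of this file. The extra read rules are low risk, but the package puts this profile in enforce mode, so I would add a comment above each pair such as `# python3.5 paths: Xenial; python3.8 paths: Focal`, which makes the Xenial entries easy to remove when that release is dropped. Rendering the profile from a template, as this commit does for debian/control, would keep each release's profile minimal. The profile body continues outside these hunks.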
@@ -87,6 +88,7 @@ /run/apache2/wsgi.*.sock rw, /run/lock/apache2/rewrite-map.* rw, /run/lock/apache2/ssl-cache.* rwk, + /run/systemd/userdb/io.systemd.DynamicUser r, /run/shm rw, /sbin/ldconfig rix, /sbin/ldconfig.real rix, @@ -107,6 +109,9 @@ /opt/venvs/securedrop-app-code/bin/python3 r, /opt/venvs/securedrop-app-code/lib/python3.5/ r, /opt/venvs/securedrop-app-code/lib/python3.5/** rm, + /opt/venvs/securedrop-app-code/lib/python3.8/ r, + /opt/venvs/securedrop-app-code/lib/python3.8/** rm, + /opt/venvs/securedrop-app-code/pyvenv.cfg r, /var/lib/securedrop/ r, /var/lib/securedrop/db.sqlite kw, /var/lib/securedrop/db.sqlite rwk, @@ -280,6 +285,8 @@ /var/www/securedrop/static/i/logo-footer.png r, /var/www/securedrop/static/i/no16-global.png r, /var/www/securedrop/static/i/no16.png r, + /var/www/securedrop/static/i/securedrop.png r, + /var/www/securedrop/static/i/securedrop_small.png r, /var/www/securedrop/static/i/server_upload.png r, /var/www/securedrop/static/i/star.png r, /var/www/securedrop/static/i/success_checkmark.png r, diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2-focal b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2-focal deleted file mode 100644 index 8f46e79759f..00000000000 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2-focal +++ /dev/null 
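Review bot: The new rule `/run/systemd/userdb/io.systemd.DynamicUser r,` is narrower than the `rw` that the deleted usr.sbin.apache2-focal profile granted for the same path, and the commit message does not say why. This path looks like a socket, and AppArmor file rules for socket paths are usually written `rw`, so please confirm on a Focal build with the profile enforced that no denials are logged for it; if read-only is intended, a short comment such as `# Focal: systemd userdb lookup, read-only is sufficient` would record that. The `pyvenv.cfg` rule in the next hunk was likewise tightened from `rw` to `r`, which looks right for a file the server presumably only reads.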
@@ -1,321 +0,0 @@ -# Last Modified: Wed Oct 29 08:16:32 2014 -#include - -/usr/sbin/apache2 { - #include - #include - - capability dac_override, - capability kill, - capability net_bind_service, - capability sys_ptrace, - - /bin/dash rix, - /bin/touch rix, - /bin/uname rix, - /dev/null w, - /dev/urandom r, - /etc/apache2/apache2.conf r, - /etc/apache2/conf-available/charset.conf r, - /etc/apache2/conf-available/localized-error-pages.conf r, - /etc/apache2/conf-available/other-vhosts-access-log.conf r, - /etc/apache2/conf-available/security.conf r, - /etc/apache2/conf-available/serve-cgi-bin.conf r, - /etc/apache2/conf-enabled/ r, - /etc/apache2/mods-available/access_compat.load r, - /etc/apache2/mods-available/alias.conf r, - /etc/apache2/mods-available/alias.load r, - /etc/apache2/mods-available/auth_basic.load r, - /etc/apache2/mods-available/authn_core.load r, - /etc/apache2/mods-available/authn_file.load r, - /etc/apache2/mods-available/authz_core.load r, - /etc/apache2/mods-available/authz_host.load r, - /etc/apache2/mods-available/authz_user.load r, - /etc/apache2/mods-available/autoindex.conf r, - /etc/apache2/mods-available/autoindex.load r, - /etc/apache2/mods-available/deflate.conf r, - /etc/apache2/mods-available/deflate.load r, - /etc/apache2/mods-available/dir.conf r, - /etc/apache2/mods-available/dir.load r, - /etc/apache2/mods-available/env.load r, - /etc/apache2/mods-available/filter.load r, - /etc/apache2/mods-available/headers.load r, - /etc/apache2/mods-available/mime.conf r, - /etc/apache2/mods-available/mime.load r, - /etc/apache2/mods-available/mpm_event.conf r, - /etc/apache2/mods-available/mpm_event.load r, - /etc/apache2/mods-available/negotiation.conf r, - /etc/apache2/mods-available/negotiation.load r, - /etc/apache2/mods-available/reqtimeout.conf r, - /etc/apache2/mods-available/reqtimeout.load r, - /etc/apache2/mods-available/rewrite.load r, - /etc/apache2/mods-available/setenvif.conf r, - /etc/apache2/mods-available/setenvif.load r, - 
/etc/apache2/mods-available/socache_shmcb.load r, - /etc/apache2/mods-available/ssl.conf r, - /etc/apache2/mods-available/ssl.load r, - /etc/apache2/mods-available/status.conf r, - /etc/apache2/mods-available/status.load r, - /etc/apache2/mods-available/wsgi.conf r, - /etc/apache2/mods-available/wsgi.load r, - /etc/apache2/mods-available/xsendfile.load r, - /etc/apache2/mods-enabled/ r, - /etc/apache2/ports.conf r, - /etc/apache2/sites-available/journalist.conf r, - /etc/apache2/sites-available/source.conf r, - /etc/apache2/sites-enabled/ r, - /etc/ld.so.cache r, - /etc/localtime r, - /etc/lsb-release r, - /etc/magic r, - /etc/mime.types r, - /etc/python3.8/sitecustomize.py r, - /etc/services r, - /etc/timezone r, - /lib/x86_64-linux-gnu/libbz2.so.* mr, - /lib/x86_64-linux-gnu/libc-*.so mr, - /lib/x86_64-linux-gnu/libz.so.* mr, - /proc/ r, - /proc/*/fd/ r, - /proc/*/fd/* r, - /proc/*/mounts r, - /proc/*/stat r, - /proc/*/status r, - /proc/sys/kernel/random/entropy_avail r, - /run/apache2/apache2.pid rw, - /run/apache2/wsgi.*.lock rwk, - /run/apache2/wsgi.*.sock rw, - /run/lock/apache2/rewrite-map.* rw, - /run/lock/apache2/ssl-cache.* rwk, - /run/systemd/userdb/io.systemd.DynamicUser rw, - /run/shm rw, - /sbin/ldconfig rix, - /sbin/ldconfig.real rix, - /tmp/** rwm, - /usr/bin/file rix, - /usr/bin/gpg rix, - /usr/bin/gpg-agent rix, - /usr/bin/gpg2 rix, - /usr/bin/pinentry-curses rix, - /usr/bin/pinentry-gtk-2 rix, - /usr/bin/shred rix, - /usr/bin/srm rix, - /usr/lib{,32,64}/** mr, - /usr/share/file/magic r, - /usr/share/file/magic.mgc r, - /opt/venvs/securedrop-app-code/**/__pycache__/ rw, - /opt/venvs/securedrop-app-code/**/__pycache__/* rw, - /opt/venvs/securedrop-app-code/bin/python3 r, - /opt/venvs/securedrop-app-code/lib/python3.8/ r, - /opt/venvs/securedrop-app-code/lib/python3.8/** rm, - /opt/venvs/securedrop-app-code/pyvenv.cfg rw, - /var/lib/securedrop/ r, - /var/lib/securedrop/db.sqlite kw, - /var/lib/securedrop/db.sqlite rwk, - 
/var/lib/securedrop/db.sqlite-journal rw, - /var/lib/securedrop/db.sqlite-journal w, - /var/lib/securedrop/keys/* rwl, - /var/lib/securedrop/keys/*.app-staging.* w, - /var/lib/securedrop/keys/gpg-agent.conf r, - /var/lib/securedrop/keys/openpgp-revocs.d/* rw, - /var/lib/securedrop/keys/private-keys-v1.d/* rw, - /var/lib/securedrop/keys/pubring.gpg r, - /var/lib/securedrop/keys/pubring.gpg rw, - /var/lib/securedrop/keys/pubring.gpg.lock l, - /var/lib/securedrop/keys/pubring.gpg.lock rwl, - /var/lib/securedrop/keys/pubring.gpg.tmp rw, - /var/lib/securedrop/keys/pubring.gpg.tmp w, - /var/lib/securedrop/keys/pubring.gpg~ w, - /var/lib/securedrop/keys/random_seed rwk, - /var/lib/securedrop/keys/secring.gpg r, - /var/lib/securedrop/keys/secring.gpg.lock l, - /var/lib/securedrop/keys/secring.gpg.lock rw, - /var/lib/securedrop/keys/secring.gpg.tmp rw, - /var/lib/securedrop/keys/trustdb.gpg rw, - /var/lib/securedrop/keys/trustdb.gpg.lock rwl, - /var/lib/securedrop/shredder/** rw, - /var/lib/securedrop/shredder/*/ w, - /var/lib/securedrop/store/** rw, - /var/lib/securedrop/store/*/ w, - /var/lib/securedrop/source_v2_url r, - /var/lib/securedrop/source_v3_url r, - /var/lib/securedrop/tmp/** rw, - /var/lib/ssl/* r, - /var/log/apache2/* w, - /var/log/apache2/other_vhosts_access.log rw, - /var/tmp/* rwm, - /var/www/* r, - /var/www/.gnupg/ rw, - /var/www/.gnupg/** rw, - /var/www/journalist.wsgi r, - /var/www/securedrop/ r, - /var/www/securedrop/**/__pycache__/ rw, - /var/www/securedrop/**/__pycache__/* rw, - /var/www/securedrop/.well-known/pki-validation/*.txt r, - /var/www/securedrop/__pycache__/ rw, - /var/www/securedrop/__pycache__/* rw, - /var/www/securedrop/config.py r, - /var/www/securedrop/crypto_util.py r, - /var/www/securedrop/db.py r, - /var/www/securedrop/dictionaries/adjectives.txt r, - /var/www/securedrop/dictionaries/nouns.txt r, - /var/www/securedrop/i18n.py r, - /var/www/securedrop/journalist.py r, - /var/www/securedrop/journalist_app/ r, - 
/var/www/securedrop/journalist_app/__init__.py r, - /var/www/securedrop/journalist_app/account.py r, - /var/www/securedrop/journalist_app/admin.py r, - /var/www/securedrop/journalist_app/api.py r, - /var/www/securedrop/journalist_app/col.py r, - /var/www/securedrop/journalist_app/decorators.py r, - /var/www/securedrop/journalist_app/forms.py r, - /var/www/securedrop/journalist_app/main.py r, - /var/www/securedrop/journalist_app/utils.py r, - /var/www/securedrop/journalist_templates/_confirmation_modal.html r, - /var/www/securedrop/journalist_templates/_source_row.html r, - /var/www/securedrop/journalist_templates/account_edit_hotp_secret.html r, - /var/www/securedrop/journalist_templates/account_new_two_factor.html r, - /var/www/securedrop/journalist_templates/admin.html r, - /var/www/securedrop/journalist_templates/admin_add_user.html r, - /var/www/securedrop/journalist_templates/admin_edit_hotp_secret.html r, - /var/www/securedrop/journalist_templates/admin_new_user_two_factor.html r, - /var/www/securedrop/journalist_templates/base.html r, - /var/www/securedrop/journalist_templates/col.html r, - /var/www/securedrop/journalist_templates/config.html r, - /var/www/securedrop/journalist_templates/delete.html r, - /var/www/securedrop/journalist_templates/edit_account.html r, - /var/www/securedrop/journalist_templates/error.html r, - /var/www/securedrop/journalist_templates/flag.html r, - /var/www/securedrop/journalist_templates/flashed.html r, - /var/www/securedrop/journalist_templates/index.html r, - /var/www/securedrop/journalist_templates/js-strings.html r, - /var/www/securedrop/journalist_templates/locales.html r, - /var/www/securedrop/journalist_templates/login.html r, - /var/www/securedrop/journalist_templates/logo_upload_flashed.html r, - /var/www/securedrop/journalist_templates/submission_preferences_saved_flash.html r, - /var/www/securedrop/models.py r, - /var/www/securedrop/request_that_secures_file_uploads.py r, - /var/www/securedrop/rm.py r, - 
/var/www/securedrop/sdconfig.py r, - /var/www/securedrop/secure_tempfile.py r, - /var/www/securedrop/source.py r, - /var/www/securedrop/source_app/ r, - /var/www/securedrop/source_app/__init__.py r, - /var/www/securedrop/source_app/api.py r, - /var/www/securedrop/source_app/decorators.py r, - /var/www/securedrop/source_app/forms.py r, - /var/www/securedrop/source_app/info.py r, - /var/www/securedrop/source_app/main.py r, - /var/www/securedrop/source_app/utils.py r, - /var/www/securedrop/source_templates/banner_warning_flashed.html r, - /var/www/securedrop/source_templates/base.html r, - /var/www/securedrop/source_templates/error.html r, - /var/www/securedrop/source_templates/first_submission_flashed_message.html r, - /var/www/securedrop/source_templates/flashed.html r, - /var/www/securedrop/source_templates/footer.html r, - /var/www/securedrop/source_templates/generate.html r, - /var/www/securedrop/source_templates/index.html r, - /var/www/securedrop/source_templates/locales.html r, - /var/www/securedrop/source_templates/login.html r, - /var/www/securedrop/source_templates/logout.html r, - /var/www/securedrop/source_templates/lookup.html r, - /var/www/securedrop/source_templates/next_submission_flashed_message.html r, - /var/www/securedrop/source_templates/notfound.html r, - /var/www/securedrop/source_templates/session_timeout.html r, - /var/www/securedrop/source_templates/tor2web-warning.html r, - /var/www/securedrop/source_templates/use-tor-browser.html r, - /var/www/securedrop/source_templates/why-journalist-key.html r, - /var/www/securedrop/static/.webassets-cache/** rw, - /var/www/securedrop/static/css/font-awesome.css r, - /var/www/securedrop/static/css/journalist.css r, - /var/www/securedrop/static/css/normalize.css r, - /var/www/securedrop/static/css/source.css r, - /var/www/securedrop/static/fonts/fa-brands-400.eot r, - /var/www/securedrop/static/fonts/fa-brands-400.svg r, - /var/www/securedrop/static/fonts/fa-brands-400.ttf r, - 
/var/www/securedrop/static/fonts/fa-brands-400.woff r, - /var/www/securedrop/static/fonts/fa-brands-400.woff2 r, - /var/www/securedrop/static/fonts/fa-regular-400.eot r, - /var/www/securedrop/static/fonts/fa-regular-400.svg r, - /var/www/securedrop/static/fonts/fa-regular-400.ttf r, - /var/www/securedrop/static/fonts/fa-regular-400.woff r, - /var/www/securedrop/static/fonts/fa-regular-400.woff2 r, - /var/www/securedrop/static/fonts/fa-solid-900.eot r, - /var/www/securedrop/static/fonts/fa-solid-900.svg r, - /var/www/securedrop/static/fonts/fa-solid-900.ttf r, - /var/www/securedrop/static/fonts/fa-solid-900.woff r, - /var/www/securedrop/static/fonts/fa-solid-900.woff2 r, - /var/www/securedrop/static/gen/journalist.css rw, - /var/www/securedrop/static/gen/journalist.js rw, - /var/www/securedrop/static/gen/source.css rw, - /var/www/securedrop/static/gen/source.js rw, - /var/www/securedrop/static/i/arrow-upload-blue.png r, - /var/www/securedrop/static/i/arrow-upload-large.png r, - /var/www/securedrop/static/i/arrow-upload-white.png r, - /var/www/securedrop/static/i/custom_logo.png rw, - /var/www/securedrop/static/i/delete_gray.png r, - /var/www/securedrop/static/i/delete_red.png r, - /var/www/securedrop/static/i/bang-stop.png r, - /var/www/securedrop/static/i/favicon.png r, - /var/www/securedrop/static/i/font-awesome/black/guard.svg r, - /var/www/securedrop/static/i/font-awesome/black/times.svg r, - /var/www/securedrop/static/i/font-awesome/cancel-blue.png r, - /var/www/securedrop/static/i/font-awesome/checkmark-blue.png r, - /var/www/securedrop/static/i/font-awesome/checkmark-white.png r, - /var/www/securedrop/static/i/font-awesome/comments-blue.png r, - /var/www/securedrop/static/i/font-awesome/comments-white.png r, - /var/www/securedrop/static/i/font-awesome/exclamation-triangle-black.png r, - /var/www/securedrop/static/i/font-awesome/fa-arrow-circle-o-right-blue.png r, - /var/www/securedrop/static/i/font-awesome/fa-arrow-circle-o-right-white.png r, - 
/var/www/securedrop/static/i/font-awesome/fa-globe-black.png r, - /var/www/securedrop/static/i/font-awesome/info-circle-black.png r, - /var/www/securedrop/static/i/font-awesome/lock-black.png r, - /var/www/securedrop/static/i/font-awesome/refresh-blue.png r, - /var/www/securedrop/static/i/font-awesome/refresh-white.png r, - /var/www/securedrop/static/i/font-awesome/times-white.png r, - /var/www/securedrop/static/i/font-awesome/white/exclamation-circle.svg r, - /var/www/securedrop/static/i/font-awesome/white/guard.svg r, - /var/www/securedrop/static/i/hand_with_fingerprint.png r, - /var/www/securedrop/static/i/languages_arrow.png r, - /var/www/securedrop/static/i/languages_globe.png r, - /var/www/securedrop/static/i/logo.png rw, - /var/www/securedrop/static/i/logo-footer.png r, - /var/www/securedrop/static/i/no16-global.png r, - /var/www/securedrop/static/i/no16.png r, - /var/www/securedrop/static/i/securedrop.png r, - /var/www/securedrop/static/i/securedrop_small.png r, - /var/www/securedrop/static/i/server_upload.png r, - /var/www/securedrop/static/i/star.png r, - /var/www/securedrop/static/i/success_checkmark.png r, - /var/www/securedrop/static/i/tipbox/tipbox-hed-j-all.png r, - /var/www/securedrop/static/i/tipbox/tipbox-hed-j-single.png r, - /var/www/securedrop/static/i/tipbox/tipbox-hed-submit1.png r, - /var/www/securedrop/static/i/tipbox/tipbox-hed-submit3.png r, - /var/www/securedrop/static/i/tipbox/tipbox-hed-user.png r, - /var/www/securedrop/static/i/tipbox/tipbox-logo.png r, - /var/www/securedrop/static/i/torbroom-black.png r, - /var/www/securedrop/static/i/torbroom-coral.png r, - /var/www/securedrop/static/i/trash-x-out.png r, - /var/www/securedrop/static/i/trash-x-solid.png r, - /var/www/securedrop/static/i/un-star.png r, - /var/www/securedrop/static/i/x_icon-button_blue.png r, - /var/www/securedrop/static/i/x_icon-grimace_blue.png r, - /var/www/securedrop/static/i/x_icon-sd_blue.png r, - /var/www/securedrop/static/js/journalist.js r, - 
/var/www/securedrop/static/js/source.js r, - /var/www/securedrop/store.py r, - /var/www/securedrop/template_filters.py r, - /var/www/securedrop/translations/ r, - /var/www/securedrop/translations/** r, - /var/www/securedrop/version.py r, - /var/www/securedrop/wordlist r, - /var/www/securedrop/wordlists/** r, - /var/www/securedrop/worker.py r, - /var/www/source.wsgi r, - - ^DEFAULT_URI { - } - - ^HANDLING_UNTRUSTED_INPUT { - } -} diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml index 117fc91f6f1..7e17ed787da 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml @@ -64,6 +64,11 @@ with_items: "{{ securedrop_app_focal_files }}" when: securedrop_build_focal_support +- name: Create the control file based on distribution + template: + src: "control.j2" + dest: "{{ securedrop_app_code_prep_dir }}/debian/control" + - name: Create lib/systemd/services directory in prep directory file: state: directory diff --git a/install_files/securedrop-app-code/debian/control b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 similarity index 74% rename from install_files/securedrop-app-code/debian/control rename to install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 index 07d1ea6274a..5c264cf9a94 100644 --- a/install_files/securedrop-app-code/debian/control +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 
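Review bot: The added `template` task sets no `mode`, so the permissions of the rendered `debian/control` depend on the umask of the user running the build. Adding `mode: "0644"` under `dest:` makes the build output predictable and uses the quoted-string form that avoids YAML octal parsing. The task is also unconditional while the copy task above it is guarded by `when: securedrop_build_focal_support`; that appears intentional since the template handles both releases, but a one-line comment saying so would help the next reader.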
@@ -5,11 +5,14 @@ Maintainer: SecureDrop Team Homepage: https://securedrop.org Build-Depends: debhelper (>= 9), dh-python, python3-all, python3-setuptools, dh-systemd, dh-virtualenv Standards-Version: 3.9.8 -X-Python3-Version: >= 3.5 Package: securedrop-app-code Architecture: amd64 Conflicts: libapache2-mod-wsgi,supervisor Replaces: libapache2-mod-wsgi,supervisor +{% if securedrop_build_focal_support %} +Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3 +{% else %} Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), redis-server, securedrop-config, securedrop-keyring, sqlite3 +{% endif %} Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode. diff --git a/molecule/builder-focal/tests/vars.yml b/molecule/builder-focal/tests/vars.yml index 35f8932cbad..bfa40d3e525 100644 --- a/molecule/builder-focal/tests/vars.yml +++ b/molecule/builder-focal/tests/vars.yml @@ -1,9 +1,9 @@ --- -securedrop_version: "1.5.0~rc1" +securedrop_version: "1.6.0~rc1" ossec_version: "3.6.0" keyring_version: "0.1.4" config_version: "0.1.3" -grsec_version: "4.14.175" +grsec_version: "4.14.188" # These values will be interpolated with values populated above # via helper functions in the tests.
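Review bot: The Focal branch of the `Depends:` line lists plain `python3` with no version bounds, while the Xenial branch keeps `python3 (>= 3.5), python3 (<< 3.6)`. The AppArmor rules in this commit are tied to python3.8 paths, so unless `libpython3.8` is meant to carry that constraint alone, consider `python3 (>= 3.8), python3 (<< 3.9)` for Focal. The hunk also removes `X-Python3-Version` for both releases without a mention in the commit message; a template comment (`{# ... #}`) stating why it is no longer needed would help. The two `Depends:` lines differ only in the Python parts, so the `securedrop_python_version` variable from defaults/main.yml could replace the duplicated list.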