Revert to old dh-virtualenv, use built-in venv module

This takes another run at controlling setuptools: instead of installing a newer version of dh-virtualenv from Debian unstable for its ability to specify the setuptools version via the alternative build system, use it as before but with the Python 3 venv module, which will use the local version of setuptools that's already present, then replace that in the final package with the version pinned in the securedrop-app-code requirements.
freedomofpress · Sep 4, 2020 · c9a262e · c9a262e
1 parent 3990426
commit c9a262e
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 21 deletions.
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2 b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2
@@ -107,6 +107,7 @@
   /opt/venvs/securedrop-app-code/bin/python3 r,
   /opt/venvs/securedrop-app-code/lib/python3.5/ r,
   /opt/venvs/securedrop-app-code/lib/python3.5/** rm,
+  /opt/venvs/securedrop-app-code/pyvenv.cfg r,
   /var/lib/securedrop/ r,
   /var/lib/securedrop/db.sqlite kw,
   /var/lib/securedrop/db.sqlite rwk,

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
@@ -105,9 +105,6 @@
   args:
     chdir: "{{ securedrop_app_code_deb_dir }}"
   environment:
-    DH_PIP_EXTRA_ARGS: "--verbose --ignore-installed --no-deps --no-binary=:all: --no-cache-dir"
-    DH_UPGRADE_SETUPTOOLS: "46.0.0"
-    DH_VIRTUALENV_ARGUMENTS: "--python=/usr/bin/python3.5 --setuptools"
     DH_VIRTUALENV_INSTALL_ROOT: "/opt/venvs"
 
 - name: Find newly built Debian package

diff --git a/install_files/securedrop-app-code/debian/rules b/install_files/securedrop-app-code/debian/rules
@@ -5,7 +5,7 @@ DEB_DH_INSTALL_ARGS=-X .git
 SECUREDROP_BUILD_PLATFORM=$(shell lsb_release -sc)
 
 %:
-	dh $@ --buildsystem=dh_virtualenv --with systemd
+	dh $@ --with python-virtualenv --with systemd
 
 override_dh_gencontrol:
 	dh_gencontrol -- $(SUBSTVARS)
@@ -24,6 +24,15 @@ override_dh_strip_nondeterminism:
 	find -type f -name RECORD -exec sed -i -e '/.*\.pyc.*/d' {} +
 	dh_strip_nondeterminism $@
 
+override_dh_virtualenv:
+	dh_virtualenv \
+		--python=/usr/bin/python3.5 \
+		--builtin-venv \
+		--extra-pip-arg "--verbose" \
+		--extra-pip-arg "--no-deps" \
+		--extra-pip-arg "--no-binary=:all:" \
+		--extra-pip-arg "--no-cache-dir"
+
 #
 # Have to override the automatic service handling since we have more
 # than one.

diff --git a/molecule/builder-xenial/Dockerfile b/molecule/builder-xenial/Dockerfile
@@ -7,14 +7,13 @@ LABEL image_name="xenial-sd-builder-app"
 
 RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         apache2-dev \
-        apt-transport-https \
         aptitude \
         coreutils \
-        curl \
         debhelper \
         devscripts \
         dh-python \
         dh-systemd \
+        dh-virtualenv \
         gdb \
         git \
         gnupg2 \
@@ -28,20 +27,14 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         python3-all \
         python3-pip \
         python3-setuptools \
+        python3-venv \
         rsync \
         ruby \
         sqlite \
         sudo \
         tzdata \
         unzip \
-        virtualenv
-
-#install dh-virtualenv from debian unstable
-RUN curl https://ftp-master.debian.org/keys/archive-key-10.asc -o /tmp/debian-stable-archive-pubkey.asc && \
-        apt-key add /tmp/debian-stable-archive-pubkey.asc
-RUN echo "deb https://deb.debian.org/debian unstable main contrib" > /etc/apt/sources.list.d/debian-unstable.list
-COPY aptpreferences.conf /etc/apt/preferences.d/debian-unstable
-RUN apt-get update && apt-get install -y -t unstable dh-virtualenv
-RUN apt-get clean && rm -rf /var/lib/apt/lists/*
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/*
 
 RUN paxctl -cm /usr/bin/python3.5 && mkdir -p /tmp/build
diff --git a/molecule/builder-xenial/tests/test_build_dependencies.py b/molecule/builder-xenial/tests/test_build_dependencies.py
@@ -4,7 +4,7 @@
 
 SECUREDROP_TARGET_PLATFORM = os.environ.get("SECUREDROP_TARGET_PLATFORM")
 SECUREDROP_PYTHON_VERSION = os.environ.get("SECUREDROP_PYTHON_VERSION", "3.5")
-SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "1.2.1")
+SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "0.11")
 testinfra_hosts = [
         "docker://{}-sd-app".format(SECUREDROP_TARGET_PLATFORM)
 ]
@@ -55,11 +55,7 @@ def test_python_version(host):
 
 def test_dh_virtualenv(host):
     """
-    The version of dh-virtualenv in Xenial repos isn't new enough to work
-    with setuptools >= 50, so we pull it in from Debian. Confirm the expected
-    recent version of dh-virtualenv is found. Since we're tracking Debian unstable
-    for this dependency, this check will fail if unstable surprises us with a new
-    version.
+    Confirm the expected version of dh-virtualenv is found.
     """
     c = host.run("dh_virtualenv --version")
     version_string = "dh_virtualenv {}".format(SECUREDROP_DH_VIRTUALENV_VERSION)