Improve specification of securedrop-app-code dependencies

[rmol]

Status

Ready for review

Description of Changes

Fixes #4875.
Fixes #4864.

The securedrop-app-code Debian package didn't fully specify its dependencies, crucially libpython3.5, which is almost always installed on SecureDrop servers built according to our instructions, but doesn't have to be. This fixes that, and makes the securedrop-app-code package the sole source of truth about its dependencies, eliminating the out-of-band installation of some of them via the app Ansible role.

This also fixes a few dependency specifications in the instructions for setting up a development environment.

Testing

The upgrade scenario is the easiest way to test this:

• Check out this branch.
• make build-debs
• make upgrade-start
• molecule login -s upgrade -h app-staging
  • sudo apt remove libpython3.5
  • sudo service apache2 restart

The Apache restart should fail, and in the output of journalctl -xe --no-pager you should see a failure to locate libpython3.5m.so.1.0:

Sep 26 22:28:04 app-prod apache2[7358]: apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/wsgi.load: Cannot load /opt/venvs/securedrop-app-code/lib/python3.5/site-packages/mod_wsgi/server/mod_wsgi-py35.cpython-35m-x86_64-linux-gnu.so into server: libpython3.5m.so.1.0: cannot open shared object file: No such file or directory

To fix this, install the packages you just built:

• make upgrade-test-local
• molecule login -s upgrade -h app-staging
  • dpkg -l securedrop-app-code libpython3.5
    Confirm that securedrop-app-code was upgraded and that libpython3.5 is installed.
  • Run curl http://127.0.0.1 to confirm that the source interface is working again.

Deployment

This ensures that securedrop-app-code dependencies are present. It should have no effect on most SecureDrop installations, where they should already installed, but will make installation more robust on atypical systems.

Checklist

If you made changes to the server application code:

• Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

• Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

• Configuration tests pass

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

If you made changes to documentation:

• Doc linting (make docs-lint) passed locally

[conorsch]

Works as advertised. Ran through test plan, no problems to report. Confirmed that the libpython3.5 package is in the security channel, ensuring it will get updates automatically as part of the cron-apt run.