From f160fe8aecf3ef7094b39b0eebf51de5eb819eb8 Mon Sep 17 00:00:00 2001 From: John Hensley Date: Fri, 4 Sep 2020 12:21:37 -0400 Subject: [PATCH 1/8] Revert to old dh-virtualenv, use built-in venv module This takes another run at controlling setuptools: instead of installing a newer version of dh-virtualenv from Debian unstable for its ability to specify the setuptools version via the alternative build system, use it as before but with the Python 3 venv module, which will use the local version of setuptools that's already present, then replace that in the final package with the version pinned in the securedrop-app-code requirements. --- .../tasks/main.yml | 3 --- install_files/securedrop-app-code/debian/rules | 11 ++++++++++- molecule/builder-xenial/Dockerfile | 15 ++++----------- .../tests/test_build_dependencies.py | 8 ++------ 4 files changed, 16 insertions(+), 21 deletions(-) diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml index c1a5ba7f37..7e17ed787d 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml @@ -117,9 +117,6 @@ args: chdir: "{{ securedrop_app_code_deb_dir }}" environment: - DH_PIP_EXTRA_ARGS: "--verbose --ignore-installed --no-deps --no-binary=:all: --no-cache-dir" - DH_UPGRADE_SETUPTOOLS: "46.0.0" - DH_VIRTUALENV_ARGUMENTS: "{{ '--python=/usr/bin/python3.8 --setuptools 46.0.0' if securedrop_build_focal_support else '--python=/usr/bin/python3.5 --setuptools' }}" DH_VIRTUALENV_INSTALL_ROOT: "/opt/venvs" - name: Find newly built Debian package diff --git a/install_files/securedrop-app-code/debian/rules b/install_files/securedrop-app-code/debian/rules index a2348a3d9c..a9cc6b77a7 100755 --- a/install_files/securedrop-app-code/debian/rules +++ b/install_files/securedrop-app-code/debian/rules 
@@ -5,7 +5,7 @@ DEB_DH_INSTALL_ARGS=-X .git SECUREDROP_BUILD_PLATFORM=$(shell lsb_release -sc) %: - dh $@ --buildsystem=dh_virtualenv --with systemd + dh $@ --with python-virtualenv --with systemd override_dh_gencontrol: dh_gencontrol -- $(SUBSTVARS) @@ -24,6 +24,15 @@ override_dh_strip_nondeterminism: find -type f -name RECORD -exec sed -i -e '/.*\.pyc.*/d' {} + dh_strip_nondeterminism $@ +override_dh_virtualenv: + dh_virtualenv \ + --python=/usr/bin/python3 \ + --builtin-venv \ + --extra-pip-arg "--verbose" \ + --extra-pip-arg "--no-deps" \ + --extra-pip-arg "--no-binary=:all:" \ + --extra-pip-arg "--no-cache-dir" + # # Have to override the automatic service handling since we have more # than one. diff --git a/molecule/builder-xenial/Dockerfile b/molecule/builder-xenial/Dockerfile index 8e1d0d3917..7db27ec5e6 100644 --- a/molecule/builder-xenial/Dockerfile +++ b/molecule/builder-xenial/Dockerfile @@ -7,14 +7,13 @@ LABEL image_name="xenial-sd-builder-app" RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \ apache2-dev \ - apt-transport-https \ aptitude \ coreutils \ - curl \ debhelper \ devscripts \ dh-python \ dh-systemd \ + dh-virtualenv \ gdb \ git \ gnupg2 \ 
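Review bot: The pip arguments in the new `override_dh_virtualenv` target carry no explicit hash enforcement, unlike the `pip3 download` and `pip3 install` calls added elsewhere in this series, which pass `--require-hashes`. As written, the packaged virtualenv is only hash-checked if pip switches that mode on itself because the requirements file contains hashes. Whether `--extra-pip-arg "--require-hashes"` can be added depends on how dh_virtualenv installs the local source tree, which is not visible here, so at minimum a comment above the target such as `# hash checking relies on the --hash entries in requirements.txt` would record the assumption. The `--ignore-installed` flag from the removed `DH_PIP_EXTRA_ARGS` is also dropped without explanation; if `--builtin-venv` is the reason it is no longer needed, the same comment could say so.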
@@ -28,20 +27,14 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \ python3-all \ python3-pip \ python3-setuptools \ + python3-venv \ rsync \ ruby \ sqlite \ sudo \ tzdata \ unzip \ - virtualenv - -#install dh-virtualenv from debian unstable -RUN curl https://ftp-master.debian.org/keys/archive-key-10.asc -o /tmp/debian-stable-archive-pubkey.asc && \ - apt-key add /tmp/debian-stable-archive-pubkey.asc -RUN echo "deb https://deb.debian.org/debian unstable main contrib" > /etc/apt/sources.list.d/debian-unstable.list -COPY aptpreferences.conf /etc/apt/preferences.d/debian-unstable -RUN apt-get update && apt-get install -y -t unstable dh-virtualenv -RUN apt-get clean && rm -rf /var/lib/apt/lists/* + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* RUN paxctl -cm /usr/bin/python3.5 && mkdir -p /tmp/build diff --git a/molecule/builder-xenial/tests/test_build_dependencies.py b/molecule/builder-xenial/tests/test_build_dependencies.py index b0db89e626..23137b6241 100644 --- a/molecule/builder-xenial/tests/test_build_dependencies.py +++ b/molecule/builder-xenial/tests/test_build_dependencies.py @@ -4,7 +4,7 @@ SECUREDROP_TARGET_PLATFORM = os.environ.get("SECUREDROP_TARGET_PLATFORM") SECUREDROP_PYTHON_VERSION = os.environ.get("SECUREDROP_PYTHON_VERSION", "3.5") -SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "1.2.1") +SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "0.11") testinfra_hosts = [ "docker://{}-sd-app".format(SECUREDROP_TARGET_PLATFORM) ] 
@@ -55,11 +55,7 @@ def test_python_version(host): def test_dh_virtualenv(host): """ - The version of dh-virtualenv in Xenial repos isn't new enough to work - with setuptools >= 50, so we pull it in from Debian. Confirm the expected - recent version of dh-virtualenv is found. Since we're tracking Debian unstable - for this dependency, this check will fail if unstable surprises us with a new - version. + Confirm the expected version of dh-virtualenv is found. """ c = host.run("dh_virtualenv --version") version_string = "dh_virtualenv {}".format(SECUREDROP_DH_VIRTUALENV_VERSION) From 812c788319b450256eb7a62586a73b0dfa164a66 Mon Sep 17 00:00:00 2001 From: John Hensley Date: Tue, 8 Sep 2020 14:40:36 -0400 Subject: [PATCH 2/8] Add test of virtualenv activation script construction Makes sure that the virtualenv activation script in the securedrop-app-code package has the right path to the virtualenv. --- molecule/testinfra/staging/app/test_appenv.py | 16 +++++++++++++--- molecule/testinfra/staging/vars/staging.yml | 4 ++-- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/molecule/testinfra/staging/app/test_appenv.py b/molecule/testinfra/staging/app/test_appenv.py index 38bc253c21..2726b58bca 100644 --- a/molecule/testinfra/staging/app/test_appenv.py +++ b/molecule/testinfra/staging/app/test_appenv.py @@ -4,13 +4,11 @@ testinfra_hosts = ["app-staging"] sdvars = pytest.securedrop_test_vars -sdbin = "/opt/venvs/securedrop-app-code/bin" - @pytest.mark.parametrize('exp_pip_pkg', sdvars.pip_deps) def test_app_pip_deps(host, exp_pip_pkg): """ Ensure pip dependencies are installed """ - pip = host.pip_package.get_packages(pip_path=os.path.join(sdbin, "pip")) + pip = host.pip_package.get_packages(pip_path=os.path.join(sdvars.securedrop_venv_bin, "pip")) assert pip[exp_pip_pkg['name']]['version'] == exp_pip_pkg['version'] 
@@ -48,6 +46,18 @@ def test_app_code_pkg(host): assert host.package("securedrop-app-code").is_installed +def test_app_code_venv(host): + """ + Ensure the securedrop-app-code virtualenv is correct. + """ + cmd = """test -z $VIRTUAL_ENV && . {}/bin/activate && test "$VIRTUAL_ENV" = "{}" """.format( + sdvars.securedrop_venv, sdvars.securedrop_venv + ) + + result = host.run(cmd) + assert result.rc == 0 + + def test_supervisor_not_installed(host): """ ensure supervisor package is not installed """ assert host.package("supervisor").is_installed is False diff --git a/molecule/testinfra/staging/vars/staging.yml b/molecule/testinfra/staging/vars/staging.yml index 2b6942ad57..825d97743b 100644 --- a/molecule/testinfra/staging/vars/staging.yml +++ b/molecule/testinfra/staging/vars/staging.yml @@ -12,8 +12,8 @@ wanted_apache_headers: - 'Header unset Etag' securedrop_venv: /opt/venvs/securedrop-app-code -securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin" -securedrop_venv_site_packages: "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages" +securedrop_venv_bin: "{{ securedrop_venv }}/bin" +securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages" securedrop_code: /var/www/securedrop securedrop_data: /var/lib/securedrop securedrop_user: www-data From 84cdcd1ea09500bca41615f6c8ad7e4f43b2b664 Mon Sep 17 00:00:00 2001 From: John Hensley Date: Thu, 10 Sep 2020 13:21:28 -0400 Subject: [PATCH 3/8] Control setuptools version used in build container virtualenvs Also create a virtualenv for translation tasks in the build container, instead of installing all of our requirements system-wide. --- .../tasks/main.yml | 12 ++++++------ .../tasks/translations.yml | 10 +++++++++- molecule/builder-focal/Dockerfile | 1 + .../tests/test_build_dependencies.py | 14 +++----------- .../tests/test_securedrop_deb_package.py | 5 ++--- 5 files changed, 21 insertions(+), 21 deletions(-) 
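Review bot: In `test_app_code_venv` the first check expands the variable unquoted (`test -z $VIRTUAL_ENV`), which only behaves as intended because `test -z` with no operand happens to evaluate true; write `test -z "$VIRTUAL_ENV"` to match the quoted comparison later in the same command. Because the three steps are chained with `&&` and only the exit code is asserted, a failure does not show whether the variable was already set, the activate script could not be sourced, or the resulting path was wrong; `assert result.rc == 0, result.stderr` would surface the shell error. The docstring could name what is being guarded against, for example `Ensure bin/activate sets VIRTUAL_ENV to the installed virtualenv path.`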
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml index 7e17ed787d..660dfd3c2f 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml @@ -29,13 +29,13 @@ - name: Copy requirements.txt to prep directory command: cp "{{ securedrop_pip_requirements }}" "{{ securedrop_app_code_prep_dir }}/requirements.txt" -- include: sass.yml - -- name: Install SecureDrop Python requirements in container +- name: Control the version of setuptools used in the default construction of virtual environments shell: | - pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt - tags: - - pip + pip3 download --require-hashes -r "{{ securedrop_app_code_prep_dir }}/requirements.txt" --dest /tmp/securedrop-app-code-requirements-download + rm -f /usr/share/python-wheels/setuptools-*.whl + mv /tmp/securedrop-app-code-requirements-download/setuptools-*.whl /usr/share/python-wheels/ + +- include: sass.yml - include: translations.yml diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml index 4cbd3b4114..d01a75cf79 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml 
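Review bot: The new `shell: |` block runs its three commands without `set -e`, so a failed `pip3 download` is followed by `rm -f /usr/share/python-wheels/setuptools-*.whl` anyway, and the system wheel is removed before a replacement is known to exist. Begin the block with `set -e` (or join the commands with `&&`) so nothing is deleted unless the hash-checked download succeeded. The `mv` glob would also pick up any stale `setuptools-*.whl` already sitting in the fixed `/tmp/securedrop-app-code-requirements-download` directory, so clearing that directory first is worth considering. The later hunk in this series that adds `--no-deps` to the same `pip3 download` line leaves the rest of the block as it is, so the same applies there. A short comment stating why the wheel under `/usr/share/python-wheels/` is swapped (the task name suggests new virtual environments are seeded from it) would help.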
@@ -1,10 +1,18 @@ --- +- name: Install SecureDrop Python requirements in virtualenv for translation work + shell: | + python3 -m venv /tmp/securedrop-app-code-i18n-ve + /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt + tags: + - pip + - name: Compile PO to MO. shell: >- cp config.py.example config.py ; trap 'rm config.py' EXIT ; - python3 ./i18n_tool.py --verbose translate-messages --compile + . /tmp/securedrop-app-code-i18n-ve/bin/activate ; + /tmp/securedrop-app-code-i18n-ve/bin/python3 ./i18n_tool.py --verbose translate-messages --compile args: chdir: "{{ securedrop_code_filtered }}" environment: diff --git a/molecule/builder-focal/Dockerfile b/molecule/builder-focal/Dockerfile index a75cde3029..de9b53b3fc 100644 --- a/molecule/builder-focal/Dockerfile +++ b/molecule/builder-focal/Dockerfile @@ -27,6 +27,7 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \ python3-all \ python3-pip \ python3-setuptools \ + python3-venv \ rsync \ ruby \ sqlite \ diff --git a/molecule/builder-xenial/tests/test_build_dependencies.py b/molecule/builder-xenial/tests/test_build_dependencies.py index 23137b6241..0221ebf69e 100644 --- a/molecule/builder-xenial/tests/test_build_dependencies.py +++ b/molecule/builder-xenial/tests/test_build_dependencies.py @@ -4,7 +4,7 @@ SECUREDROP_TARGET_PLATFORM = os.environ.get("SECUREDROP_TARGET_PLATFORM") SECUREDROP_PYTHON_VERSION = os.environ.get("SECUREDROP_PYTHON_VERSION", "3.5") -SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "0.11") + testinfra_hosts = [ "docker://{}-sd-app".format(SECUREDROP_TARGET_PLATFORM) ] 
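Review bot: The literal path `/tmp/securedrop-app-code-i18n-ve` is written out four times across the two tasks in this hunk, so a later rename can leave the install step and the compile step pointing at different environments; a single role variable would keep them in step. The compile task both sources `bin/activate` and calls the interpreter by absolute path, and it is not clear from the hunk why both are needed. If activation is there so that tools invoked by i18n_tool.py resolve from the virtualenv's `bin` directory rather than from system packages, a comment such as `# activate so helper commands come from the hash-checked venv` would make that intent explicit.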
@@ -19,15 +19,6 @@ def test_sass_gem_installed(host): assert c.rc == 0 -def test_pip_dependencies_installed(host): - """ - Ensure the development pip dependencies are installed - """ - c = host.run("pip3 list installed") - assert "Flask-Babel" in c.stdout - assert c.rc == 0 - - @pytest.mark.xfail(reason="This check conflicts with the concept of pegging" "dependencies") def test_build_all_packages_updated(host): @@ -57,6 +48,7 @@ def test_dh_virtualenv(host): """ Confirm the expected version of dh-virtualenv is found. """ + expected_version = "0.11" if host.system_info.codename == "xenial" else "1.2.1" + version_string = "dh_virtualenv {}".format(expected_version) c = host.run("dh_virtualenv --version") - version_string = "dh_virtualenv {}".format(SECUREDROP_DH_VIRTUALENV_VERSION) assert c.stdout.startswith(version_string) diff --git a/molecule/builder-xenial/tests/test_securedrop_deb_package.py b/molecule/builder-xenial/tests/test_securedrop_deb_package.py index 0f88c24b78..5b7d82e0bc 100644 --- a/molecule/builder-xenial/tests/test_securedrop_deb_package.py +++ b/molecule/builder-xenial/tests/test_securedrop_deb_package.py @@ -187,11 +187,10 @@ def test_deb_package_contains_mo_file(host, deb): Ensures the `securedrop-app-code` package has at least one compiled mo file. """ - deb_package = host.file(deb.format( - securedrop_test_vars.securedrop_version)) - c = host.run("dpkg-deb --contents {}".format(deb_package.path)) + deb_package = host.file(deb.format(securedrop_test_vars.securedrop_version)) # Only relevant for the securedrop-app-code package: if "securedrop-app-code" in deb_package.path: + c = host.run("dpkg-deb --contents {}".format(deb_package.path)) assert re.search(r"^.*messages\.mo$", c.stdout, re.M) From 3ca16a549505b820b500b718f3571a57214c9556 Mon Sep 17 00:00:00 2001 
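Review bot: With the expected version now hard-coded as `"0.11"` for xenial in `test_dh_virtualenv`, the unchanged `c.stdout.startswith(version_string)` check is a prefix match, so a builder image carrying a point release such as 0.11.1 (constructed example) would still pass. If the test is meant to pin the exact dh-virtualenv version in the image, compare the full output instead, e.g. `assert c.stdout.strip() == version_string`, assuming the command prints only that line. Every codename other than xenial is now expected to report 1.2.1; a comment naming the intended else-case (presumably focal) would make that explicit.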
From: Kevin O'Gorman
Date: Fri, 11 Sep 2020 10:34:14 -0400
Subject: [PATCH 4/8] updated builder image hashes
---
molecule/builder-focal/image_hash | 4 ++--
molecule/builder-xenial/image_hash | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/molecule/builder-focal/image_hash b/molecule/builder-focal/image_hash
index bd105f0d50..6aff8d3769 100644
--- a/molecule/builder-focal/image_hash
+++ b/molecule/builder-focal/image_hash
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder-focal:2020_08_13
-47f7e1af8cc54bf9cb0afdef599b76d063c614943e54443ea660d6b53615814c
+# sha256 digest quay.io/freedomofpress/sd-docker-builder-focal:2020_09_11
+10d4b7f28a3de6f2bd9e6a55dd5fdb448fb90442d15a013f73942b4d2e5ce259
diff --git a/molecule/builder-xenial/image_hash b/molecule/builder-xenial/image_hash
index c5c03e9379..58223855de 100644
--- a/molecule/builder-xenial/image_hash
+++ b/molecule/builder-xenial/image_hash
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder-xenial:2020_09_02
-d62c99bb967e6dd1b276e642a29000656489313c2da2997f6bfbf466509f9b74
+# sha256 digest quay.io/freedomofpress/sd-docker-builder-xenial:2020_09_11
+b88a9e0ba180b55d0f22e84a81d3efc5da2263596a22ca5da043f84a2d741d88
From 512d87d574b8df08db79bde54add9fb9a426cfa2 Mon Sep 17 00:00:00 2001
From: John Hensley
Date: Fri, 11 Sep 2020 14:36:28 -0400
Subject: [PATCH 5/8] Fix Vagrant staging, conf tests The Vagrant box used for the libvirt staging env lacks python3-distutils, which breaks mod_wsgi's "module-config" function, as the swallowed exception when trying to import distutils causes the correct shared library path construction logic to be skipped. Also revert the templatization of the testinfra staging vars.
---
.../build-securedrop-app-code-deb-pkg/templates/control.j2 | 4 ++--
molecule/testinfra/staging/vars/app-staging.yml | 4 ++--
molecule/testinfra/staging/vars/staging.yml | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 index 5c264cf9a9..71b89408eb 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 @@ -11,8 +11,8 @@ Architecture: amd64 Conflicts: libapache2-mod-wsgi,supervisor Replaces: libapache2-mod-wsgi,supervisor {% if securedrop_build_focal_support %} -Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3 +Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3 {% else %} -Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), redis-server, securedrop-config, securedrop-keyring, sqlite3 +Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3 {% endif %} Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode. diff --git a/molecule/testinfra/staging/vars/app-staging.yml b/molecule/testinfra/staging/vars/app-staging.yml index 1b6e55e605..a8b44ce04c 100644 
--- a/molecule/testinfra/staging/vars/app-staging.yml +++ b/molecule/testinfra/staging/vars/app-staging.yml @@ -12,8 +12,8 @@ wanted_apache_headers: - 'Header unset Etag' securedrop_venv: /opt/venvs/securedrop-app-code -securedrop_venv_bin: "{{ securedrop_venv }}/bin" -securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages" +securedrop_venv_bin: /opt/venvs/securedrop-app-code/bin +securedrop_venv_site_packages: /opt/venvs/securedrop-app-code/lib/python3.5/site-packages securedrop_code: /var/www/securedrop securedrop_data: /var/lib/securedrop securedrop_user: www-data diff --git a/molecule/testinfra/staging/vars/staging.yml b/molecule/testinfra/staging/vars/staging.yml index 825d97743b..94c8b7dffb 100644 --- a/molecule/testinfra/staging/vars/staging.yml +++ b/molecule/testinfra/staging/vars/staging.yml @@ -12,8 +12,8 @@ wanted_apache_headers: - 'Header unset Etag' securedrop_venv: /opt/venvs/securedrop-app-code -securedrop_venv_bin: "{{ securedrop_venv }}/bin" -securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages" +securedrop_venv_bin: /opt/venvs/securedrop-app-code/bin +securedrop_venv_site_packages: /opt/venvs/securedrop-app-code/lib/python3.5/site-packages securedrop_code: /var/www/securedrop securedrop_data: /var/lib/securedrop securedrop_user: www-data From c499f16ce9e52ac95ad8c958ef650b10c205f420 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Mon, 14 Sep 2020 12:02:56 +0530 Subject: [PATCH 6/8] Removes python3-distutils as dependency in Xenial distutils is provided by libpython3.5-stdlib in Xenial. --- .../build-securedrop-app-code-deb-pkg/templates/control.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 index 71b89408eb..5e889f6823 100644 
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 @@ -13,6 +13,6 @@ Replaces: libapache2-mod-wsgi,supervisor {% if securedrop_build_focal_support %} Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3 {% else %} -Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3 +Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), redis-server, securedrop-config, securedrop-keyring, sqlite3 {% endif %} Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode. From 30ba408a29061872118dffdba8c82b78daa26a72 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Fri, 4 Sep 2020 14:57:04 -0700 Subject: [PATCH 7/8] Fixes libevent deps for ossec under Focal Fixing a typo in the libevent name package names. Hadn't noticed during review of previous PRs because we're only just approaching the point of being able install these packages in a staging environment. (cherry picked from commit 7682467ab573f23780a46665ddb27317f2289e8e) --- install_files/securedrop-ossec-agent/DEBIAN/control.j2 | 2 +- install_files/securedrop-ossec-server/DEBIAN/control.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control.j2 b/install_files/securedrop-ossec-agent/DEBIAN/control.j2 index 47a577c9ae..fa8e3b9a4a 100644 --- a/install_files/securedrop-ossec-agent/DEBIAN/control.j2 +++ b/install_files/securedrop-ossec-agent/DEBIAN/control.j2 @@ -7,7 +7,7 @@ Package: securedrop-ossec-agent Version: 3.6.0+1.6.0~rc1 Architecture: amd64 {% if securedrop_build_focal_support %} -Depends: libevent-2.1.7,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config +Depends: libevent-2.1-7,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config {% else %} Depends: libevent-1.4-2,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config {% endif %} diff --git a/install_files/securedrop-ossec-server/DEBIAN/control.j2 b/install_files/securedrop-ossec-server/DEBIAN/control.j2 index b21053159d..f3e6eab6f5 100644 --- a/install_files/securedrop-ossec-server/DEBIAN/control.j2 +++ b/install_files/securedrop-ossec-server/DEBIAN/control.j2 @@ -7,7 +7,7 @@ Package: securedrop-ossec-server Version: 3.6.0+1.6.0~rc1 Architecture: amd64 {% if securedrop_build_focal_support %} -Depends: libevent-2.1.7,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config +Depends: libevent-2.1-7,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config {% else %} Depends: libevent-1.4-2,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config {% endif %} From d50e41343d0056562018fcc2030ffdad4d434d50 Mon Sep 17 00:00:00 2001 From: John Hensley Date: Mon, 14 Sep 2020 12:13:59 -0400 Subject: [PATCH 8/8] Add --no-deps to setuptools download --- .../roles/build-securedrop-app-code-deb-pkg/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml index 660dfd3c2f..f5c720637b 100644 
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml @@ -31,7 +31,7 @@ - name: Control the version of setuptools used in the default construction of virtual environments shell: | - pip3 download --require-hashes -r "{{ securedrop_app_code_prep_dir }}/requirements.txt" --dest /tmp/securedrop-app-code-requirements-download + pip3 download --no-deps --require-hashes -r "{{ securedrop_app_code_prep_dir }}/requirements.txt" --dest /tmp/securedrop-app-code-requirements-download rm -f /usr/share/python-wheels/setuptools-*.whl mv /tmp/securedrop-app-code-requirements-download/setuptools-*.whl /usr/share/python-wheels/