freedomofpress · conorsch · Sep 14, 2020 · Sep 4, 2020 · Sep 8, 2020 · Sep 10, 2020
@@ -117,9 +117,6 @@
   args:
     chdir: "{{ securedrop_app_code_deb_dir }}"
   environment:
-    DH_PIP_EXTRA_ARGS: "--verbose --ignore-installed --no-deps --no-binary=:all: --no-cache-dir"
-    DH_UPGRADE_SETUPTOOLS: "46.0.0"
-    DH_VIRTUALENV_ARGUMENTS: "{{  '--python=/usr/bin/python3.8 --setuptools  46.0.0' if securedrop_build_focal_support else '--python=/usr/bin/python3.5 --setuptools' }}"
     DH_VIRTUALENV_INSTALL_ROOT: "/opt/venvs"
 
 - name: Find newly built Debian package

@@ -5,7 +5,7 @@ DEB_DH_INSTALL_ARGS=-X .git
 SECUREDROP_BUILD_PLATFORM=$(shell lsb_release -sc)
 
 %:
-	dh $@ --buildsystem=dh_virtualenv --with systemd
+	dh $@ --with python-virtualenv --with systemd
 
 override_dh_gencontrol:
 	dh_gencontrol -- $(SUBSTVARS)
@@ -24,6 +24,15 @@ override_dh_strip_nondeterminism:
 	find -type f -name RECORD -exec sed -i -e '/.*\.pyc.*/d' {} +
 	dh_strip_nondeterminism $@
 
+override_dh_virtualenv:
+	dh_virtualenv \
+		--python=/usr/bin/python3 \
+		--builtin-venv \
+		--extra-pip-arg "--verbose" \
+		--extra-pip-arg "--no-deps" \
+		--extra-pip-arg "--no-binary=:all:" \
+		--extra-pip-arg "--no-cache-dir"
+
 #
 # Have to override the automatic service handling since we have more
 # than one.

@@ -7,14 +7,13 @@ LABEL image_name="xenial-sd-builder-app"
 
 RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         apache2-dev \
-        apt-transport-https \
         aptitude \
         coreutils \
-        curl \
         debhelper \
         devscripts \
         dh-python \
         dh-systemd \
+        dh-virtualenv \
         gdb \
         git \
         gnupg2 \
@@ -28,20 +27,14 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         python3-all \
         python3-pip \
         python3-setuptools \
+        python3-venv \
         rsync \
         ruby \
         sqlite \
         sudo \
         tzdata \
         unzip \
-        virtualenv
-
-#install dh-virtualenv from debian unstable
-RUN curl https://ftp-master.debian.org/keys/archive-key-10.asc -o /tmp/debian-stable-archive-pubkey.asc && \
-        apt-key add /tmp/debian-stable-archive-pubkey.asc
-RUN echo "deb https://deb.debian.org/debian unstable main contrib" > /etc/apt/sources.list.d/debian-unstable.list
-COPY aptpreferences.conf /etc/apt/preferences.d/debian-unstable
-RUN apt-get update && apt-get install -y -t unstable dh-virtualenv
-RUN apt-get clean && rm -rf /var/lib/apt/lists/*
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/*
 
 RUN paxctl -cm /usr/bin/python3.5 && mkdir -p /tmp/build
@@ -4,7 +4,7 @@
 
 SECUREDROP_TARGET_PLATFORM = os.environ.get("SECUREDROP_TARGET_PLATFORM")
 SECUREDROP_PYTHON_VERSION = os.environ.get("SECUREDROP_PYTHON_VERSION", "3.5")
-SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "1.2.1")
+SECUREDROP_DH_VIRTUALENV_VERSION = os.environ.get("SECUREDROP_DH_VIRTUALENV_VERSION", "0.11")
 testinfra_hosts = [
         "docker://{}-sd-app".format(SECUREDROP_TARGET_PLATFORM)
 ]
@@ -55,11 +55,7 @@ def test_python_version(host):
 
 def test_dh_virtualenv(host):
     """
-    The version of dh-virtualenv in Xenial repos isn't new enough to work
-    with setuptools >= 50, so we pull it in from Debian. Confirm the expected
-    recent version of dh-virtualenv is found. Since we're tracking Debian unstable
-    for this dependency, this check will fail if unstable surprises us with a new
-    version.
+    Confirm the expected version of dh-virtualenv is found.
     """
     c = host.run("dh_virtualenv --version")
     version_string = "dh_virtualenv {}".format(SECUREDROP_DH_VIRTUALENV_VERSION)

@@ -4,13 +4,11 @@
 testinfra_hosts = ["app-staging"]
 sdvars = pytest.securedrop_test_vars
 
-sdbin = "/opt/venvs/securedrop-app-code/bin"
-
 
 @pytest.mark.parametrize('exp_pip_pkg', sdvars.pip_deps)
 def test_app_pip_deps(host, exp_pip_pkg):
     """ Ensure pip dependencies are installed """
-    pip = host.pip_package.get_packages(pip_path=os.path.join(sdbin, "pip"))
+    pip = host.pip_package.get_packages(pip_path=os.path.join(sdvars.securedrop_venv_bin, "pip"))
     assert pip[exp_pip_pkg['name']]['version'] == exp_pip_pkg['version']
 
 
@@ -48,6 +46,18 @@ def test_app_code_pkg(host):
     assert host.package("securedrop-app-code").is_installed
 
 
+def test_app_code_venv(host):
+    """
+    Ensure the securedrop-app-code virtualenv is correct.
+    """
+    cmd = """test -z $VIRTUAL_ENV && . {}/bin/activate && test "$VIRTUAL_ENV" = "{}" """.format(
+        sdvars.securedrop_venv, sdvars.securedrop_venv
+    )
+
+    result = host.run(cmd)
+    assert result.rc == 0
+
+
 def test_supervisor_not_installed(host):
     """ ensure supervisor package is not installed """
     assert host.package("supervisor").is_installed is False

@@ -12,8 +12,8 @@ wanted_apache_headers:
   - 'Header unset Etag'
 
 securedrop_venv: /opt/venvs/securedrop-app-code
-securedrop_venv_bin: "/opt/venvs/securedrop-app-code/bin"
-securedrop_venv_site_packages: "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages"
+securedrop_venv_bin: "{{ securedrop_venv }}/bin"
+securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages"
 securedrop_code: /var/www/securedrop
 securedrop_data: /var/lib/securedrop
 securedrop_user: www-data