From fe0db51c8c2c6287e9e32a1a9cf71ef7ebbd2021 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Thu, 25 Mar 2021 15:59:18 -0400
Subject: [PATCH 01/11] Added mokutil check to detect SecureBoot if enabled.

(cherry picked from commit a24e2bccaf32f257ecf736a208a0b90692e2d916)
---
 .../roles/prepare-servers/tasks/main.yml          | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
index d9a765611a..517afe253c 100644
--- a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
+++ b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
@@ -21,6 +21,21 @@
       SecureDrop cannot be installed. For details, see
       https://github.com/freedomofpress/securedrop/issues/4058
 
+- name: Check SecureBoot status
+  raw: 'mokutil --sb-state'
+  ignore_errors: yes
+  register: _mokutil_results
+
+- name: Verify that SecureBoot is not enabled
+  assert:
+    that:
+      - "'SecureBoot enabled' not in _mokutil_results.stdout"
+      - "'SecureBoot enabled' not in _mokutil_results.stderr"
+    fail_msg: >-
+      SecureBoot is enabled. SecureDrop cannot be installed, as it uses a
+      custom kernel that is not signed. Please disable SecureBoot on the
+      target servers and try again.
+
 - name: Install python and packages required by installer
   raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core
   register: _apt_install_prereqs_results

From 699aacf326e3c83871af53a6939f7fc5cf0a5d40 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Tue, 30 Mar 2021 08:13:13 -0700
Subject: [PATCH 02/11] Make sure mokutil is installed for SB check

On Ubuntu Focal installed from ISO, the "mokutil" package wasn't
installed by default. Let's add it early in the prepare-servers role, so
we can use it to check for SecureBoot status before proceeding with
installation.

(cherry picked from commit 9ec39d87d9a70f8bb53741fce85cdfdc50464beb)
---
 .../roles/prepare-servers/tasks/main.yml          | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
index 517afe253c..e693ae3c4c 100644
--- a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
+++ b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
@@ -21,9 +21,15 @@
       SecureDrop cannot be installed. For details, see
       https://github.com/freedomofpress/securedrop/issues/4058
 
+- name: Install python and packages required by installer
+  raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core mokutil
+  register: _apt_install_prereqs_results
+  changed_when: "'0 upgraded, 0 newly installed, 0 to remove' not in _apt_install_prereqs_results.stdout"
+
 - name: Check SecureBoot status
-  raw: 'mokutil --sb-state'
-  ignore_errors: yes
+  command: mokutil --sb-state
+  changed_when: false
+  failed_when: false # results inspected below
   register: _mokutil_results
 
 - name: Verify that SecureBoot is not enabled
@@ -36,11 +42,6 @@
       custom kernel that is not signed. Please disable SecureBoot on the
       target servers and try again.
 
-- name: Install python and packages required by installer
-  raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core
-  register: _apt_install_prereqs_results
-  changed_when: "'0 upgraded, 0 newly installed, 0 to remove' not in _apt_install_prereqs_results.stdout"
-
 - name: Remove cloud-init
   apt:
     name: cloud-init

From 4279687e2e3bfa63d4eaa52a0461dfb3c995dbe6 Mon Sep 17 00:00:00 2001
From: Erik Moeller <erik@freedom.press>
Date: Thu, 25 Mar 2021 16:29:25 -0700
Subject: [PATCH 03/11] Correct backup location of custom logo; update
 docstring

(cherry picked from commit 0441a1d41493d9286434b1bc78b4e9f7ec427035)
---
 .../ansible-base/roles/backup/files/backup.py    | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/install_files/ansible-base/roles/backup/files/backup.py b/install_files/ansible-base/roles/backup/files/backup.py
index cb25a3f3d2..9df91697b7 100755
--- a/install_files/ansible-base/roles/backup/files/backup.py
+++ b/install_files/ansible-base/roles/backup/files/backup.py
@@ -1,8 +1,11 @@
 #!/opt/venvs/securedrop-app-code/bin/python
 """
-This script is copied to the App server and run by the Ansible playbook. When
-run (as root), it collects all of the necessary information to backup the 0.3
-system and stores it in /tmp/sd-backup-0.3-TIME_STAMP.tar.gz.
+This script is copied to the App server (to /tmp) and run by the Ansible playbook,
+typically via `securedrop-admin`.
+
+The backup file in the format sd-backup-$TIMESTAMP.tar.gz is then copied to the
+Admin Workstation by the playbook, and removed on the server. For further
+information and limitations, see https://docs.securedrop.org/en/stable/backup_and_restore.html
 """
 
 from datetime import datetime
@@ -19,14 +22,17 @@ def main():
 
     sd_code = '/var/www/securedrop'
     sd_config = os.path.join(sd_code, "config.py")
-    sd_custom_logo = os.path.join(sd_code, "static/i/logo.png")
+    sd_custom_logo = os.path.join(sd_code, "static/i/custom_logo.png")
 
     tor_hidden_services = "/var/lib/tor/services"
     torrc = "/etc/tor/torrc"
 
     with tarfile.open(backup_filename, 'w:gz') as backup:
         backup.add(sd_config)
-        backup.add(sd_custom_logo)
+
+        # If no custom logo has been configured, the file will not exist
+        if os.path.exists(sd_custom_logo):
+            backup.add(sd_custom_logo)
         backup.add(sd_data)
         backup.add(tor_hidden_services)
         backup.add(torrc)

From 94cd97712ff68c6cf7c055ba1f99a858f468e1da Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Mon, 29 Mar 2021 13:40:34 -0400
Subject: [PATCH 04/11] Updated restore playbook to preserve server-side SSH
 configuration

(cherry picked from commit 94e3f989c1aabbee67d3f1d5a0e638164487161b)
---
 .../roles/restore/tasks/cleanup_v2.yml        |  40 +++++
 .../ansible-base/roles/restore/tasks/main.yml | 162 +-----------------
 .../roles/restore/tasks/perform_restore.yml   | 102 +++++++++++
 .../roles/restore/tasks/update_tor.yml        |  16 ++
 4 files changed, 165 insertions(+), 155 deletions(-)
 create mode 100644 install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
 create mode 100644 install_files/ansible-base/roles/restore/tasks/perform_restore.yml
 create mode 100644 install_files/ansible-base/roles/restore/tasks/update_tor.yml

diff --git a/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml b/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
new file mode 100644
index 0000000000..cd90f5d0e2
--- /dev/null
+++ b/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
@@ -0,0 +1,40 @@
+---
+- name: Copy disable_v2.py script
+  copy:
+    src: "{{ role_path }}/files/disable_v2.py"
+    dest: /opt/disable_v2.py
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Execute disable_v2 script
+  command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor source directory
+  file:
+    state: absent
+    path: /var/lib/tor/services/source
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor journalist directory
+  file:
+    state: absent
+    path: /var/lib/tor/services/journalist
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor ssh directory
+  file:
+    state: absent
+    path: /var/lib/tor/services/ssh
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 source_url application file
+  file:
+    state: absent
+    path: /var/lib/securedrop/source_v2_url
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove disable_v2.py script
+  file:
+    state: absent
+    path: /opt/disable_v2.py
+  when: ("V3 services only" in compare_result.stdout)
diff --git a/install_files/ansible-base/roles/restore/tasks/main.yml b/install_files/ansible-base/roles/restore/tasks/main.yml
index 3cd847b6de..a6e3eb89fe 100644
--- a/install_files/ansible-base/roles/restore/tasks/main.yml
+++ b/install_files/ansible-base/roles/restore/tasks/main.yml
@@ -1,159 +1,11 @@
 ---
-- name: Create temporary directory for Tor configuration check
-  connection: local
-  become: no
-  tempfile:
-    state: directory
-  register: torrc_check_dir
+- name: Apply backup to Application Server
+  include: perform_restore.yml
 
-- name: Fetch current Tor configuration from app server
-  become: no
-  fetch:
-    src: /etc/tor/torrc
-    dest: "{{ torrc_check_dir.path }}"
-
-- name: Create directory to hold the Tor configuration from the backup
-  connection: local
-  become: no
-  file:
-    path: "{{ torrc_check_dir.path }}/backup"
-    state: directory
-
-- name: Extract Tor configuration from backup
-  connection: local
-  become: no
-  unarchive:
-    dest: "{{ torrc_check_dir.path }}/backup/"
-    src: "{{ restore_file }}"
-    extra_opts:
-      - "etc/tor/torrc"
-
-- name: Check for Tor configuration differences between the backup and server
-  connection: local
-  become: no
-  command: "python {{ role_path }}/files/compare_torrc.py {{ torrc_check_dir.path }}"
-  ignore_errors: yes
-  register: compare_result
-
-- name: Remove temporary directory for Tor configuration check
-  connection: local
-  become: no
-  file:
-    path: "{{ torrc_check_dir.path }}"
-    state: absent
-  when: torrc_check_dir.path is defined
-
-- name: Verify that the backup Tor config is compatible with the server Tor config
-  assert:
-    that:
-      - "'Valid configuration' in compare_result.stdout"
-    fail_msg:
-      - "This backup's tor configuration cannot be applied on this server."
-      - "A data-only restore can be applied using the --preserve-tor-config argument"
-      - "More info: {{ compare_result.stdout }}"
+- name: Remove deprecated v2 onion service configuration
+  include: cleanup_v2.yml
   when: not restore_skip_tor
 
-- name: Copy backup to application server
-  synchronize:
-    src: "{{ restore_file }}"
-    dest: /tmp/{{ restore_file }}
-    partial: yes
-
-- name: Extract backup
-  unarchive:
-    dest: /
-    remote_src: yes
-    src: "/tmp/{{ restore_file}}"
-  when: (not restore_skip_tor) and
-        ("V3 services only" not in compare_result.stdout)
-
-- name: Extract backup, using v3 services only
-  unarchive:
-    dest: /
-    remote_src: yes
-    src: "/tmp/{{ restore_file}}"
-    exclude: "var/lib/tor/services/source,var/lib/tor/services/journalist,var/lib/tor/services/ssh"
-  when: (not restore_skip_tor) and
-        ("V3 services only" in compare_result.stdout)
-
-- name: Extract backup, skipping tor service configuration
-  unarchive:
-    dest: /
-    remote_src: yes
-    src: "/tmp/{{ restore_file}}"
-    exclude: "var/lib/tor,etc/tor/torrc"
-  when: restore_skip_tor
-
-- name: Reconfigure securedrop-app-code
-  command: dpkg-reconfigure securedrop-app-code
-
-- name: Reconfigure securedrop-config
-  command: dpkg-reconfigure securedrop-config
-
-- name: Reload Apache service
-  service:
-    name: apache2
-    state: reloaded
-
-- name: Copy disable_v2.py script
-  copy:
-    src: "{{ role_path }}/files/disable_v2.py"
-    dest: /opt/disable_v2.py
-  when: (not restore_skip_tor) and
-        ("V3 services only" in compare_result.stdout)
-
-- name: Execute disable_v2 script
-  command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc
-  when: (not restore_skip_tor) and
-        ("V3 services only" in compare_result.stdout)
-
-- name: Remove v2 tor source directory
-  file:
-    state: absent
-    path: /var/lib/tor/services/source
-  when: (not restore_skip_tor) and
-        ("V3 services only" in compare_result.stdout)
-
-- name: Remove v2 tor journalist directory
-  file:
-    state: absent
-    path: /var/lib/tor/services/journalist
-  when: (not restore_skip_tor) and
-        ("V3 services only" in compare_result.stdout)
-
-- name: Remove v2 tor ssh directory
-  file:
-    state: absent
-    path: /var/lib/tor/services/ssh
-  when: (not restore_skip_tor) and
-        ("V3 services only" in compare_result.stdout)
-
-- name: Remove v2 source_url application file
-  file:
-    state: absent
-    path: /var/lib/securedrop/source_v2_url
-  when: (not restore_skip_tor) and
-        ("V3 services only" in compare_result.stdout)
-
-- name: Remove disable_v2.py script
-  file:
-    state: absent
-    path: /opt/disable_v2.py
-  when: (not restore_skip_tor) and
-        ("V3 services only" in compare_result.stdout)
-
-- name: Reload Tor service
-  service:
-    name: tor
-    state: reloaded
-  async: 60
-  poll: 0
-  register: tor_reload_job
-
-- name: Wait for Tor reload
-  async_status:
-    jid: "{{ tor_reload_job.ansible_job_id }}"
-  register: tor_reload
-  until: tor_reload.finished
-  retries: 6
-  delay: 10
+- name: Restart Tor
+  include: update_tor.yml
+  when: not restore_skip_tor
diff --git a/install_files/ansible-base/roles/restore/tasks/perform_restore.yml b/install_files/ansible-base/roles/restore/tasks/perform_restore.yml
new file mode 100644
index 0000000000..2da23dca7d
--- /dev/null
+++ b/install_files/ansible-base/roles/restore/tasks/perform_restore.yml
@@ -0,0 +1,102 @@
+---
+- name: Create temporary directory for Tor configuration check
+  connection: local
+  become: no
+  tempfile:
+    state: directory
+  register: torrc_check_dir
+
+- name: Fetch current Tor configuration from app server
+  become: no
+  fetch:
+    src: /etc/tor/torrc
+    dest: "{{ torrc_check_dir.path }}"
+
+- name: Create directory to hold the Tor configuration from the backup
+  connection: local
+  become: no
+  file:
+    path: "{{ torrc_check_dir.path }}/backup"
+    state: directory
+
+- name: Extract Tor configuration from backup
+  connection: local
+  become: no
+  unarchive:
+    dest: "{{ torrc_check_dir.path }}/backup/"
+    src: "{{ restore_file }}"
+    extra_opts:
+      - "etc/tor/torrc"
+
+- name: Check for Tor configuration differences between the backup and server
+  connection: local
+  become: no
+  command: "python {{ role_path }}/files/compare_torrc.py {{ torrc_check_dir.path }}"
+  ignore_errors: yes
+  register: compare_result
+
+- name: Remove temporary directory for Tor configuration check
+  connection: local
+  become: no
+  file:
+    path: "{{ torrc_check_dir.path }}"
+    state: absent
+  when: torrc_check_dir.path is defined
+
+- name: Verify that the backup Tor config is compatible with the server Tor config
+  assert:
+    that:
+      - "'Valid configuration' in compare_result.stdout"
+    fail_msg:
+      - "This backup's tor configuration cannot be applied on this server."
+      - "A data-only restore can be applied using the --preserve-tor-config argument"
+      - "More info: {{ compare_result.stdout }}"
+  when: not restore_skip_tor
+
+- name: Copy backup to application server
+  synchronize:
+    src: "{{ restore_file }}"
+    dest: /tmp/{{ restore_file }}
+    partial: yes
+
+- name: Extract backup
+  unarchive:
+    dest: /
+    remote_src: yes
+    src: "/tmp/{{ restore_file}}"
+    exclude:
+      - "var/lib/tor/services/ssh"
+      - "var/lib/tor/services/sshv3"
+  when: (not restore_skip_tor) and
+        ("V3 services only" not in compare_result.stdout)
+
+- name: Extract backup, using v3 services only
+  unarchive:
+    dest: /
+    remote_src: yes
+    src: "/tmp/{{ restore_file}}"
+    exclude:
+      - "var/lib/tor/services/source,var/lib/tor/services/journalist"
+      - "var/lib/tor/services/ssh"
+      -  "var/lib/tor/services/sshv3"
+  when: (not restore_skip_tor) and
+        ("V3 services only" in compare_result.stdout)
+
+- name: Extract backup, skipping tor service configuration
+  unarchive:
+    dest: /
+    remote_src: yes
+    src: "/tmp/{{ restore_file}}"
+    exclude: "var/lib/tor,etc/tor/torrc"
+  when: restore_skip_tor
+
+- name: Reconfigure securedrop-app-code
+  command: dpkg-reconfigure securedrop-app-code
+
+- name: Reconfigure securedrop-config
+  command: dpkg-reconfigure securedrop-config
+
+- name: Reload Apache service
+  service:
+    name: apache2
+    state: reloaded
diff --git a/install_files/ansible-base/roles/restore/tasks/update_tor.yml b/install_files/ansible-base/roles/restore/tasks/update_tor.yml
new file mode 100644
index 0000000000..9d24c23363
--- /dev/null
+++ b/install_files/ansible-base/roles/restore/tasks/update_tor.yml
@@ -0,0 +1,16 @@
+---
+- name: Reload Tor service
+  service:
+    name: tor
+    state: reloaded
+  async: 60
+  poll: 0
+  register: tor_reload_job
+
+- name: Wait for Tor reload
+  async_status:
+    jid: "{{ tor_reload_job.ansible_job_id }}"
+  register: tor_reload
+  until: tor_reload.finished
+  retries: 6
+  delay: 10

From 64bc4be9c6d96f384473859df72a33019cc216a0 Mon Sep 17 00:00:00 2001
From: Kushal Das <mail@kushaldas.in>
Date: Mon, 29 Mar 2021 16:21:12 +0530
Subject: [PATCH 05/11] Fixes #5835 disables ossec mails for fwupd

Adds a new rules group and also the related decoder.

(cherry picked from commit d289c1af055c104d0de4770b217252dba20781cb)
---
 .../var/ossec/etc/local_decoder.xml           |  7 +++++++
 .../var/ossec/rules/local_rules.xml           | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml b/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml
index 50445d873e..63c4e3b707 100644
--- a/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml
+++ b/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml
@@ -47,3 +47,10 @@
 <decoder name="dhclient">
   <program_name>dhclient</program_name>
 </decoder>
+
+<!--
+  The default fwupd tries to auto-update and generates error.
+-->
+<decoder name="fwupd">
+  <program_name>fwupd</program_name>
+</decoder>
diff --git a/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml b/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
index eb3f5d4cb8..26eeab6958 100644
--- a/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
+++ b/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
@@ -73,6 +73,25 @@
   </rule>
 </group>
 
+<!--
+  fwupd auto-updates realted rules.
+-->
+
+<group name="fwupd">
+  <rule id="100111" level="0">
+    <decoded_as>fwupd</decoded_as>
+    <match>Error opening directory</match>
+    <description>fwupd error</description>
+    <options>no_email_alert</options>
+  </rule>
+  <rule id="100112" level="0">
+    <decoded_as>fwupd</decoded_as>
+    <match>Failed to load SMBIOS</match>
+    <description>fwupd error for auto updates</description>
+    <options>no_email_alert</options>
+  </rule>
+</group>
+
 <!--
   Do not alert on stagging VM dhcp client errors. These events should not occur
   in production environments

From 1da976dfda55eb9f5355904f592726d13ca569ca Mon Sep 17 00:00:00 2001
From: mickael e <mickael@freedom.press>
Date: Tue, 6 Apr 2021 15:43:51 -0400
Subject: [PATCH 06/11] Adds ossec-logtest testinfra test for fwupd rules

(cherry picked from commit 19ade45ba819d7067588eadc59a56b816a9b1d2e)
---
 molecule/testinfra/vars/staging.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/molecule/testinfra/vars/staging.yml b/molecule/testinfra/vars/staging.yml
index 6cddbe4cac..6582a1042c 100644
--- a/molecule/testinfra/vars/staging.yml
+++ b/molecule/testinfra/vars/staging.yml
@@ -133,6 +133,20 @@ log_events_without_ossec_alerts:
       jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6a
       hj-%A-m_5lgab!OVR,!pR+;L]eLgilU
 
+  # Override and suppress fwupd-specific errors under Ubuntu Focal
+  - name: test_ossec_fwupd_fuplugin_uefi_does_not_produce_alert
+    alert: >
+      Mar  1 13:22:53 app fwupd[133921]: 13:22:53:0883 FuPluginUefi
+      Error opening directory â€œ/sys/firmware/efi/esrt/entriesâ€�: No such file or directory
+    level: "0"
+    rule_id: "100111"
+
+  - name: test_ossec_fwupd_fuengine_does_not_produce_alert
+    alert: >
+      Mar  1 13:22:53 mon fwupd[133921]: 13:22:53:0576 FuEngine
+      Failed to load SMBIOS: invalid DMI data size, got 2527 bytes, expected 2745
+    level: "0"
+    rule_id: "100112"
 
 # Log events we expect an OSSEC alert to occur for
 log_events_with_ossec_alerts:

From 15234834e7bc4171505b62a6af221c93c5f5000b Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Tue, 30 Mar 2021 14:19:08 -0400
Subject: [PATCH 07/11] Updated pylint, pyyaml dependencies

- pylint 2.5.0 -> 2.7.0 (python 3.6+ required, no review as dev only)
- pyyaml 5.3.1 -> 5.4.1 (python 3.6+ required, previously reviewed)

(cherry picked from commit 053463e078de1fbefccaa07ae18193bfbd60fdd7)
---
 admin/requirements-dev.in                     |   2 +-
 admin/requirements-dev.txt                    |  14 +-
 admin/requirements-testinfra.txt              |  42 ++++--
 admin/requirements.in                         |   2 +-
 admin/requirements.txt                        |  42 ++++--
 .../python3/develop-requirements.in           |   4 +-
 .../python3/develop-requirements.txt          | 125 ++++++++++--------
 7 files changed, 141 insertions(+), 90 deletions(-)

diff --git a/admin/requirements-dev.in b/admin/requirements-dev.in
index 3f20244ca9..d64eebb7a4 100644
--- a/admin/requirements-dev.in
+++ b/admin/requirements-dev.in
@@ -6,7 +6,7 @@ mock
 pbr
 pip==19.3.1
 pip-tools==4.5.1
-pylint==2.5.0
+pylint>=2.7.0; python_version > '3.6'
 pytest==3.2.0
 requests>=2.22.0
 tox
diff --git a/admin/requirements-dev.txt b/admin/requirements-dev.txt
index 4278f8b08f..e48d699378 100644
--- a/admin/requirements-dev.txt
+++ b/admin/requirements-dev.txt
@@ -4,9 +4,9 @@
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements-dev.txt requirements-dev.in
 #
-astroid==2.4.2 \
-    --hash=sha256:2f4078c2a41bf377eea06d71c9d2ba4eb8f6b1af2135bec27bbbb7d8f12bb703 \
-    --hash=sha256:bc58d83eb610252fd8de6363e39d4f1d0619c894b0ed24603b881c02e64c7386 \
+astroid==2.5.2 \
+    --hash=sha256:6b0ed1af831570e500e2437625979eaa3b36011f66ddfc4ce930128610258ca9 \
+    --hash=sha256:cd80bf957c49765dce6d92c43163ff9d2abc43132ce64d4b1b47717c6d2522df \
     # via pylint
 certifi==2018.4.16 \
     --hash=sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7 \
@@ -137,9 +137,9 @@ pyflakes==1.6.0 \
     --hash=sha256:08bd6a50edf8cffa9fa09a463063c425ecaaf10d1eb0335a7e8b1401aef89e6f \
     --hash=sha256:8d616a382f243dbf19b54743f280b80198be0bca3a5396f1d2e1fca6223e8805 \
     # via flake8
-pylint==2.5.0 \
-    --hash=sha256:588e114e3f9a1630428c35b7dd1c82c1c93e1b0e78ee312ae4724c5e1a1e0245 \
-    --hash=sha256:bd556ba95a4cf55a1fc0004c00cf4560b1e70598a54a74c6904d933c8f3bd5a8 \
+pylint==2.7.4 ; python_version > "3.6" \
+    --hash=sha256:209d712ec870a0182df034ae19f347e725c1e615b2269519ab58a35b3fcbbe7a \
+    --hash=sha256:bd38914c7731cdc518634a8d3c5585951302b6e2b6de60fbb3f7a0220e21eeee \
     # via -r requirements-dev.in
 pytest-catchlog==1.2.2 \
     --hash=sha256:4be15dc5ac1750f83960897f591453040dff044b5966fe24a91c2f7d04ecfcf0 \
@@ -156,7 +156,7 @@ requests==2.22.0 \
 six==1.15.0 \
     --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
     --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced \
-    # via astroid, mock, pip-tools, tox
+    # via mock, pip-tools, tox
 toml==0.10.1 \
     --hash=sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f \
     --hash=sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88 \
diff --git a/admin/requirements-testinfra.txt b/admin/requirements-testinfra.txt
index 99f529b7db..88316d792c 100644
--- a/admin/requirements-testinfra.txt
+++ b/admin/requirements-testinfra.txt
@@ -202,18 +202,36 @@ pytest==6.1.1 \
     --hash=sha256:7a8190790c17d79a11f847fba0b004ee9a8122582ebff4729a082c109e81a4c9 \
     --hash=sha256:8f593023c1a0f916110285b6efd7f99db07d59546e3d8c36fc60e2ab05d3be92 \
     # via -r requirements-testinfra.in, pytest-forked, pytest-xdist, testinfra
-pyyaml==5.3.1 \
-    --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \
-    --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \
-    --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \
-    --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \
-    --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \
-    --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \
-    --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \
-    --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \
-    --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \
-    --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \
-    --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \
+pyyaml==5.4.1 ; python_version > "3.6" \
+    --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \
+    --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \
+    --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \
+    --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \
+    --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \
+    --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \
+    --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \
+    --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \
+    --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \
+    --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \
+    --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \
+    --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \
+    --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \
+    --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \
+    --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \
+    --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \
+    --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \
+    --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \
+    --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \
+    --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \
+    --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \
+    --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \
+    --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \
+    --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \
+    --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \
+    --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \
+    --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \
+    --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \
+    --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 \
     # via -r requirements.in, ansible
 six==1.15.0 \
     --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
diff --git a/admin/requirements.in b/admin/requirements.in
index 97f07f22d9..12257f5082 100644
--- a/admin/requirements.in
+++ b/admin/requirements.in
@@ -1,5 +1,5 @@
 markupsafe>=1.1
 prompt_toolkit==2.0.9
-pyyaml>=5.3.1
+pyyaml>=5.4.1; python_version > '3.6'
 setuptools>=46.0.0
 six==1.15.0
diff --git a/admin/requirements.txt b/admin/requirements.txt
index 97d47ebbe8..4cdc41f107 100644
--- a/admin/requirements.txt
+++ b/admin/requirements.txt
@@ -111,18 +111,36 @@ prompt_toolkit==2.0.9 \
 pycparser==2.18 \
     --hash=sha256:99a8ca03e29851d96616ad0404b4aad7d9ee16f25c9f9708a11faf2810f7b226 \
     # via cffi
-pyyaml==5.3.1 \
-    --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \
-    --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \
-    --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \
-    --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \
-    --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \
-    --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \
-    --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \
-    --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \
-    --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \
-    --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \
-    --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \
+pyyaml==5.4.1 ; python_version > "3.6" \
+    --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \
+    --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \
+    --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \
+    --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \
+    --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \
+    --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \
+    --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \
+    --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \
+    --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \
+    --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \
+    --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \
+    --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \
+    --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \
+    --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \
+    --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \
+    --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \
+    --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \
+    --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \
+    --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \
+    --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \
+    --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \
+    --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \
+    --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \
+    --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \
+    --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \
+    --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \
+    --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \
+    --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \
+    --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 \
     # via -r requirements.in, ansible
 six==1.15.0 \
     --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
diff --git a/securedrop/requirements/python3/develop-requirements.in b/securedrop/requirements/python3/develop-requirements.in
index 474e8ff8c3..e6ec5fc017 100644
--- a/securedrop/requirements/python3/develop-requirements.in
+++ b/securedrop/requirements/python3/develop-requirements.in
@@ -26,12 +26,12 @@ pip==19.3.1
 pip-tools==4.5.1
 psutil>=5.6.6
 pyenchant
-pylint>=2.5.0
+pylint>=2.7.0; python_version > '3.6'
 py>=1.10.0
 pytest>=6.1.1
 pytest-xdist>=2.1.0
 python-vagrant
-pyyaml>=5.3.1
+pyyaml>=5.4.1; python_version > '3.6'
 ruamel.yaml>=0.16.10
 safety>=1.8.7
 setuptools>=46.0.0
diff --git a/securedrop/requirements/python3/develop-requirements.txt b/securedrop/requirements/python3/develop-requirements.txt
index d3957aef6c..453541022b 100644
--- a/securedrop/requirements/python3/develop-requirements.txt
+++ b/securedrop/requirements/python3/develop-requirements.txt
@@ -40,9 +40,9 @@ aspy.yaml==1.3.0 \
     --hash=sha256:463372c043f70160a9ec950c3f1e4c3a82db5fca01d334b6bc89c7164d744bdc \
     --hash=sha256:e7c742382eff2caed61f87a39d13f99109088e5e93f04d76eb8d4b28aa143f45 \
     # via pre-commit
-astroid==2.4.0 \
-    --hash=sha256:29fa5d46a2404d01c834fcb802a3943685f1fc538eb2a02a161349f5505ac196 \
-    --hash=sha256:2fecea42b20abb1922ed65c7b5be27edfba97211b04b2b6abc6a43549a024ea6 \
+astroid==2.5.2 \
+    --hash=sha256:6b0ed1af831570e500e2437625979eaa3b36011f66ddfc4ce930128610258ca9 \
+    --hash=sha256:cd80bf957c49765dce6d92c43163ff9d2abc43132ce64d4b1b47717c6d2522df \
     # via pylint
 attrs==20.2.0 \
     --hash=sha256:26b54ddbbb9ee1d34d5d3668dd37d6cf74990ab23c828c2888dccdceee395594 \
@@ -264,18 +264,18 @@ idna==2.5 \
 importlib-metadata==0.23 \
     --hash=sha256:aa18d7378b00b40847790e7c27e11673d7fed219354109d0e7b9e5b25dc3ad26 \
     --hash=sha256:d5f18a79777f3aa179c145737780282e27b508fc8fd688cb17c7a813e8bd39af \
-    # via importlib-resources, pluggy, pre-commit, pytest
+    # via pre-commit
 importlib-resources==1.5.0 \
     --hash=sha256:6f87df66833e1942667108628ec48900e02a4ab4ad850e25fbf07cb17cf734ca \
     --hash=sha256:85dc0b9b325ff78c8bef2e4ff42616094e16b98ebd5e3b50fe7e2f0bbcdcde49 \
-    # via -r requirements/python3/develop-requirements.in, pre-commit
+    # via -r requirements/python3/develop-requirements.in
 iniconfig==1.0.1 \
     --hash=sha256:80cf40c597eb564e86346103f609d74efce0f6b4d4f30ec8ce9e2c26411ba437 \
     --hash=sha256:e5f92f89355a67de0595932a6c6c02ab4afddc6fcdc0bfc5becd0d60884d3f69 \
     # via pytest
-isort==4.2.15 \
-    --hash=sha256:79f46172d3a4e2e53e7016e663cc7a8b538bec525c36675fcfd2767df30b3983 \
-    --hash=sha256:cd5d3fc2c16006b567a17193edf4ed9830d9454cbeb5a42ac80b36ea00c23db4 \
+isort==5.8.0 \
+    --hash=sha256:0a943902919f65c5684ac4e0154b1ad4fac6dcaa5d9f3426b732f1c8b5419be6 \
+    --hash=sha256:2bb1680aad211e3c9944dbce1d4ba09a989f04e238296c87fe2139faa26d655d \
     # via pylint
 jinja2-time==0.2.0 \
     --hash=sha256:d14eaa4d315e7688daa4969f616f226614350c48730bfa1692d2caebd8c90d40 \
@@ -289,28 +289,29 @@ jmespath==0.9.3 \
     --hash=sha256:6a81d4c9aa62caf061cb517b4d9ad1dd300374cd4706997aff9cd6aedd61fc64 \
     --hash=sha256:f11b4461f425740a1d908e9a3f7365c3d2e569f6ca68a2ff8bc5bcd9676edd63 \
     # via boto3, botocore
-lazy-object-proxy==1.4.3 \
-    --hash=sha256:0c4b206227a8097f05c4dbdd323c50edf81f15db3b8dc064d08c62d37e1a504d \
-    --hash=sha256:194d092e6f246b906e8f70884e620e459fc54db3259e60cf69a4d66c3fda3449 \
-    --hash=sha256:1be7e4c9f96948003609aa6c974ae59830a6baecc5376c25c92d7d697e684c08 \
-    --hash=sha256:4677f594e474c91da97f489fea5b7daa17b5517190899cf213697e48d3902f5a \
-    --hash=sha256:48dab84ebd4831077b150572aec802f303117c8cc5c871e182447281ebf3ac50 \
-    --hash=sha256:5541cada25cd173702dbd99f8e22434105456314462326f06dba3e180f203dfd \
-    --hash=sha256:59f79fef100b09564bc2df42ea2d8d21a64fdcda64979c0fa3db7bdaabaf6239 \
-    --hash=sha256:8d859b89baf8ef7f8bc6b00aa20316483d67f0b1cbf422f5b4dc56701c8f2ffb \
-    --hash=sha256:9254f4358b9b541e3441b007a0ea0764b9d056afdeafc1a5569eee1cc6c1b9ea \
-    --hash=sha256:9651375199045a358eb6741df3e02a651e0330be090b3bc79f6d0de31a80ec3e \
-    --hash=sha256:97bb5884f6f1cdce0099f86b907aa41c970c3c672ac8b9c8352789e103cf3156 \
-    --hash=sha256:9b15f3f4c0f35727d3a0fba4b770b3c4ebbb1fa907dbcc046a1d2799f3edd142 \
-    --hash=sha256:a2238e9d1bb71a56cd710611a1614d1194dc10a175c1e08d75e1a7bcc250d442 \
-    --hash=sha256:a6ae12d08c0bf9909ce12385803a543bfe99b95fe01e752536a60af2b7797c62 \
-    --hash=sha256:ca0a928a3ddbc5725be2dd1cf895ec0a254798915fb3a36af0964a0a4149e3db \
-    --hash=sha256:cb2c7c57005a6804ab66f106ceb8482da55f5314b7fcb06551db1edae4ad1531 \
-    --hash=sha256:d74bb8693bf9cf75ac3b47a54d716bbb1a92648d5f781fc799347cfc95952383 \
-    --hash=sha256:d945239a5639b3ff35b70a88c5f2f491913eb94871780ebfabb2568bd58afc5a \
-    --hash=sha256:eba7011090323c1dadf18b3b689845fd96a61ba0a1dfbd7f24b921398affc357 \
-    --hash=sha256:efa1909120ce98bbb3777e8b6f92237f5d5c8ea6758efea36a473e1d38f7d3e4 \
-    --hash=sha256:f3900e8a5de27447acbf900b4750b0ddfd7ec1ea7fbaf11dfa911141bc522af0 \
+lazy-object-proxy==1.6.0 \
+    --hash=sha256:17e0967ba374fc24141738c69736da90e94419338fd4c7c7bef01ee26b339653 \
+    --hash=sha256:1fee665d2638491f4d6e55bd483e15ef21f6c8c2095f235fef72601021e64f61 \
+    --hash=sha256:22ddd618cefe54305df49e4c069fa65715be4ad0e78e8d252a33debf00f6ede2 \
+    --hash=sha256:24a5045889cc2729033b3e604d496c2b6f588c754f7a62027ad4437a7ecc4837 \
+    --hash=sha256:410283732af311b51b837894fa2f24f2c0039aa7f220135192b38fcc42bd43d3 \
+    --hash=sha256:4732c765372bd78a2d6b2150a6e99d00a78ec963375f236979c0626b97ed8e43 \
+    --hash=sha256:489000d368377571c6f982fba6497f2aa13c6d1facc40660963da62f5c379726 \
+    --hash=sha256:4f60460e9f1eb632584c9685bccea152f4ac2130e299784dbaf9fae9f49891b3 \
+    --hash=sha256:5743a5ab42ae40caa8421b320ebf3a998f89c85cdc8376d6b2e00bd12bd1b587 \
+    --hash=sha256:85fb7608121fd5621cc4377a8961d0b32ccf84a7285b4f1d21988b2eae2868e8 \
+    --hash=sha256:9698110e36e2df951c7c36b6729e96429c9c32b3331989ef19976592c5f3c77a \
+    --hash=sha256:9d397bf41caad3f489e10774667310d73cb9c4258e9aed94b9ec734b34b495fd \
+    --hash=sha256:b579f8acbf2bdd9ea200b1d5dea36abd93cabf56cf626ab9c744a432e15c815f \
+    --hash=sha256:b865b01a2e7f96db0c5d12cfea590f98d8c5ba64ad222300d93ce6ff9138bcad \
+    --hash=sha256:bf34e368e8dd976423396555078def5cfc3039ebc6fc06d1ae2c5a65eebbcde4 \
+    --hash=sha256:c6938967f8528b3668622a9ed3b31d145fab161a32f5891ea7b84f6b790be05b \
+    --hash=sha256:d1c2676e3d840852a2de7c7d5d76407c772927addff8d742b9808fe0afccebdf \
+    --hash=sha256:d7124f52f3bd259f510651450e18e0fd081ed82f3c08541dffc7b94b883aa981 \
+    --hash=sha256:d900d949b707778696fdf01036f58c9876a0d8bfe116e8d220cfd4b15f14e741 \
+    --hash=sha256:ebfd274dcd5133e0afae738e6d9da4323c3eb021b3e13052d8cbd0e457b1256e \
+    --hash=sha256:ed361bb83436f117f9917d282a456f9e5009ea12fd6de8742d1a4752c3017e93 \
+    --hash=sha256:f5144c75445ae3ca2057faac03fda5a902eff196702b0a24daf1d6ce0650514b \
     # via astroid
 markupsafe==1.1.1 \
     --hash=sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473 \
@@ -402,10 +403,6 @@ paramiko==2.6.0 \
     --hash=sha256:99f0179bdc176281d21961a003ffdb2ec369daac1a1007241f53374e376576cf \
     --hash=sha256:f4b2edfa0d226b70bd4ca31ea7e389325990283da23465d572ed1f70a7583041 \
     # via molecule
-pathlib2==2.3.5 ; python_version < "3.6" \
-    --hash=sha256:0ec8205a157c80d7acc301c0b18fbd5d44fe655968f5d947b6ecef5290fc35db \
-    --hash=sha256:6cd9a47b597b37cc57de1c05e56fb1a1c9cc9fab04fe78c29acd090418529868 \
-    # via -r requirements/python3/develop-requirements.in, pytest
 pathspec==0.5.5 \
     --hash=sha256:72c495d1bbe76674219e307f6d1c6062f2e1b0b483a5e4886435127d0df3d0d3 \
     # via yamllint
@@ -475,9 +472,9 @@ pyflakes==2.1.1 \
     --hash=sha256:17dbeb2e3f4d772725c777fabc446d5634d1038f234e77343108ce445ea69ce0 \
     --hash=sha256:d976835886f8c5b31d47970ed689944a0262b5f3afa00a5a7b4dc81e5449f8a2 \
     # via flake8
-pylint==2.5.0 \
-    --hash=sha256:588e114e3f9a1630428c35b7dd1c82c1c93e1b0e78ee312ae4724c5e1a1e0245 \
-    --hash=sha256:bd556ba95a4cf55a1fc0004c00cf4560b1e70598a54a74c6904d933c8f3bd5a8 \
+pylint==2.7.4 ; python_version > "3.6" \
+    --hash=sha256:209d712ec870a0182df034ae19f347e725c1e615b2269519ab58a35b3fcbbe7a \
+    --hash=sha256:bd38914c7731cdc518634a8d3c5585951302b6e2b6de60fbb3f7a0220e21eeee \
     # via -r requirements/python3/develop-requirements.in
 pynacl==1.1.2 \
     --hash=sha256:123c41df1db119397f2e26e9c63ca2ea853d3663e26b1c389bd3859dc1b7178a \
@@ -528,7 +525,7 @@ pytest==6.1.1 \
 python-dateutil==2.6.1 \
     --hash=sha256:891c38b2a02f5bb1be3e4793866c8df49c7d19baabf9c1bad62547e0b4866aca \
     --hash=sha256:95511bae634d69bc7329ba55e646499a842bc4ec342ad54a8cdb65645a0aad3c \
-    # via botocore
+    # via arrow, botocore
 python-gilt==1.2.1 \
     --hash=sha256:4fd58c128635d1f4a8c93305e648f23379ce56e23624e4c5479427fcd2d5656e \
     --hash=sha256:c7321ef1a8efddbdef657b4fd21c3eaf1b4cb24a9656d97b73a444b1feb2067a \
@@ -537,18 +534,36 @@ python-gilt==1.2.1 \
 python-vagrant==0.5.15 \
     --hash=sha256:af9a8a9802d382d45dbea96aa3cfbe77c6e6ad65b3fe7b7c799d41ab988179c6 \
     # via -r requirements/python3/develop-requirements.in, molecule-vagrant
-pyyaml==5.3.1 \
-    --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \
-    --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \
-    --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \
-    --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \
-    --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \
-    --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \
-    --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \
-    --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \
-    --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \
-    --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \
-    --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \
+pyyaml==5.4.1 ; python_version > "3.6" \
+    --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \
+    --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \
+    --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \
+    --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \
+    --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \
+    --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \
+    --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \
+    --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \
+    --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \
+    --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \
+    --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \
+    --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \
+    --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \
+    --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \
+    --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \
+    --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \
+    --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \
+    --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \
+    --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \
+    --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \
+    --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \
+    --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \
+    --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \
+    --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \
+    --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \
+    --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \
+    --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \
+    --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \
+    --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 \
     # via -r ../admin/requirements.in, -r requirements/python3/develop-requirements.in, ansible, ansible-lint, aspy.yaml, bandit, dparse, molecule, molecule-vagrant, pre-commit, python-gilt, yamllint
 requests==2.22.0 \
     --hash=sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4 \
@@ -602,7 +617,7 @@ shellingham==1.3.2 \
 six==1.15.0 \
     --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
     --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced \
-    # via -r ../admin/requirements.in, ansible-lint, argon2-cffi, astroid, bandit, bcrypt, cfgv, click-completion, cryptography, docker, dparse, fasteners, git-url-parse, molecule, packaging, pathlib2, pip-tools, pre-commit, prompt-toolkit, pynacl, python-dateutil, stevedore, websocket-client
+    # via -r ../admin/requirements.in, ansible-lint, argon2-cffi, bandit, bcrypt, cfgv, click-completion, cryptography, docker, dparse, fasteners, git-url-parse, molecule, packaging, pip-tools, pre-commit, prompt-toolkit, pynacl, python-dateutil, stevedore, websocket-client
 smmap2==2.0.3 \
     --hash=sha256:b78ee0f1f5772d69ff50b1cbdb01b8c6647a8354f02f23b488cf4b2cfc923956 \
     --hash=sha256:c7530db63f15f09f8251094b22091298e82bf6c699a6b8344aaaef3f2e1276c3 \
@@ -656,7 +671,7 @@ typed-ast==1.4.1 \
     --hash=sha256:d5d33e9e7af3b34a40dc05f498939f0ebf187f07c385fd58d591c533ad8562fe \
     --hash=sha256:fc0fea399acb12edbf8a628ba8d2312f583bdbdb3335635db062fa98cf71fca4 \
     --hash=sha256:fe460b922ec15dd205595c9b5b99e2f056fd98ae8f9f56b888e7a17dc2b757e7 \
-    # via astroid, mypy
+    # via mypy
 typing-extensions==3.7.4.1 \
     --hash=sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2 \
     --hash=sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d \
@@ -682,8 +697,8 @@ whichcraft==0.4.1 \
     --hash=sha256:9e0d51c9387cb7e9f28b7edb549e6a03da758f7784f991eb4397d7f7808c57fd \
     --hash=sha256:cd0e10b58960ab877d9f273cd28788730936c3cdaceec2dafad97c7cf3067d46 \
     # via cookiecutter
-wrapt==1.11.2 \
-    --hash=sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1 \
+wrapt==1.12.1 \
+    --hash=sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7 \
     # via astroid
 yamllint==1.17.0 \
     --hash=sha256:67173339f28868260ce5912abfefa10e115ceb1d2ac1c4d8c7acc8c4ef6c9a8a \
@@ -692,7 +707,7 @@ yamllint==1.17.0 \
 zipp==0.6.0 \
     --hash=sha256:3718b1cbcd963c7d4c5511a8240812904164b7f381b647143a89d3b98f9bcd8e \
     --hash=sha256:f06903e9f1f43b12d371004b4ac7b06ab39a44adc747266928ae6debfa7b3335 \
-    # via importlib-metadata, importlib-resources
+    # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
 pip==19.3.1 \

From 566dd485e6e96cbc4e14d962d56c1c872aac8ffe Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Tue, 30 Mar 2021 17:10:00 -0400
Subject: [PATCH 08/11] Updated CI lint job to use focal container

(cherry picked from commit 938a0425079b3bf675e09fc73d5298a0dfb545ea)
---
 .circleci/config.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 8c9b3c890a..61d2ebb312 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -100,7 +100,7 @@ jobs:
       enabled: true
     environment:
       DOCKER_API_VERSION: 1.23
-      BASE_OS: xenial
+      BASE_OS: focal
     steps:
       - checkout
       - *rebaseontarget
@@ -115,8 +115,8 @@ jobs:
       - run:
           name: Run all linters but shellcheck
           command: |
-            fromtag=$(docker images |grep securedrop-test-xenial-py3 |head -n1 |awk '{print $2}')
-            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "/opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/develop-requirements.txt && make -C .. ansible-config-lint app-lint flake8 html-lint typelint yamllint"
+            fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
+            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "/opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/develop-requirements.txt && make -C .. ansible-config-lint app-lint flake8 html-lint typelint yamllint"
 
       - run:
           name: Run shellcheck

From 125a10f43497bb56a84f191f7dbea96f983b4bc4 Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Wed, 17 Mar 2021 17:50:31 -0700
Subject: [PATCH 09/11] Pre-install setuptools-scm <6 in venv

Required in order to maintain support for Python 3.5, under Xenial.
The python-dateutil package pulls in whatever the latest setuptools-scm
version is, and as of setuptools_scm>=6, Python 3.5 is no longer
supported.

(cherry picked from commit dcee956d32576f89b25c590f1edc8949647217ab)
---
 .../tasks/translations.yml                                  | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
index d01a75cf79..e72fb741af 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
@@ -1,8 +1,10 @@
 ---
 
 - name: Install SecureDrop Python requirements in virtualenv for translation work
-  shell: |
-    python3 -m venv /tmp/securedrop-app-code-i18n-ve
+  shell: >
+    set -e &&
+    python3 -m venv /tmp/securedrop-app-code-i18n-ve &&
+    /tmp/securedrop-app-code-i18n-ve/bin/pip3 install "setuptools-scm==5.0.2" &&
     /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt
   tags:
     - pip

From 47d3de66ab254af967d3b7f42e84d9dc44ff4f05 Mon Sep 17 00:00:00 2001
From: Kushal Das <mail@kushaldas.in>
Date: Mon, 22 Mar 2021 13:17:29 +0530
Subject: [PATCH 10/11] Installs dependency in the debian virutalenv

We have to install the correct version of setuptools_scm in the
virtualenv created by the `dh-virtualenv` tool. This is managed
by:

https://github.com/spotify/dh-virtualenv/blob/0.11/dh_virtualenv/deployment.py#L145-L146

Only problem is that `pip` does not support hash verification when
used via command line.

(cherry picked from commit 68e7e9c8eef7e775d7219a31d9965dd860d1b2f5)
---
 install_files/securedrop-app-code/debian/rules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install_files/securedrop-app-code/debian/rules b/install_files/securedrop-app-code/debian/rules
index a9cc6b77a7..8079dd9d64 100755
--- a/install_files/securedrop-app-code/debian/rules
+++ b/install_files/securedrop-app-code/debian/rules
@@ -28,6 +28,7 @@ override_dh_virtualenv:
 	dh_virtualenv \
 		--python=/usr/bin/python3 \
 		--builtin-venv \
+		--preinstall setuptools-scm==5.0.2 \
 		--extra-pip-arg "--verbose" \
 		--extra-pip-arg "--no-deps" \
 		--extra-pip-arg "--no-binary=:all:" \

From 4bdccbfa1738d41c3781131ee6b34ecef8572319 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Wed, 7 Apr 2021 11:48:47 -0400
Subject: [PATCH 11/11] SecureDrop 1.8.1~rc1

---
 changelog.md                                             | 9 +++++++++
 install_files/ansible-base/group_vars/all/securedrop     | 2 +-
 .../files/changelog-focal                                | 6 ++++++
 .../files/changelog-xenial                               | 6 ++++++
 molecule/builder-xenial/tests/vars.yml                   | 2 +-
 securedrop/version.py                                    | 2 +-
 setup.py                                                 | 2 +-
 7 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/changelog.md b/changelog.md
index a698f63c38..294eab23cc 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.8.1~rc1
+
+* Install a fixed version of setuptools-scm before building packages (#5877)
+* Update pylint from 2.5.0 to 2.7.4, pyyaml from 5.3.1 to 5.4.1 (#5884)
+* Suppress OSSEC alert caused by fwupd not being active (#5882)
+* Exclude SSH onion service config from restores (#5886)
+* Add support for custom logos in backups (#5880)
+* Add check for SecureBoot status in installer (#5879)
+
 ## 1.8.0
 
 ### Web applications
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 3b8149db40..fb6a186430 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml
-securedrop_version: "1.8.0"
+securedrop_version: "1.8.1~rc1"
 securedrop_app_code_sdist_name: "securedrop-app-code-{{ securedrop_version | replace('~', '-') }}.tar.gz"
 
 grsecurity: true
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
index f3189756f1..868559e2fa 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
@@ -1,3 +1,9 @@
+securedrop-app-code (1.8.1~rc1+focal) focal; urgency=medium
+
+  * See changelog.md
+
+ -- SecureDrop Team <securedrop@freedom.press>  Wed, 07 Apr 2021 11:48:22 -0400
+
 securedrop-app-code (1.8.0+focal) focal; urgency=medium
 
   * see changelog.md
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial
index a5a7f5292c..382a2a986a 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial
@@ -1,3 +1,9 @@
+securedrop-app-code (1.8.1~rc1+xenial) xenial; urgency=medium
+
+  * See changelog.md
+
+ -- SecureDrop Team <securedrop@freedom.press>  Wed, 07 Apr 2021 11:47:42 -0400
+
 securedrop-app-code (1.8.0+xenial) xenial; urgency=medium
 
   * See changelog.md 
diff --git a/molecule/builder-xenial/tests/vars.yml b/molecule/builder-xenial/tests/vars.yml
index 1575348716..07a3416bbf 100644
--- a/molecule/builder-xenial/tests/vars.yml
+++ b/molecule/builder-xenial/tests/vars.yml
@@ -1,5 +1,5 @@
 ---
-securedrop_version: "1.8.0"
+securedrop_version: "1.8.1~rc1"
 ossec_version: "3.6.0"
 keyring_version: "0.1.4"
 config_version: "0.1.4"
diff --git a/securedrop/version.py b/securedrop/version.py
index b280975791..30107d8243 100644
--- a/securedrop/version.py
+++ b/securedrop/version.py
@@ -1 +1 @@
-__version__ = '1.8.0'
+__version__ = '1.8.1~rc1'
diff --git a/setup.py b/setup.py
index b0f3b5cca2..c3f1552602 100644
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@
 
 setuptools.setup(
     name="securedrop-app-code",
-    version="1.8.0",
+    version="1.8.1~rc1",
     author="Freedom of the Press Foundation",
     author_email="securedrop@freedom.press",
     description="SecureDrop Server",