Support debian packaging

[joshuathayer]

This removes PyQt from management via pipenv, and adds instructions to install system-managed PyQt packages instead. @kushaldas can explain further, but this has to do with our desire to use only packages we can identify by checksum.

This also adds certifi, which I needed to add in order to get the packaged software to run after installation.

The other additions to Pipfile.lock are transitive from securedrop-sdk

This PR also adds requirements-build.txt, per @kushaldas 's recommendation:

Remember to commit the requirements-build.txt file to the git repo. This will help others to build using the same source tarballs.

[redshiftzero]

ah right, so the workflow from now when we make a change on the sdk side that we need in the journalist GUI will be us making a new release of the securedrop-sdk and updating on PyPI, i'll do this since we need a release after this change was made: freedomofpress/securedrop-sdk#21

[kushaldas]

@redshiftzero Yup, I did a 0.0.1 release so that we can test this packaging story. I think we should do a 0.0.2 release as that will allow us to experiment more as far as the version number goes.

[redshiftzero]

yep i agree

[redshiftzero]

thought: instead of removing pyqt5 entirely we should probably move pyqt5 to the development requirements of the Pipfile, since we still want to make sure it's installed in dev/ci/test but not prod/build

[kushaldas]

This still can create false positive as dev/ci will be different that production. We should use the same system provided package everywhere.

[conorsch]

Using a pipfile dev dependency enables e.g. macOS developers. If the only way to run the dev env is to use a Debian-based OS, that's going to be a problem. Probably worth accepting a small bit of divergence in order to accommodate dev workflows here.

[redshiftzero]

yeah, i mean, i'm open to other suggestions here but the only other real option (other than use debian, ha) is to instruct developers on macOS to install qt5 separately in the dev env

[msheiny]

dumb question here -- can we use docker containers and VNC ? if we use system level PyQt versions arent we going to have mismatch between different developers? or is pyqt so rock stable that this shouldn't be a problem? (i swear im not trolling here!)

[conorsch]

Good point @msheiny, with system packages, it's not just "Debian-based OS" that'd be the requirement, but specifically Debian Stretch. Unless you're running Qubes, that's a lot to ask from contributors looking to write a bit of Python code.

The container/VNC strategy is interesting, but given the outstanding deadlines we're working with—particularly the upcoming audit—I suggest we preserve the pyqt dependency in the pipfile via dev dependencies as @redshiftzero suggests.

[joshuathayer]

I just pushed a commit which adds PyQt5 to the dev dependencies.

[ntoll]

+1 on all this...WRT PyQT stability issues... I'd say it's "mostly" rock solid, except when it isn't. You can draw your own conclusions. ;-)

[heartsucker]

but this has to do with our desire to use only packages we can identify by checksum.

Uh ok so maybe I'm missing something, but don't we have the sha256 hashes of the package in the lockfile? And also aren't we using pip wheel to include them in the debian package? It seems overly complex to have some python requirements be in the lock file and some come from system and could also lead to divergences and incompatibilities.

[kushaldas]

Uh ok so maybe I'm missing something, but don't we have the sha256 hashes of the package in the lockfile? And also aren't we using pip wheel to include them in the debian package? It seems overly complex to have some python requirements be in the lock file and some come from system and could also lead to divergences and incompatibilities.

PyQt directly releases binary wheels to PyPI. We don't know how it is built. Building PyQt dependencies from source (we have to get source from the official website as they are missing in PyPI) is a lot of extra work to maintain. It is much easier to use system provided PyQt5.

[heartsucker]

Right got it. Totally makes sense.

[ntoll]

I see the tests have failed. :-/

[kushaldas]

I see the tests have failed. :-/

To make that test pass, we will have to do a new release of securedrop-sdk, which is freedomofpress/securedrop-sdk#24. But, this is blocked on freedomofpress/securedrop-sdk#26

[kushaldas]

Also we should down the setup.py to 0.0.1 so that we count these releases as really alpha level.

[redshiftzero]

note for other maintainers: these are the build requirements from the first attempt building the securedrop-client package. For the next package build we will need to refresh these build requirements (to pull in securedrop-sdk==0.0.2)

[redshiftzero]

CI now passing here as we have a new version of securedrop-sdk, merging this in