Packaging logic for building SecureDrop-related Debian packages
Clone or download

SecureDrop Debian Packaging

This repository contains the packaging files and tooling for building Debian packages for projects for the alpha SecureDrop Workstation based on Qubes OS. Packages are placed on for installation in Debian-based TemplateVMs. These packages are not yet ready for use in a production environment. Packaging Workflow

Packaging a Python-based SecureDrop project

This includes securedrop-proxy and securedrop-client.

Packaging Dependencies

In a Debian AppVM in Qubes:

make install-deps
make fetch-wheels

Make a release

Release managers of securedrop-client and securedrop-proxy must update the requirements files which are used for build of these packages using make requirements. If new dependencies were added in the Pipfile of that repo that are not in the FPF PyPI mirror, then the release manager needs to build those wheels and push the tarball and wheel package of the new dependency to the FPF PyPI mirror using make build-wheels.

Summarizing release manager steps:

  1. Update versions as necessary
  2. make requirements
  3. Do a test build following steps below
  4. Make any changes as necessary and create a PR with the modifications from steps 1-4
  5. Push the release tag for use in building

This means that the requirements.txt files will be updated by release managers, not developers. Developers should update Pipfile.lock.

Build a package

Next, checkout the project you intend to package and enter that directory:

git clone
cd securedrop-foobar

Checkout the release tag for the project:

git checkout 0.x.y

If you are making any changes in the Pipfile, remember to add all recursive dependencies directly as dependency under [packages].

Generate a tarball to be used in the build process:

python3 sdist

Clone this repository for access to the packaging tooling.

cd ..
git clone
cd securedrop-debian-packaging

If you are releasing a new version (rather than rebuilding a package from a previous version), you must update the changelog:

./scripts/update-changelog securedrop-foobar

Finally, build the package by pointing to the tarball and package version:

PKG_PATH=/path/to/tarball PKG_VERSION=0.x.y make securedrop-foobar

Packaging non-Python based SecureDrop projects


Intro to packaging

For an introduction to packaging Python projects into Debian packages, one can see the SecureDrop Debian Packaging Guide. Note that these guidelines on Read the Docs are for educational purposes only. The README you are currently reading is the canonical reference for SecureDrop Workstation packagers.