Using reproducible wheels into our securedrop-app-code Debian package on Focal #5901
Comments
eloquence
moved this from Next sprint candidates
to Near Term - SecureDrop Core
in SecureDrop Team Board
|
During this sprint, @kushaldas will investigate this build workflow locally, to begin scoping work for the next sprint. |
eloquence
moved this from Near Term - SecureDrop Core
to SecureDrop Sprint #71 (5/20-6/2)
in SecureDrop Team Board
|
Few open questions/points:
Update: We should mark the wheels are all related files (sha256sums and signatures) properly for each distro. For example, This will also enable us in future to add a new distro very easily. For example when |
|
One good point of having all wheel from a particular OS into separate directory is that we can also separate out the tests in CI machines running the same OS can handle only the wheels from that particular directory. I will update with my findings more later in the evening. Also the bootstrapping requirements will be different for various OS/projects. For all the workstation projects, it is one set, and for the |
|
This branch https://github.com/freedomofpress/securedrop-debian-packaging/tree/wheels_on_focal needs to be rebased to latest |
eloquence
moved this from Near Term - SecureDrop Server
to SecureDrop Sprint #74 - 8/4-8/18
in SecureDrop Team Board
|
^ That is the extent of our commitment for the current sprint; we're aiming to continue work on this leading up to the SecureDrop 2.1.0 release. |
eloquence
moved this from To Do (Kanban Mode)
to Near Term - SecureDrop Server
in SecureDrop Team Board
|
This is the remaining issue preventing reproducibility of Of course, this is a solved problem by SDW. We use FWIW, I played with a middle ground of using |
|
Also, during package builds we're currently building all of the Python dependencies twice. Using pre-built wheels will cut that down to zero times. |
|
I filed #6546 to clean up how our requirements.txt files are organized before we embark down this. |
Each project, whether it's securedrop-client or the workstation-bootstrap, will now store wheels and associated metadata in the exact same way. Moving files around will happen in follow-up commits. securedrop-client/ debian/ sha256sums.txt sha256sums.txt.asc wheels/ The workstation-bootstrap is similar, except it also contains its requirements files. workstation-bootstrap/ build-requirements.txt requirements.in requirements.txt sha256sums.txt sha256sums.txt.asc wheels/ The main goal of this refactor is to make room for the new securedrop-app-code bootstrap and wheels. The main scripts now take a `--project` parameter, which is the path in this repository, and `--pkg-dir`, which is the path to the Git checkout of it (previously a PKG_DIR environment variable). In nearly all cases backwards-compat code has been added so it should do the right thing based on old documentation. Makefile: * Updates for how scripts are now invoked. * Drop misleading "clean" target, people can use git-clean(1) directly. scripts/build-debianpackage: * Validate $PKG_NAME before we use it. * Set $WHEELS_DIR to that package's wheel directory. * Only verify sha256sums.txt if it exists (securedrop-export and metapackages have no Python dependencies). scripts/build-sync-wheels: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Drop "cache" terminology since this is persistent storage. * Remove dead commented-out code. scripts/install-deps: * Debian 11 is our baseline now, fix typo. * Look for and install wheels from workstation-bootstrap now. scripts/sync-sha256sums: * Require a directory instead of looking for a BOOTSTRAP variable. scripts/update-requirements: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Use pathlib internally scripts/verify-sha256sum-signature: * Require a directory instead of looking for a BOOTSTRAP variable. Refs <freedomofpress/securedrop#5901>.
Each project, whether it's securedrop-client or the workstation-bootstrap, will now store wheels and associated metadata in the exact same way. Moving files around will happen in follow-up commits. securedrop-client/ debian/ sha256sums.txt sha256sums.txt.asc wheels/ The workstation-bootstrap is similar, except it also contains its requirements files. workstation-bootstrap/ build-requirements.txt requirements.in requirements.txt sha256sums.txt sha256sums.txt.asc wheels/ The main goal of this refactor is to make room for the new securedrop-app-code bootstrap and wheels. The main scripts now take a `--project` parameter, which is the path in this repository, and `--pkg-dir`, which is the path to the Git checkout of it (previously a PKG_DIR environment variable). In nearly all cases backwards-compat code has been added so it should do the right thing based on old documentation. Makefile: * Updates for how scripts are now invoked. * Drop misleading "clean" target, people can use git-clean(1) directly. scripts/build-debianpackage: * Validate $PKG_NAME before we use it. * Set $WHEELS_DIR to that package's wheel directory. * Only verify sha256sums.txt if it exists (securedrop-export and metapackages have no Python dependencies). scripts/build-sync-wheels: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Drop "cache" terminology since this is persistent storage. * Remove dead commented-out code. scripts/install-deps: * Debian 11 is our baseline now, fix typo. * Look for and install wheels from workstation-bootstrap now. scripts/sync-sha256sums: * Require a directory instead of looking for a BOOTSTRAP variable. scripts/update-requirements: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Use pathlib internally scripts/verify-sha256sum-signature: * Require a directory instead of looking for a BOOTSTRAP variable. Refs <freedomofpress/securedrop#5901>.
Each project, whether it's securedrop-client or the workstation-bootstrap, will now store wheels and associated metadata in the exact same way. Moving files around will happen in follow-up commits. securedrop-client/ debian/ sha256sums.txt sha256sums.txt.asc wheels/ The workstation-bootstrap is similar, except it also contains its requirements files. workstation-bootstrap/ build-requirements.txt requirements.in requirements.txt sha256sums.txt sha256sums.txt.asc wheels/ The main goal of this refactor is to make room for the new securedrop-app-code bootstrap and wheels. The main scripts now take a `--project` parameter, which is the path in this repository, and `--pkg-dir`, which is the path to the Git checkout of it (previously a PKG_DIR environment variable). In nearly all cases backwards-compat code has been added so it should do the right thing based on old documentation. Makefile: * Updates for how scripts are now invoked. * Drop misleading "clean" target, people can use git-clean(1) directly. scripts/build-debianpackage: * Validate $PKG_NAME before we use it. * Set $WHEELS_DIR to that package's wheel directory. * Only verify sha256sums.txt if it exists (securedrop-export and metapackages have no Python dependencies). scripts/build-sync-wheels: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Drop "cache" terminology since this is persistent storage. * Remove dead commented-out code. scripts/install-deps: * Debian 11 is our baseline now, fix typo. * Look for and install wheels from workstation-bootstrap now. scripts/sync-sha256sums: * Require a directory instead of looking for a BOOTSTRAP variable. scripts/update-requirements: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Use pathlib internally scripts/verify-sha256sum-signature: * Require a directory instead of looking for a BOOTSTRAP variable. Refs <freedomofpress/securedrop#5901>.
Each project, whether it's securedrop-client or the workstation-bootstrap, will now store wheels and associated metadata in the exact same way. Moving files around will happen in follow-up commits. securedrop-client/ debian/ sha256sums.txt sha256sums.txt.asc wheels/ The workstation-bootstrap is similar, except it also contains its requirements files. workstation-bootstrap/ build-requirements.txt requirements.in requirements.txt sha256sums.txt sha256sums.txt.asc wheels/ The main goal of this refactor is to make room for the new securedrop-app-code bootstrap and wheels. The main scripts now take a `--project` parameter, which is the path in this repository, and `--pkg-dir`, which is the path to the Git checkout of it (previously a PKG_DIR environment variable). In nearly all cases backwards-compat code has been added so it should do the right thing based on old documentation. Makefile: * Updates for how scripts are now invoked. * Drop misleading "clean" target, people can use git-clean(1) directly. scripts/build-debianpackage: * Validate $PKG_NAME before we use it. * Set $WHEELS_DIR to that package's wheel directory. * Only verify sha256sums.txt if it exists (securedrop-export and metapackages have no Python dependencies). scripts/build-sync-wheels: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Drop "cache" terminology since this is persistent storage. * Remove dead commented-out code. scripts/install-deps: * Debian 11 is our baseline now, fix typo. * Look for and install wheels from workstation-bootstrap now. scripts/sync-sha256sums: * Require a directory instead of looking for a BOOTSTRAP variable. scripts/update-requirements: * Switch to --pkg-dir/--project args, with backwards-compat. * Allow specifying where requirements.txt lives. * Use pathlib internally scripts/verify-sha256sum-signature: * Require a directory instead of looking for a BOOTSTRAP variable. Refs <freedomofpress/securedrop#5901>.
|
Current work in flight:
|
Description
Currently we are using Python dependencies installed from source during the Debian package build. As we are
retiring the
Xenialbuilds, we should move to using our own reproducible wheels inFocalpackagingusing the scripts from the securedrop-debian-packaing repository.
Works need to done
Xenialpackage builds should be removed.requirements.txtfile for the app code (should be copy ofsecuredrop/requirements/python3/securedrop-app-code-requirements.txtin the same directoryFocalthat isPython 3.8in thesecuredrop-debian-packagingrepository.securedrop-app-codeand add them tosecuredrop-debian-packagingrepository.ansiblerole and therulesfile to use our wheels to build the Debian package.Note: For
Focalwe can use thedh-virtualenvpackage from https://launchpad.net/~jyrki-pulliainen/+archive/ubuntu/dh-virtualenv directly.The text was updated successfully, but these errors were encountered: