Support building packages on noble

.github/workflows/build.yml

@@ -18,7 +18,9 @@ jobs:
     strategy:
       matrix:
         build: [one, two]
-    runs-on: ubuntu-latest
+        ubuntu_version: [focal, noble]
+    # TODO: change this back to ubuntu-latest once it is consistently 24.04
+    runs-on: ubuntu-24.04
     outputs:
       artifact_id: ${{ steps.upload.outputs.artifact-id }}
     steps:
@@ -28,16 +30,21 @@ jobs:
           python-version: '3.8'
       - name: Build packages
         run: |
-          ./builder/build-debs.sh
-          WHAT=ossec ./builder/build-debs.sh
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} ./builder/build-debs.sh
+      - name: Build OSSEC packages
+        run: |
+          UBUNTU_VERSION=${{ matrix.ubuntu_version }} WHAT=ossec ./builder/build-debs.sh
       - uses: actions/upload-artifact@v4
         id: upload
         with:
-          name: build-${{ matrix.build }}
-          path: build
+          name: ${{ matrix.ubuntu_version }}-${{ matrix.build }}
+          path: build/${{ matrix.ubuntu_version }}
           if-no-files-found: error
 
   reproducible-debs:
+    strategy:
+      matrix:
+        ubuntu_version: [focal, noble]
     runs-on: ubuntu-latest
     container: debian:bookworm
     needs:
@@ -49,13 +56,13 @@ jobs:
             --no-install-recommends
       - uses: actions/download-artifact@v4
         with:
-          pattern: "build-*"
+          pattern: "${{ matrix.ubuntu_version }}-*"
       - name: diffoscope
         run: |
           find . -name '*.deb' -exec sha256sum {} \;
           # FIXME: securedrop-app-code isn't reproducible
           for pkg in ossec-agent ossec-server securedrop-config securedrop-keyring securedrop-ossec-agent securedrop-ossec-server
           do
               echo "Checking ${pkg}..."
-              diffoscope build-one/focal/${pkg}*.deb build-two/focal/${pkg}*.deb
+              diffoscope ${{ matrix.ubuntu_version }}-one/${pkg}*.deb ${{ matrix.ubuntu_version }}-two/${pkg}*.deb
           done

builder/Dockerfile

@@ -1,8 +1,5 @@
-FROM ubuntu:focal
-
-# additional meta-data makes it easier to clean up, find
-LABEL org="Freedom of the Press"
-LABEL image_name="focal-sd-builder-app"
+ARG UBUNTU_VERSION=focal
+FROM ubuntu:${UBUNTU_VERSION}
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
@@ -57,4 +54,5 @@ RUN gpg --import /tmp/OSSEC-ARCHIVE-KEY.asc && gpg --export > /ossec.gpg \
 
 COPY build-debs-ossec.sh /build-debs-ossec
 COPY build-debs-securedrop.sh /build-debs-securedrop
+COPY fixup-changelog.sh /fixup-changelog
 COPY dep-check.sh /dep-check

builder/build-debs-ossec.sh

@@ -19,10 +19,14 @@ cd ossec-hids-${OSSEC_VERSION}
 # Copy the debian/ tree into place
 cp -Rv /src/ossec/ossec-"${VARIANT}"/debian debian
 
+# Add the distro suffix to the version
+bash /fixup-changelog
+
 # Build the package
 dpkg-buildpackage -us -uc
 
 # Copy the built artifacts back and print checksums
-mv -v ../*.{buildinfo,changes,deb,tar.gz} /src/build/focal
-cd /src/build/focal
+source /etc/os-release
+mv -v ../*.{buildinfo,changes,deb,tar.gz} "/src/build/${VERSION_CODENAME}"
+cd "/src/build/${VERSION_CODENAME}"
 sha256sum ./*

builder/build-debs-securedrop.sh

@@ -21,12 +21,15 @@ pip3 download --no-deps --require-hashes -r requirements/python3/requirements.tx
 rm -f /usr/share/python-wheels/setuptools-*.whl
 mv /tmp/requirements-download/setuptools-*.whl /usr/share/python-wheels/
 
+# Add the distro suffix to the version
+bash /fixup-changelog
+
 # Build the package
 dpkg-buildpackage -us -uc
 
 # Copy the built artifacts back and print checksums
 source /etc/os-release
-mkdir -p /src/build/focal
-mv -v ../*.{buildinfo,changes,deb,tar.gz} /src/build/focal
-cd /src/build/focal
+mkdir -p "/src/build/${VERSION_CODENAME}"
+mv -v ../*.{buildinfo,changes,deb,tar.gz} "/src/build/${VERSION_CODENAME}"
+cd "/src/build/${VERSION_CODENAME}"
 sha256sum ./*

builder/build-debs.sh

@@ -26,25 +26,26 @@ export OCI_RUN_ARGUMENTS
 export OCI_BIN
 
 WHAT="${WHAT:-securedrop}"
+export UBUNTU_VERSION="${UBUNTU_VERSION:-focal}"
 
 cd "$(git rev-parse --show-toplevel)"
 
 . ./builder/image_prep.sh
 
-mkdir -p build/focal
+mkdir -p "build/${UBUNTU_VERSION}"
 
 if [[ $WHAT == "ossec" ]]; then
     # We need to build each variant separately because it dirties the container
     $OCI_BIN run --rm $OCI_RUN_ARGUMENTS \
         -e VARIANT=agent --entrypoint "/build-debs-ossec" \
-        fpf.local/sd-server-builder
+        fpf.local/sd-server-builder-${UBUNTU_VERSION}
     $OCI_BIN run --rm $OCI_RUN_ARGUMENTS \
         -e VARIANT=server --entrypoint "/build-debs-ossec" \
-        fpf.local/sd-server-builder
+        fpf.local/sd-server-builder-${UBUNTU_VERSION}
 else
     $OCI_BIN run --rm $OCI_RUN_ARGUMENTS \
         --entrypoint "/build-debs-securedrop" \
-        fpf.local/sd-server-builder
+        fpf.local/sd-server-builder-${UBUNTU_VERSION}
 fi
 
 NOTEST="${NOTEST:-}"

builder/fixup-changelog.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euxo pipefail
+# Adjust d/changelog version to suffix the codename.
+# This runs *inside* the container.
+
+source /etc/os-release
+VERSION=$(dpkg-parsechangelog -S Version)
+
+NIGHTLY="${NIGHTLY:-}"
+if [[ -n $NIGHTLY ]]; then
+    NEW_VERSION="${VERSION}.dev$(date +%Y%m%d%H%M%S)"
+else
+    NEW_VERSION=$VERSION
+fi
+
+# Ideally we'd use `dch` here but then we'd to install all of devscripts
+sed -i "0,/${VERSION}/ s//${NEW_VERSION}+${VERSION_CODENAME}/" debian/changelog

builder/image_prep.sh

@@ -3,33 +3,38 @@ set -euxo pipefail
 
 cd "$(git rev-parse --show-toplevel)"
 
+IMAGE_NAME="fpf.local/sd-server-builder-${UBUNTU_VERSION}"
+
 # First see if the image exists or not
 missing=false
-$OCI_BIN inspect fpf.local/sd-server-builder > /dev/null 2>&1 || missing=true
+$OCI_BIN inspect "${IMAGE_NAME}" > /dev/null 2>&1 || missing=true
 
 if $missing; then
     # Build it if it doesn't
-    $OCI_BIN build -t fpf.local/sd-server-builder builder/ --no-cache
+    $OCI_BIN build \
+        --build-arg=UBUNTU_VERSION="${UBUNTU_VERSION}" \
+        -t "${IMAGE_NAME}" builder/ --no-cache
 fi
 
 # Uncomment the following for fast development on adjusting builder logic
-# $OCI_BIN build -t fpf.local/sd-server-builder builder/
+$OCI_BIN build --build-arg=UBUNTU_VERSION="${UBUNTU_VERSION}" -t "${IMAGE_NAME}" builder/
 
 # Run the dependency check
 status=0
 $OCI_BIN run --rm $OCI_RUN_ARGUMENTS \
-    --entrypoint "/dep-check" fpf.local/sd-server-builder || status=$?
+    --entrypoint "/dep-check" "${IMAGE_NAME}" || status=$?
 
 if [[ $status == 42 ]]; then
     # There are some pending updates, so force rebuilding the image from scratch
     # and try again!
     echo "Rebuilding container to update dependencies"
-    $OCI_BIN rmi fpf.local/sd-server-builder
-    $OCI_BIN build -t fpf.local/sd-server-builder builder/ --no-cache
+    $OCI_BIN rmi "${IMAGE_NAME}"
+    $OCI_BIN build --build-arg=UBUNTU_VERSION="${UBUNTU_VERSION}" \
+        -t "${IMAGE_NAME}" builder/ --no-cache
     # Reset $status and re-run the dependency check
     status=0
     $OCI_BIN run --rm $OCI_RUN_ARGUMENTS \
-        --entrypoint "/dep-check" fpf.local/sd-server-builder || status=$?
+        --entrypoint "/dep-check" "${IMAGE_NAME}" || status=$?
 fi
 
 if [[ $status != 0 ]]; then

builder/tests/test_ossec_package.py

@@ -1,13 +1,15 @@
+import os
 import re
 import subprocess
 from pathlib import Path
 
 OSSEC_VERSION = "3.6.0"
 
+UBUNTU_VERSION = os.environ.get("UBUNTU_VERSION", "focal")
 SECUREDROP_ROOT = Path(
     subprocess.check_output(["git", "rev-parse", "--show-toplevel"]).decode().strip()
 )
-BUILD_DIRECTORY = SECUREDROP_ROOT / "build/focal"
+BUILD_DIRECTORY = SECUREDROP_ROOT / f"build/{UBUNTU_VERSION}"
 
 
 def test_ossec_binaries_are_present_agent():
@@ -25,7 +27,7 @@ def test_ossec_binaries_are_present_agent():
         "/var/ossec/bin/util.sh",
         "/var/ossec/bin/ossec-execd",
     ]
-    path = BUILD_DIRECTORY / f"ossec-agent_{OSSEC_VERSION}+focal_amd64.deb"
+    path = BUILD_DIRECTORY / f"ossec-agent_{OSSEC_VERSION}+{UBUNTU_VERSION}_amd64.deb"
     contents = subprocess.check_output(["dpkg-deb", "-c", str(path)]).decode()
     for wanted_file in wanted_files:
         assert re.search(
@@ -67,7 +69,7 @@ def test_ossec_binaries_are_present_server():
         "/var/ossec/bin/ossec-execd",
         "/var/ossec/bin/ossec-authd",
     ]
-    path = BUILD_DIRECTORY / f"ossec-server_{OSSEC_VERSION}+focal_amd64.deb"
+    path = BUILD_DIRECTORY / f"ossec-server_{OSSEC_VERSION}+{UBUNTU_VERSION}_amd64.deb"
     contents = subprocess.check_output(["dpkg-deb", "-c", str(path)]).decode()
     for wanted_file in wanted_files:
         assert re.search(

builder/tests/test_securedrop_deb_package.py

@@ -5,11 +5,13 @@
 
 import pytest
 
+UBUNTU_VERSION = os.environ.get("UBUNTU_VERSION", "focal")
 SECUREDROP_ROOT = Path(
     subprocess.check_output(["git", "rev-parse", "--show-toplevel"]).decode().strip()
 )
-DEB_PATHS = list((SECUREDROP_ROOT / "build/focal").glob("*.deb"))
-SITE_PACKAGES = "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages"
+DEB_PATHS = list((SECUREDROP_ROOT / f"build/{UBUNTU_VERSION}").glob("*.deb"))
+PYTHON_VERSION = {"focal": "8", "noble": "12"}[UBUNTU_VERSION]
+SITE_PACKAGES = f"/opt/venvs/securedrop-app-code/lib/python3.{PYTHON_VERSION}/site-packages"
 
 
 @pytest.fixture(scope="module")
@@ -70,7 +72,7 @@ def test_deb_package_contains_expected_conffiles(deb: Path):
         "/var/www/securedrop/.well-known/pki-validation/",
         "/var/www/securedrop/translations/messages.pot",
         "/var/www/securedrop/translations/de_DE/LC_MESSAGES/messages.mo",
-        f"{SITE_PACKAGES}/redwood/redwood.cpython-38-x86_64-linux-gnu.so",
+        f"{SITE_PACKAGES}/redwood/redwood.cpython-3{PYTHON_VERSION}-x86_64-linux-gnu.so",
     ],
 )
 def test_app_code_paths(securedrop_app_code_contents: str, path: str):

ossec/ossec-agent/debian/changelog

@@ -1,4 +1,4 @@
-ossec-agent (3.6.0+focal) focal; urgency=low
+ossec-agent (3.6.0) unstable; urgency=low
 
   [ SecureDrop Team ]
   * Release Notes https://github.com/ossec/ossec-hids/releases/tag/3.6.0

ossec/ossec-agent/debian/control

@@ -8,5 +8,5 @@ Standards-Version: 4.5.1
 Package: ossec-agent
 Architecture: amd64
 Conflicts: ossec-server
-Depends: libc6, libssl1.1, expect, inotify-tools, adduser
+Depends: ${shlibs:Depends}, expect, inotify-tools, adduser
 Description: Installs the generic ossec agent

ossec/ossec-agent/debian/rules

@@ -10,7 +10,9 @@ override_dh_install:
 	cp debian/preloaded-vars.conf etc/preloaded-vars.conf
 	# Disable JIT (TODO, ask upstream to make this configurable)
 	sed -i s/USE_PCRE2_JIT=yes/USE_PCRE2_JIT=no/ src/Makefile
-	bash ./install.sh
+	# LDFLAGS overrides warning; see https://github.com/ossec/ossec-hids/issues/2022#issuecomment-982121913
+	# (fixed in ossec 3.7.0)
+	LDFLAGS="-Wl,-z,muldefs" bash ./install.sh
 	# Override date to be reproducible
 	sed -i "s/DATE=\".*\"/DATE=\"${HUMAN_DATE}\"/" /var/ossec/etc/ossec-init.conf
 	# Use a fixed resolv.conf instead of whatever the container might have from the host

ossec/ossec-server/debian/changelog

@@ -1,4 +1,4 @@
-ossec-server (3.6.0+focal) focal; urgency=low
+ossec-server (3.6.0) unstable; urgency=low
 
   [ SecureDrop Team ]
   * Release Notes https://github.com/ossec/ossec-hids/releases/tag/3.6.0

ossec/ossec-server/debian/control

@@ -8,5 +8,5 @@ Standards-Version: 4.5.1
 Package: ossec-server
 Architecture: amd64
 Conflicts: ossec-agent
-Depends: libc6 (>=2.7), libssl1.1, adduser, expect, inotify-tools
+Depends: ${shlibs:Depends}, adduser, expect, inotify-tools
 Description: Installs generic OSSEC server

ossec/ossec-server/debian/rules

@@ -10,7 +10,9 @@ override_dh_install:
 	cp debian/preloaded-vars.conf etc/preloaded-vars.conf
 	# Disable JIT (TODO, ask upstream to make this configurable)
 	sed -i s/USE_PCRE2_JIT=yes/USE_PCRE2_JIT=no/ src/Makefile
-	bash ./install.sh
+	# LDFLAGS overrides warning; see https://github.com/ossec/ossec-hids/issues/2022#issuecomment-982121913
+	# (fixed in ossec 3.7.0)
+	LDFLAGS="-Wl,-z,muldefs" bash ./install.sh
 	# Override date to be reproducible
 	sed -i "s/DATE=\".*\"/DATE=\"${HUMAN_DATE}\"/" /var/ossec/etc/ossec-init.conf
 	# Override hostname to be reproducible

securedrop/debian/app-code/etc/apparmor.d/usr.sbin.apache2

@@ -68,6 +68,7 @@
   /etc/lsb-release r,
   /etc/magic r,
   /etc/mime.types r,
+  /etc/python3.12/sitecustomize.py r,
   /etc/python3.8/sitecustomize.py r,
   /etc/services r,
   /etc/timezone r,
@@ -82,6 +83,7 @@
   /proc/*/status r,
   /proc/sys/kernel/random/entropy_avail r,
   /run/apache2/apache2.pid rw,
+  /run/apache2/apache2.pid* rw,
   /run/apache2/wsgi.*.lock rwk,
   /run/apache2/wsgi.*.sock rw,
   /run/lock/apache2/rewrite-map.* rw,
@@ -105,13 +107,16 @@
   /usr/bin/touch rix,
   /usr/bin/uname rix,
   /usr/lib{,32,64}/** mr,
+  /usr/local/lib/python3.12/dist-packages/ r,
   /usr/local/lib/python3.8/dist-packages/ r,
   /usr/share/distro-info/debian.csv r,
   /usr/share/file/magic r,
   /usr/share/file/magic.mgc r,
   /opt/venvs/securedrop-app-code/**/__pycache__/ r,
   /opt/venvs/securedrop-app-code/**/__pycache__/* r,
   /opt/venvs/securedrop-app-code/bin/python3 r,
+  /opt/venvs/securedrop-app-code/lib/python3.12/ r,
+  /opt/venvs/securedrop-app-code/lib/python3.12/** rm,
   /opt/venvs/securedrop-app-code/lib/python3.8/ r,
   /opt/venvs/securedrop-app-code/lib/python3.8/** rm,
   /opt/venvs/securedrop-app-code/pyvenv.cfg r,

securedrop/debian/changelog

@@ -1,6 +1,6 @@
-securedrop (2.11.0~rc1+focal) focal; urgency=medium
+securedrop (2.11.0~rc1) unstable; urgency=medium
 
-  * 
+  * see changelog.md
 
  -- SecureDrop Team <[email protected]>  Tue, 22 Oct 2024 16:50:19 -0400
 

securedrop/debian/control

@@ -10,7 +10,7 @@ Package: securedrop-app-code
 Architecture: amd64
 Conflicts: libapache2-mod-wsgi, supervisor
 Replaces: libapache2-mod-wsgi, supervisor
-Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3
+Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, libapache2-mod-xsendfile, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3
 Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.
 
 Package: securedrop-config

securedrop/debian/gen-mods.py

@@ -0,0 +1,11 @@
+import sysconfig
+
+python = f"python{sysconfig.get_config_var('VERSION')}"
+nodot = sysconfig.get_config_var("py_version_nodot")
+base = "/opt/venvs/securedrop-app-code"
+text = f"""\
+LoadModule wsgi_module "/opt/venvs/securedrop-app-code/lib/{python}/site-packages/mod_wsgi/server/mod_wsgi-py{nodot}{sysconfig.get_config_var('EXT_SUFFIX')}"
+WSGIPythonHome "/opt/venvs/securedrop-app-code"
+"""  # noqa: E501
+
+print(text.strip())