Better way of downloading wheels for the final Debian packages #6
Here is a demo of the automation (related to freedomofpress/securedrop-builder#6), 13MB in size.
We can also remove all hash generation steps if we use our index in
Hey, I'm new to the project so I have some basic questions/follow-up comments after my meeting with @kushaldas today (sorry kushal if you already answered any of these questions). Questions:
Why don't we download the wheels from PyPI? Why do we instead download the source tarballs and build them locally?
You mentioned this is not yet merged, and I don't think you mentioned this during our meeting. Is this a new step that we didn't need before, or is it replacing some other step(s)? If I recall correctly, it seemed like the first step was running
Because we can trust the binary wheels that we built more than ones built by a third party (it can be any of the upstream developers).
Yes, as the docs need more updates. The Makefile now has a
Ah, so even if we verified the wheels that we download from PyPI, we still can't be 100% sure that what we're verifying only contains the code from the source distribution. By building the code directly ourselves, on our own build system, we can see exactly how the build and deploy process is done. If that's what you mean!
For all of the Debian package building, we are not using any binary wheels from https://pypi.org. Instead we download source tarballs from there, build binary wheels locally, and then use those in the final Debian packages.
We are going to take securedrop-client as an example; the project is under the ~/code/securedrop-client directory.
Steps that need to be done before doing any packaging
1. Sync the wheels locally
In our main securedrop-debian-packaging directory we can download all of the already-built wheels and sources with the following command (not yet merged).
2. Things required at the package/code level
From the securedrop-debian-packaging directory,
This will create the proper requirements.txt file in the project directory, along with the binary wheel hashes from our own PyPI.
If we are missing any wheels from our cache/build/PyPI, it will let you know with the following message.
So, the next step is to build the wheels. To do this step, you will need the GPG keys of @kushaldas, @conorsch, @redshiftzero and @emkll on the same user, as the actual list of hashes will be signed by one of us.
The above command will let you know about any new wheels and sources. It will build/download sources from PyPI (verifying them against the sha256sums from the Pipfile.lock of the project). Then go to the very end of this comment for the makefile target to build (example).
3. Sync the localwheels directory back to the s3 bucket (only if there is any update)
This has to be a manual step for security reasons. In future all of these wheel-building steps should be done on a different system, not on the developer's laptop.
This is an important step; we should sync any updated/new wheels into the s3 bucket.
Look out for the names of the sources and wheels in this step.
4. Update the index files for the bucket (no need before release)
If there is any new package (source/wheel), then we will have to update our index.
Then update the corresponding package's index.html. If it is a new package, then update the main index.
Finally, sync the index.
Build any of the Python-based Debian packages
The final rules files should only use our index. For pure development purposes, a developer can modify the rules file to download from upstream PyPI for testing on a system. Also, thanks to @msheiny, I managed to deploy https://dev-bin.ops.securedrop.org/simple ❤️
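The following is an added example, not code from securedrop-debian-packaging or any of its contributors. It sketches the three checks the procedure above leans on: verifying a downloaded source tarball against the sha256 pins in Pipfile.lock (pipenv's lock-file layout is assumed), emitting a requirements.txt whose `--hash=` values come from our own locally built wheels while reporting which locked packages still have no wheel, and writing a PEP 503 "simple" index for the bucket with `#sha256=` fragments on every link. The package names, file contents and the bucket layout (files served beside each project's index.html) are all constructed for the example.

```python
"""Added example, not code from securedrop-debian-packaging. Verifies a downloaded
sdist against the sha256 pins in Pipfile.lock (pipenv layout assumed), writes a
requirements.txt pinned to OUR wheel digests and reports missing wheels, and writes
a PEP 503 index whose links carry #sha256= fragments. All sample files are constructed."""
import hashlib
import html
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

# Wheel file name per PEP 427: name-version(-build)?-python-abi-platform.whl
WHEEL_RE = re.compile(r"^(?P<name>[^-]+)-(?P<ver>[^-]+)(-\d[^-]*)?-[^-]+-[^-]+-[^-]+\.whl$")

def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def locked_hashes(lock: dict, name: str) -> Set[str]:
    """sha256 hex digests Pipfile.lock pins for `name` (default or develop section)."""
    for section in ("default", "develop"):
        entry = lock.get(section, {}).get(name)
        if entry is not None:
            return {h.split(":", 1)[1] for h in entry["hashes"] if h.startswith("sha256:")}
    raise KeyError(f"{name} is not pinned in Pipfile.lock")

def verify_sdist(path: str, lock: dict, name: str) -> bool:
    """True only if the downloaded tarball matches one of the pinned digests."""
    return sha256_file(path) in locked_hashes(lock, name)

def build_requirements(lock: dict, wheelhouse: str) -> Tuple[str, List[str]]:
    """requirements.txt pinned to our own wheel digests, plus the locked packages
    with no matching wheel yet (those still have to be built)."""
    inv: Dict[str, Tuple[str, str]] = {}  # normalized name -> (version, sha256)
    for fn in os.listdir(wheelhouse):
        m = WHEEL_RE.match(fn)
        if m:
            inv[normalize(m["name"])] = (m["ver"], sha256_file(os.path.join(wheelhouse, fn)))
    lines, missing = [], []
    for name, entry in sorted(lock["default"].items()):
        want, have = entry["version"].lstrip("="), inv.get(normalize(name))
        if have is None or have[0] != want:
            missing.append(f"{name}=={want}")
        else:
            lines.append(f"{name}=={want} --hash=sha256:{have[1]}")
    return "\n".join(lines) + "\n", missing

def project_of(filename: str) -> str:
    """Project a wheel or sdist belongs to (sdists assumed to be name-version.tar.gz)."""
    if filename.endswith(".whl"):
        return normalize(filename.split("-", 1)[0])
    return normalize(filename[: -len(".tar.gz")].rsplit("-", 1)[0])

def _page(body: str) -> str:
    return "<!DOCTYPE html>\n<html><body>\n" + body + "\n</body></html>\n"

def write_simple_index(wheelhouse: str, out_dir: str) -> Dict[str, str]:
    """PEP 503 index: one page per project (links carry #sha256= so pip verifies each
    file it fetches) plus a root page listing projects. Returns {page path: html}."""
    by_project: Dict[str, List[str]] = {}
    for fn in sorted(os.listdir(wheelhouse)):
        by_project.setdefault(project_of(fn), []).append(fn)
    pages: Dict[str, str] = {}
    for proj, files in by_project.items():
        os.makedirs(os.path.join(out_dir, proj), exist_ok=True)
        links = [f'<a href="{html.escape(fn)}#sha256={sha256_file(os.path.join(wheelhouse, fn))}">'
                 f'{html.escape(fn)}</a>' for fn in files]
        pages[os.path.join(out_dir, proj, "index.html")] = _page("\n".join(links))
    pages[os.path.join(out_dir, "index.html")] = _page(
        "\n".join(f'<a href="{p}/">{p}</a>' for p in by_project))
    for path, body in pages.items():
        with open(path, "w") as f:
            f.write(body)
    return pages

def demo() -> dict:
    """Run the pipeline over constructed files (hypothetical package names)."""
    root = tempfile.mkdtemp()
    wheels = os.path.join(root, "localwheels")
    os.makedirs(wheels)
    sdist = os.path.join(wheels, "examplepkg-1.0.0.tar.gz")
    with open(sdist, "wb") as f:
        f.write(b"constructed sdist bytes, not a real tarball\n")
    with open(os.path.join(wheels, "examplepkg-1.0.0-py3-none-any.whl"), "wb") as f:
        f.write(b"constructed wheel bytes, not a real wheel\n")
    lock = {"default": {  # constructed Pipfile.lock; otherpkg has no wheel built yet
        "examplepkg": {"version": "==1.0.0", "hashes": ["sha256:" + sha256_file(sdist)]},
        "otherpkg": {"version": "==2.0.0", "hashes": ["sha256:" + "0" * 64]},
    }}
    sdist_ok = verify_sdist(sdist, lock, "examplepkg")
    reqs, missing = build_requirements(lock, wheels)
    index = write_simple_index(wheels, os.path.join(root, "simple"))
    with open(sdist, "ab") as f:  # a tampered download must fail verification
        f.write(b"x")
    return {"sdist_ok": sdist_ok, "tampered_ok": verify_sdist(sdist, lock, "examplepkg"),
            "requirements": reqs, "missing": missing, "index": index}
```

Two caveats worth keeping in mind when wiring something like this into the Debian rules file: as soon as one requirement carries a `--hash=` option pip switches to hash-checking mode and refuses to install anything (including transitive dependencies) that is not pinned with a hash, which is the desired behaviour here but means the generated requirements.txt must be complete; and the hashes in requirements.txt must be those of the wheels in our bucket, not the sdist hashes from Pipfile.lock, since pip compares against the file it actually downloads. Signing the hash list and syncing to the bucket are the manual steps described above and are not part of the example.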