Explicitly install systemd-resolved, systemd-hwe-hwdb on noble

These two packages are installed on fresh systems, but not on upgrades because they were split out of the systemd package. Set the dependency ourselves to make sure it's always pulled in. In the future once all SecureDrops are on noble, we can uninstall systemd-resolved entirely instead of merely stopping it. Fixes #7464.
freedomofpress · Mar 6, 2025 · 29d08d7 · 29d08d7
1 parent 2659fdd
commit 29d08d7
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/builder/tests/test_securedrop_deb_package.py b/builder/tests/test_securedrop_deb_package.py
@@ -130,3 +130,22 @@ def test_apparmor_conditional():
 
     print(info)
     assert found, "Depends: line wasn't found"
+
+
+def test_systemd_conditional():
+    try:
+        path = [pkg for pkg in DEB_PATHS if pkg.name.startswith("securedrop-config")][0]
+    except IndexError:
+        raise RuntimeError("Unable to find securedrop-config package in build/ folder")
+    info = subprocess.check_output(["dpkg", "--info", path]).decode()
+    found = False
+    for line in info.splitlines():
+        if line.startswith(" Depends:"):
+            found = True
+            if UBUNTU_VERSION == "focal":
+                assert "systemd-resolved" not in line, "focal has no systemd-resolved dependency"
+            else:
+                assert "systemd-resolved" in line, "noble has systemd-resolved dependency"
+
+    print(info)
+    assert found, "Depends: line wasn't found"
diff --git a/securedrop/debian/control b/securedrop/debian/control
@@ -15,7 +15,7 @@ Description: SecureDrop application code, dependencies, Apache configuration, sy
 
 Package: securedrop-config
 Architecture: amd64
-Depends: ${shlibs:Depends}, unattended-upgrades, update-notifier-common
+Depends: ${shlibs:Depends}, ${systemd:Depends}, unattended-upgrades, update-notifier-common
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.
 

diff --git a/securedrop/debian/rules b/securedrop/debian/rules
@@ -67,8 +67,10 @@ override_dh_strip_nondeterminism:
 override_dh_gencontrol:
 ifneq ($(findstring +noble,$(DEB_VERSION)),)
 	dh_gencontrol -psecuredrop-app-code -- "-Vapparmor:Depends=apparmor (>= 4.0.1really4.0.1-0ubuntu0.24.04.3)"
+	dh_gencontrol -psecuredrop-config -- "-Vsystemd:Depends=systemd-resolved, systemd-hwe-hwdb"
 else
 	dh_gencontrol -psecuredrop-app-code -- "-Vapparmor:Depends="
+	dh_gencontrol -psecuredrop-config -- "-Vsystemd:Depends="
 endif
 	dh_gencontrol -psecuredrop-ossec-agent -- "-v3.6.0+${DEB_VERSION}"
 	dh_gencontrol -psecuredrop-ossec-server -- "-v3.6.0+${DEB_VERSION}"