Explicitly install systemd-hwe-hwdb

This package is installed on fresh systems, but not on upgrades because it was split out of the systemd package. Set the dependency ourselves to make sure it's always pulled in. Currently none of these udev rules apply to expected SecureDrop hardware, but it's good to futureproof ourselves just in case.
freedomofpress · Mar 7, 2025 · c7bb893 · c7bb893
1 parent 9b5ede9
commit c7bb893
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/builder/tests/test_securedrop_deb_package.py b/builder/tests/test_securedrop_deb_package.py
@@ -130,3 +130,22 @@ def test_apparmor_conditional():
 
     print(info)
     assert found, "Depends: line wasn't found"
+
+
+def test_systemd_conditional():
+    try:
+        path = [pkg for pkg in DEB_PATHS if pkg.name.startswith("securedrop-config")][0]
+    except IndexError:
+        raise RuntimeError("Unable to find securedrop-config package in build/ folder")
+    info = subprocess.check_output(["dpkg", "--info", path]).decode()
+    found = False
+    for line in info.splitlines():
+        if line.startswith(" Depends:"):
+            found = True
+            if UBUNTU_VERSION == "focal":
+                assert "systemd-hwe-hwdb" not in line, "focal has no systemd-hwe-hwdb dependency"
+            else:
+                assert "systemd-hwe-hwdb" in line, "noble has systemd-hwe-hwdb dependency"
+
+    print(info)
+    assert found, "Depends: line wasn't found"
diff --git a/securedrop/debian/control b/securedrop/debian/control
@@ -15,7 +15,7 @@ Description: SecureDrop application code, dependencies, Apache configuration, sy
 
 Package: securedrop-config
 Architecture: amd64
-Depends: ${shlibs:Depends}, unattended-upgrades, update-notifier-common
+Depends: ${shlibs:Depends}, ${systemd:Depends}, unattended-upgrades, update-notifier-common
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.
 

diff --git a/securedrop/debian/rules b/securedrop/debian/rules
@@ -67,8 +67,10 @@ override_dh_strip_nondeterminism:
 override_dh_gencontrol:
 ifneq ($(findstring +noble,$(DEB_VERSION)),)
 	dh_gencontrol -psecuredrop-app-code -- "-Vapparmor:Depends=apparmor (>= 4.0.1really4.0.1-0ubuntu0.24.04.3)"
+	dh_gencontrol -psecuredrop-config -- "-Vsystemd:Depends=systemd-hwe-hwdb"
 else
 	dh_gencontrol -psecuredrop-app-code -- "-Vapparmor:Depends="
+	dh_gencontrol -psecuredrop-config -- "-Vsystemd:Depends="
 endif
 	dh_gencontrol -psecuredrop-ossec-agent -- "-v3.6.0+${DEB_VERSION}"
 	dh_gencontrol -psecuredrop-ossec-server -- "-v3.6.0+${DEB_VERSION}"