packaging: replace stdeb by pybuild

As a result, a new `debian` folder is now living in the repository.
Debian packaging is now done manually rather than using tools that do
the heavy-lifting for us.

The `build-deb.py` script has also been updated to use `dpkg-buildpackage`

.circleci/config.yml

@@ -5,25 +5,12 @@ aliases:
     name: Install Podman in Ubuntu Focal
     command: ./install/linux/install-podman-ubuntu-focal.sh
 
-    # FIXME: Remove the following step once we drop Ubuntu Focal support. The
-    # python-all dependency is an artificial requirement due to an stdeb bug
-    # prior to v0.9.1. See:
-    #
-    # * https://github.com/astraw/stdeb/issues/153
-    # * https://github.com/freedomofpress/dangerzone/issues/292#issuecomment-1349967888
-  - &install-python-all
-    name: Install python-all package
-    command: |
-      export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
-      apt-get update
-      apt-get install -y python-all
-
   - &install-dependencies-deb
     name: Install dependencies (deb)
     command: |
       export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
       apt-get update
-      apt-get install -y dh-python python3 python3-stdeb
+      apt build-dep -y .
 
   - &install-dependencies-rpm
     name: Install dependencies (rpm)
@@ -470,8 +457,8 @@ jobs:
       - image: ubuntu:24.04
     resource_class: medium+
     steps:
-      - run: *install-dependencies-deb
       - checkout
+      - run: *install-dependencies-deb
       - run: *calculate-cache-key
       - restore_cache: *restore-cache
       - run: *copy-image
@@ -482,8 +469,8 @@ jobs:
       - image: ubuntu:23.10
     resource_class: medium+
     steps:
-      - run: *install-dependencies-deb
       - checkout
+      - run: *install-dependencies-deb
       - run: *calculate-cache-key
       - restore_cache: *restore-cache
       - run: *copy-image
@@ -494,8 +481,8 @@ jobs:
       - image: ubuntu:22.04
     resource_class: medium+
     steps:
-      - run: *install-dependencies-deb
       - checkout
+      - run: *install-dependencies-deb
       - run: *calculate-cache-key
       - restore_cache: *restore-cache
       - run: *copy-image
@@ -506,9 +493,8 @@ jobs:
       - image: ubuntu:20.04
     resource_class: medium+
     steps:
-      - run: *install-dependencies-deb
-      - run: *install-python-all
       - checkout
+      - run: *install-dependencies-deb
       - run: *calculate-cache-key
       - restore_cache: *restore-cache
       - run: *copy-image
@@ -519,8 +505,8 @@ jobs:
       - image: debian:trixie
     resource_class: medium+
     steps:
-      - run: *install-dependencies-deb
       - checkout
+      - run: *install-dependencies-deb
       - run: *calculate-cache-key
       - restore_cache: *restore-cache
       - run: *copy-image
@@ -531,8 +517,8 @@ jobs:
       - image: debian:bookworm
     resource_class: medium+
     steps:
-      - run: *install-dependencies-deb
       - checkout
+      - run: *install-dependencies-deb
       - run: *calculate-cache-key
       - restore_cache: *restore-cache
       - run: *copy-image
@@ -543,8 +529,8 @@ jobs:
       - image: debian:bullseye
     resource_class: medium+
     steps:
-      - run: *install-dependencies-deb
       - checkout
+      - run: *install-dependencies-deb
       - run: *calculate-cache-key
       - restore_cache: *restore-cache
       - run: *copy-image
@@ -613,13 +599,9 @@ workflows:
       - ci-fedora-39:
           requires:
             - build-container-image
-      # FIXME: Currently disabled because `stdeb` does not work with Python
+      - build-ubuntu-noble:
-      # 3.12, which is the default in Ubuntu Noble. See also:
+          requires:
-      # https://github.com/freedomofpress/dangerzone/issues/773
+            - build-container-image
-      #
-      #- build-ubuntu-noble:
-      #    requires:
-      #      - build-container-image
       - build-ubuntu-mantic:
           requires:
             - build-container-image
@@ -632,13 +614,9 @@ workflows:
       - build-debian-bullseye:
           requires:
             - build-container-image
-      # FIXME: Currently disabled because `stdeb` does not work with Python
+      - build-debian-trixie:
-      # 3.12, which has become the default in Debian Trixie. See also:
+          requires:
-      # https://github.com/freedomofpress/dangerzone/issues/773
+            - build-container-image
-      #
-      #- build-debian-trixie:
-      #    requires:
-      #      - build-container-image
       - build-debian-bookworm:
           requires:
             - build-container-image

.github/workflows/ci.yml

@@ -2,9 +2,9 @@ name: Tests
 on:
   push:
   pull_request:
-    branches: [ main ]
+    branches: [main]
   schedule:
-    - cron: '0 0 * * *' # Run every day at 00:00 UTC.
+    - cron: "0 0 * * *" # Run every day at 00:00 UTC.
   workflow_dispatch:
 
 jobs:
@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
       - run: pip install poetry
       - run: poetry install
       - name: Run CLI tests
@@ -37,7 +37,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
       - run: pip install poetry
       - run: poetry install
       - name: Run CLI tests
@@ -55,7 +55,7 @@ jobs:
 
       - uses: actions/setup-python@v5
         with:
-          python-version: '3.10'
+          python-version: "3.10"
 
       - name: Build dev environment
         run: |
@@ -79,7 +79,7 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: dangerzone.deb
-          path: "deb_dist/dangerzone_*_all.deb"
+          path: "deb_dist/dangerzone_*_*.deb"
 
   install-deb:
     runs-on: ubuntu-latest
@@ -115,7 +115,7 @@ jobs:
 
       - uses: actions/setup-python@v5
         with:
-          python-version: '3.10'
+          python-version: "3.10"
 
       - name: Download Dangerzone .deb
         uses: actions/download-artifact@v4

.gitignore

@@ -127,6 +127,13 @@ dmypy.json
 # Pyre type checker
 .pyre/
 
+# Debian packaging
+
+debian/.debhelper
+debian/dangerzone
+debian/files
+debian/debhelper-build-stamp
+debian/dangerzone.*
 # Other
 .vscode
 *.tar.gz

BUILD.md

@@ -58,8 +58,8 @@ Install dependencies:
 
 
 ```sh
-sudo apt install -y podman dh-python build-essential fakeroot make libqt6gui6 \
+sudo apt install -y podman dh-python build-essential make libqt6gui6 \
-    pipx python3 python3-dev python3-stdeb python3-all
+    pipx python3 python3-dev
 ```
 
 Install Poetry using `pipx` (recommended) and add it to your `$PATH`:

INSTALL.md

@@ -46,12 +46,6 @@ Dangerzone is available for:
   sudo apt update
   ```
 
-  Also, you need to install the `python-all` package, due to an `stdeb` bug that
-  existed before v0.9.1:
-
-  ```
-  sudo apt-get install python-all -y
-  ```
 </details>
     </td>
   </tr>

debian/changelog

@@ -0,0 +1,5 @@
+dangerzone (0.7.0) unstable; urgency=low
+
+  * Removed stdeb in favor of direct debian packaging tools
+
+ -- Freedom of the Press Foundation   <info@freedom.press>  Tue, 27 Aug 2024 14:39:28 +0200

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,15 @@
+Source: dangerzone
+Maintainer: Freedom of the Press Foundation <info@freedom.press>
+Section: python
+Priority: optional
+Build-Depends: dh-python, python3-setuptools, python3, dpkg-dev, debhelper (>= 9)
+Standards-Version: 4.5.1
+Homepage: https://github.com/freedomofpress/dangerzone
+Rules-Requires-Root: no
+
+Package: dangerzone
+Architecture: any
+Depends: ${misc:Depends}, ${python3:Depends}, podman, python3, python3-pyside2.qtcore, python3-pyside2.qtgui, python3-pyside2.qtwidgets, python3-pyside2.qtsvg, python3-appdirs, python3-click, python3-xdg, python3-colorama, python3-requests, python3-markdown, python3-packaging
+Description: Take potentially dangerous PDFs, office documents, or images
+  Dangerzone is an open source desktop application that takes potentially dangerous PDFs, office documents, or images and converts them to safe PDFs. It uses disposable VMs on Qubes OS, or container technology in other OSes, to convert the documents within a secure sandbox.
+  .

debian/copyright

@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: dangerzone
+Source: https://github.com/freedomofpress/dangerzone
+
+Files: *
+Copyright: 2020-2021 First Look Media
+           2022- Freedom of the Press Foundation, and Dangerzone contributors
+License: AGPL-3.0-or-later

debian/rules

@@ -0,0 +1,7 @@
+#!/usr/bin/make -f
+export PYBUILD_NAME=dangerzone
+export DEB_BUILD_OPTIONS=nocheck
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
+

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

debian/source/options

@@ -0,0 +1,4 @@
+compression = "gzip"
+tar-ignore = "dev_scripts"
+tar-ignore = ".*"
+tar-ignore = "__pycache__"

dev_scripts/env.py

@@ -139,8 +139,7 @@ RUN apt-get update \
     && rm -rf /var/lib/apt/lists/*
 RUN apt-get update \
     && apt-get install -y --no-install-recommends dh-python make build-essential \
-        git fakeroot {qt_deps} pipx python3 python3-dev python3-venv python3-stdeb \
+        git {qt_deps} pipx python3 python3-venv dpkg-dev debhelper python3-setuptools \
-        python3-all \
     && rm -rf /var/lib/apt/lists/*
 # NOTE: `pipx install poetry` fails on Ubuntu Focal, when installed through APT. By
 # installing the latest version, we sidestep this issue.
@@ -676,7 +675,7 @@ class Env:
                 "noble",
             ):
                 install_deps = DOCKERFILE_UBUNTU_REM_USER + DOCKERFILE_BUILD_DEBIAN_DEPS
-            package_pattern = f"dangerzone_{version}-*_all.deb"
+            package_pattern = f"dangerzone_{version}-*_*.deb"
             package_src = self.find_dz_package(git_root() / "deb_dist", package_pattern)
             package = package_src.name
             package_dst = build_dir / package

dev_scripts/qa.py

@@ -250,8 +250,8 @@ Install dependencies:
 
 
 ```sh
-sudo apt install -y podman dh-python build-essential fakeroot make libqt6gui6 \
+sudo apt install -y podman dh-python build-essential make libqt6gui6 \
-    pipx python3 python3-dev python3-stdeb python3-all
+    pipx python3 python3-dev
 ```
 
 Install Poetry using `pipx` (recommended) and add it to your `$PATH`:

install/linux/build-deb.py

@@ -2,19 +2,17 @@
 # -*- coding: utf-8 -*-
 
 import argparse
-import inspect
 import os
 import shutil
 import subprocess
 import sys
+from pathlib import Path
 
-root = os.path.dirname(
+# .absolute() is needed for python<=3.8, for which
-    os.path.dirname(
+# __file__ returns an absolute path.
-        os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe())))
+root = Path(__file__).parent.parent.parent.absolute()
-    )
-)
 
-with open(os.path.join(root, "share", "version.txt")) as f:
+with open(root / "share" / "version.txt") as f:
     version = f.read().strip()
 
 
@@ -39,8 +37,8 @@ def main():
     )
     args = parser.parse_args()
 
-    dist_path = os.path.join(root, "dist")
+    dist_path = root / "dist"
-    deb_dist_path = os.path.join(root, "deb_dist")
+    deb_dist_path = root / "deb_dist"
 
     print("* Deleting old dist and deb_dist")
     if os.path.exists(dist_path):
@@ -49,31 +47,28 @@ def main():
         shutil.rmtree(deb_dist_path)
 
     print("* Building DEB package")
-    # NOTE: This command first builds the Debian source package, and then creates the
-    # final DEB package. We could simply call `bdist_deb`, which performs `sdist_dsc`
-    # implicitly, but we wouldn't be able to pass the Debian version argument. Because
-    # we do this in a single invocation though, there's no performance cost.
     if args.distro is None:
-        deb_ver_args = ()
         deb_ver = "1"
     else:
-        deb_ver_args = ("--debian-version", args.distro)
         deb_ver = args.distro
 
     run(
         [
-            "python3",
+            "dpkg-buildpackage",
-            "setup.py",
-            "--command-packages=stdeb.command",
-            "sdist_dsc",
-            *deb_ver_args,
-            "bdist_deb",
         ]
     )
 
+    os.makedirs(deb_dist_path, exist_ok=True)
     print("")
     print("* To install run:")
-    print(f"sudo dpkg -i deb_dist/dangerzone_{version}-{deb_ver}_all.deb")
+
+    # dpkg-buildpackage produces a .deb file in the parent folder
+    # that needs to be copied to the `deb_dist` folder manually
+    for item in root.parent.glob(f"dangerzone_{version}_*.deb"):
+        arch = item.stem.split("_")[-1]
+        destination = root / "deb_dist" / f"dangerzone_{version}-{deb_ver}_{arch}.deb"
+        shutil.move(item, destination)
+        print(f"sudo dpkg -i {destination}")
 
 
 if __name__ == "__main__":

stdeb.cfg

@@ -1,11 +0,0 @@
-[DEFAULT]
-Package3: dangerzone
-Depends3: podman, python3, python3-pyside2.qtcore, python3-pyside2.qtgui, python3-pyside2.qtwidgets, python3-pyside2.qtsvg, python3-appdirs, python3-click, python3-xdg, python3-colorama, python3-requests, python3-markdown, python3-packaging
-Build-Depends: dh-python, python3, python3-setuptools, python3-stdeb
-Suite: bionic
-X-Python3-Version: >= 3.8
-# Do not trigger testing when we build the package. Assume that the user
-# has tested the package already. For more info, see:
-# https://github.com/freedomofpress/dangerzone/issues/292#issuecomment-1349967888
-Setup-Env-Vars: DEB_BUILD_OPTIONS=nocheck
-Maintainer: Freedom of the Press Foundation <info@freedom.press>