Instance upgraded from focal to noble is missing systemd-resolved #7464

Open
legoktm opened this issue Mar 6, 2025 · 6 comments · May be fixed by #7466

@legoktm
Member

legoktm commented Mar 6, 2025

Description

Doing an in-place upgrade to noble results in the system missing systemd-resolved. A fresh noble install will still have it.

Steps to Reproduce

  1. Set up focal 2.12.0-rc.2
  2. Do a semiautomated / fully automated upgrade
  3. On a server, run systemctl status systemd-resolved - it'll error
  4. Try running ./securedrop-admin install - it will error on the step about stopping systemd-resolved.

Expected Behavior

Either:

  1. systemd-resolved is present on upgraded systems
  2. Or, systemd-resolved is removed from all noble systems

And, ./securedrop-admin install should work post-upgrade.

Next steps

  1. diff the output of dpkg -l from both a fresh noble install and an upgrade and see if anything else is missing (ideally check both app and mon)
  2. figure out what to do with systemd-resolved. Not sure why it's getting removed during upgrade, a missing dependency maybe? We could fix that, or just say that we don't actually need it since we stop it and uninstall it on fresh installs too. The former is probably safer.
@zenmonkeykstop
Contributor

dpkg -l runs from an upgraded and freshly installed noble instance:

upgrade_app_dpkg.txt

upgrade_mon_dpkg.txt

fresh_app_dpkg.txt

fresh_mon_dpkg.txt

@legoktm
Member Author

legoktm commented Mar 6, 2025

Thanks, I extracted the raw package lists (grep "ii" fresh_mon_dpkg.txt | awk '{print $2}') and then diffed them:

Looking up all the individual packages now.
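The package-list comparison discussed in this thread, as an added example that is not part of the original comments or the project's code. Both listings are constructed samples with placeholder versions, and the function names are illustrative.

```shell
#!/bin/sh
# Compare two saved `dpkg -l` listings (fresh install vs. in-place upgrade).

# Names of fully installed packages (status column exactly "ii"), sorted.
# "rc" rows (removed, config files left behind) are skipped, and the ":arch"
# suffix is dropped so libc6:amd64 and libc6 compare equal.
installed_pkgs() {
    awk '$1 == "ii" { sub(/:.*/, "", $2); print $2 }' "$1" | LC_ALL=C sort -u
}

# Packages installed in listing $1 but not installed in listing $2.
only_in_first() {
    _a=$(mktemp) && _b=$(mktemp) || return 1
    installed_pkgs "$1" > "$_a"
    installed_pkgs "$2" > "$_b"
    LC_ALL=C comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Constructed sample listings; versions and descriptions are placeholders.
write_samples() {
    cat > "$1/fresh.txt" <<'EOF'
||/ Name               Version  Architecture Description
+++-==================-========-============-===================
ii  jq                 0.0      amd64        constructed row
ii  libc6:amd64        0.0      amd64        constructed row
ii  media-types        0.0      all          constructed row
ii  systemd            0.0      amd64        constructed row
ii  systemd-hwe-hwdb   0.0      all          constructed row
ii  systemd-resolved   0.0      amd64        constructed row
EOF
    cat > "$1/upgraded.txt" <<'EOF'
||/ Name               Version  Architecture Description
+++-==================-========-============-===================
rc  jq                 0.0      amd64        constructed row
ii  libc6:amd64        0.0      amd64        constructed row
ii  mime-support       0.0      all          constructed row
ii  systemd            0.0      amd64        constructed row
EOF
}

# Demo run on the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
echo "missing after upgrade:"; only_in_first "$dir/fresh.txt" "$dir/upgraded.txt"
echo "extra after upgrade:";   only_in_first "$dir/upgraded.txt" "$dir/fresh.txt"
rm -rf "$dir"
```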

@legoktm
Member Author

legoktm commented Mar 6, 2025

  • appstream: don't need it
  • e2fsprogs-l10n: don't need it
  • firmware-sof-signed: firmware for audio devices - don't need it
  • ibverbs-providers: userspace drivers for specialized ethernet hardware. My guess is that NUCs don't need this, but will examine a bit more.
  • jq: don't need it? (only used in dev AFAICT)
  • libgpg-error-l10n: don't need it, just translations

[skipping all the other lib* packages because they're dependencies]

  • lxd-installer: don't need it
  • needrestart: don't need it
  • nftables: I believe this is just the CLI frontend? don't need it but might be nice to have.
  • numactl: don't need it
  • python3-boto3, python3-botocore, python3-s3transfer: don't need it
  • python3-dateutil: don't need it
  • python3-jmespath: don't need it
  • python3-markdown-it, python3-mdurl: don't need it
  • python3-pygments: don't need it
  • python3-rich: don't need it
  • sysstat: don't need it
  • systemd-hwe-hwdb: "udev rules for hardware enablement", I don't know what this is and it's an Ubuntu-specific thing.
  • systemd-resolved: !!!
  • trace-cmd: don't need it

On mon specifically, we have:

-media-types
+mime-support

media-types replaced mime-support, but we missed the transitional package, so we'll have to do it manually. Not sure what dependency pulled it in though and why app wouldn't have it.

@legoktm
Member Author

legoktm commented Mar 6, 2025

In focal, the systemd-resolved component was included in the main systemd package:

$ dpkg -c systemd_245.4-4ubuntu3.24_amd64.deb | grep resolved
-rwxr-xr-x root/root      3786 2024-06-17 20:29 ./etc/dhcp/dhclient-enter-hooks.d/resolved
-rw-r--r-- root/root       642 2024-06-17 20:29 ./etc/systemd/resolved.conf
-rw-r--r-- root/root      1731 2024-06-17 20:29 ./lib/systemd/system/systemd-resolved.service
-rwxr-xr-x root/root    415968 2024-06-17 20:29 ./lib/systemd/systemd-resolved
-rw-r--r-- root/root      4227 2024-06-17 20:29 ./usr/share/man/man5/resolved.conf.5.gz
-rw-r--r-- root/root      4512 2024-06-17 20:29 ./usr/share/man/man8/systemd-resolved.service.8.gz
lrwxrwxrwx root/root         0 2024-06-17 20:29 ./usr/share/man/man5/resolved.conf.d.5.gz -> resolved.conf.5.gz
lrwxrwxrwx root/root         0 2024-06-17 20:29 ./usr/share/man/man8/systemd-resolved.8.gz -> systemd-resolved.service.8.gz

This meant there was no way to uninstall it, so we only stopped it.

In noble, it was split out into a separate package. But nothing explicitly depends on it, so we don't install it during upgrade, and lose it.

Knowing that, my preference would be to have the securedrop-config package gain a dependency on systemd-resolved, but only for the noble version. We already have similar logic in app-code for this. This is a small, self-contained change that's easy to statically verify by looking at the package metadata. And then running through the actual upgrade. Once everyone is on noble, we can remove the systemd-resolved package across the board.

I can put a PR in for this after figuring out the systemd-hwe-hwdb thing and nftables.


On the QA side, I think we should add a step like, "After an in-place upgrade, all the ./securedrop-admin commands still work, e.g. install, backup, etc."
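One way to check package metadata for a declared dependency, as an added example that is not the project's own code. The control stanza, the package name example-config and the function names are constructed for illustration; on a real build the field text would come from the .deb's control data.

```shell
#!/bin/sh
# Check whether a Debian control stanza declares a dependency on a package.

# Print one field of a control stanza, joining folded continuation lines.
control_field() {
    awk -v f="$2" '
        tolower($0) ~ ("^" tolower(f) ":") {
            sub(/^[^:]*:[ \t]*/, ""); v = $0; on = 1; next }
        on && /^[ \t]/ { sub(/^[ \t]+/, ""); v = v " " $0; next }
        on { exit }
        END { print v }' "$1"
}

# depends_on FIELD PKG: exit 0 if PKG is named in the dependency field.
# Splits on "," and "|", drops version constraints like "(>= 1.0)" and
# ":any"-style qualifiers, then compares whole names, so "systemd" does
# not match "systemd-resolved". Alternatives ("a | b") each count as named.
depends_on() {
    printf '%s\n' "$1" | tr ',|' '\n\n' |
        sed -e 's/([^)]*)//g' -e 's/:[a-z0-9-]*//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -Fxq -- "$2"
}

# Constructed control stanza (not the real securedrop-config metadata).
write_control() {
    cat > "$1" <<'EOF'
Package: example-config
Version: 0.0
Depends: libc6 (>= 2.0), systemd-resolved,
 systemd-hwe-hwdb | example-alt (<< 1:3.0), python3:any
Description: constructed stanza for illustration
EOF
}

# Demo run: report which of the split-out packages are declared.
ctl=$(mktemp)
write_control "$ctl"
deps=$(control_field "$ctl" Depends)
for p in systemd-resolved systemd-hwe-hwdb systemd; do
    if depends_on "$deps" "$p"; then echo "$p: declared"
    else echo "$p: NOT declared"; fi
done
rm -f "$ctl"
```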

@legoktm
Member Author

legoktm commented Mar 6, 2025

On mon specifically, we have:

-media-types
+mime-support

On my upgraded mon server, I see mime-support being removed, so it's weird that yours still has it.

@legoktm
Member Author

legoktm commented Mar 6, 2025

Currently systemd-hwe-hwdb contains exactly one udev rule:

# Dell Pro Rugged microphone mute
evdev:name:Dell WMI hotkeys:dmi:bvn*:bvr*:bd*:svnDell*:pnDellProRugged*:*
 KEYBOARD_KEY_100150=f20

I think it's easiest just to install it the same way we're going to do with systemd-resolved.

@legoktm legoktm self-assigned this Mar 6, 2025
legoktm added a commit that referenced this issue Mar 6, 2025
These two packages are installed on fresh systems, but not on upgrades
because they were split out of the systemd package. Set the dependency
ourselves to make sure it's always pulled in.

In the future once all SecureDrops are on noble, we can uninstall
systemd-resolved entirely instead of merely stopping it.

Fixes #7464.
legoktm added a commit that referenced this issue Mar 7, 2025
These two packages are installed on fresh systems, but not on upgrades
because they were split out of the systemd package. Set the dependency
ourselves to make sure it's always pulled in.

In the future once all SecureDrops are on noble, we can uninstall
systemd-resolved entirely instead of merely stopping it.

Fixes #7464.
legoktm added a commit that referenced this issue Mar 7, 2025
We don't use systemd-resolved and during the focal -> noble migration,
it gets dropped since it was split out to a separate package.

Now that we can remove it entirely, let's have noble installs absent the
package instead of merely stopping the systemd unit.

Fixes #7464.