libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.2 is to be installed

I wonder if I deployed just in the middle of a new version being rolled.

$ apt policy libssl3
libssl3:
  Installed: 3.0.2-0ubuntu1.2
  Candidate: 3.0.2-0ubuntu1.2
  Version table:
     3.0.2-0ubuntu1.4 1 (phased 10%)
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
 *** 3.0.2-0ubuntu1.2 100
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1.1 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     3.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Status changed to 'Confirmed' because the bug affects multiple users.

https://askubuntu.com/questions/1414956/libssl3-3-0-2-0ubuntu1-2-required-but-only-3-0-2-0ubuntu1-1-is-available-on-t/1414986

It's now been 14+ hours and this dependency tree is still broken. This (libssl) was last touched by Simon Chopin around that time.

The same error when trying to install postgresql-server-dev package.

I can't reproduce this in a jammy VM.
What's the output of "apt policy libssl-dev"?

$ apt policy libssl-dev
libssl-dev:
  Installed: (none)
  Candidate: 3.0.2-0ubuntu1.1
  Version table:
     3.0.2-0ubuntu1.4 1 (phased 30%)
        500 http://se.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     3.0.2-0ubuntu1.1 500
        500 http://se.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     3.0.2-0ubuntu1 500
        500 http://se.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

I need the same person to do "apt policy" on the package they are trying to install, on "libssl-dev" and on "libssl3", and to also paste the error message they are getting when trying to install the package that is failing.

I have the info here:
https://bugs.launchpad.net/charm-mysql-innodb-cluster/+bug/1979311

Hi, from my side the output is:
root@vps:/home/ubuntu# apt install libssl-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.4 is to be installed
E: Unable to correct problems, you have held broken packages.
root@vps:/home/ubuntu# apt install libssl3
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
libssl3 is already the newest version (3.0.2-0ubuntu1.4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@vps:/home/ubuntu# apt policy libssl-dev
libssl-dev:
  Installed: (none)
  Candidate: 3.0.2-0ubuntu1.1
  Version table:
     3.0.2-0ubuntu1.4 1 (phased 30%)
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     3.0.2-0ubuntu1.1 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     3.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
root@vps:/home/ubuntu# apt policy libssl3
libssl3:
  Installed: 3.0.2-0ubuntu1.4
  Candidate: 3.0.2-0ubuntu1.4
  Version table:
 *** 3.0.2-0ubuntu1.4 1 (phased 30%)
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1.1 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     3.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

@mdeslaur Here are the details you want. This is a freshly launched AWS EC2 instance (AMI ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20220609). "update" pulls from apt repos jammy, jammy-updates, jammy-backports, and jammy-security. Issue is 100% reproducible.

$ sudo -i
# apt-get -y update
Hit:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates InRelease [109 kB]
Get:3 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:5 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB]
Get:6 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/universe Translation-en [5652 kB]
Get:7 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB]
Get:8 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB]
Get:9 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB]
Get:10 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8372 B]
Get:11 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [303 kB]
Get:12 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [72.9 kB]
Get:13 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 c-n-f Metadata [4952 B]
Get:14 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [184 kB]
Get:15 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [27.9 kB]
Get:16 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [125 kB]
Get:17 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [44.1 kB]
Get:18 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [2560 B]
Get:19 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [4192 B]
Get:20 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse Translation-en [1016 B]
Get:21 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [232 B]
Get:22 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [112 B]
Get:23 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B]
Get:24 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [2036 B]
Get:25 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [7012 B]
Get:26 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [216 B]
Get:27 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B]
Get:28 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [185 kB]
Get:29 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [43.6 kB]
Get:30 http://security.ubuntu.com/ubuntu jammy-security/main amd6...

This is happening because of phased updates. The libssl3 package was either manually installed, or it came preinstalled in an image, and now phased updates is preventing libssl-dev from being installed. There are two ways to get out of this stalemate:

1- Manually request the libssl-dev version to be installed: "apt install libssl-dev=3.0.2-0ubuntu1.4"
2- Disable phased updates, see the configuration options here: https://discourse.ubuntu.com/t/phased-updates-in-apt-in-21-04/20345

Thanks for the information. We will begin disabling phased updates on all our systems being imaged going forward.

BTW, with regards to libssl3 being "manually installed or coming preinstalled", it comes preinstalled because package linux-headers relies on it:

# aptitude why libssl3
i linux-headers-5.15.0-1011-aws Depends libssl3 (>= 3.0.0~~alpha1)

As such, I'm not so sure doing A/B testing (re: phased updates) on anything OpenSSL-related is a wise idea.

Also, the recommended advice does not work/apply. Adding this to /etc/apt/apt.conf does not relieve the problem (I tried all these permutations, since apt_preferences(5) is not clear what syntax is truly wanted, and web searches turn up varying opinions depending on if you're using Update Manager or not, alongside questioning why there is a Never and an Always, re: tri-state switch):

Update-Manager::Always-Include-Phased-Updates "0";
Update-Manager::Always-Include-Phased-Updates "False";
Update-Manager::Always-Include-Phased-Updates False;
Update-Manager::Never-Include-Phased-Updates "1";
Update-Manager::Never-Include-Phased-Updates "True";
Update-Manager::Never-Include-Phased-Updates True;
APT::Get::Always-Include-Phased-Updates "0";
APT::Get::Always-Include-Phased-Updates "False";
APT::Get::Always-Include-Phased-Updates False;
APT::Get::Never-Include-Phased-Updates "1";
APT::Get::Never-Include-Phased-Updates "True";
APT::Get::Never-Include-Phased-Updates True;

I believe the answer is easily overlooked in the initial post from juliank: "Note that this does not apply to fresh package installs".

Next, I tried the other workaround, by force-pinning a version. Note that the original recommendation was "apt install libssl-dev=3.0.2-0ubuntu1.4", which will not work; "apt install libssl3=3.0.2-0ubuntu1.4" did work (understandably) -- except not really.

Forced pinning get us no further than before, because package libssl-dev explicitly depends on a specific version of libssl3 (note equals, not greater-than-equals or tilde):

# dpkg -l | grep libssl3
ii libssl3:amd64 3.0.2-0ubuntu1.4 amd64 Secure Sockets Layer toolkit - shared libraries

# apt-get install libmysqlclient-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.4 is to be installed
E: Unable to correct problems, you have held broken packages.

# apt-cache show libssl-dev
...
Depends: libssl3 (= 3.0.2-0ubuntu1)
...

So either libssl-dev needs to be updated alongside this, and somehow these two packages (libssl-dev and libssl3) need to be "tied together" when it comes to phased updates (I don't even know if that's possible), or there is further packaging work (version bumping) that needs to happen.

Additionally, I suspect what all this implies is that phased updates were enabled by default on the latest AWS AMI when it was made by Canonical, and now there is (effectively) no way to "opt out" of them. This is not a good system, folks. Please CC whoever is responsible for this model so they can witness real-world failure of it (and how getting out of this situation doesn't seem possible).

apt install libssl-dev=3.0.2-0ubuntu1.4 should work, but you might have to force additional packages up. Certainly the error will be different.

I don't understand your config options, you already have the phased update installed, so you need the reverse of what you did to get the still-phasing libssl-dev to be installed.

And no, the implementation changed to fix the opposite corollary bug, so it applies to not-yet-installed packages as well. Where people had libssl3=...1.1 installed and then tried to install libssl-dev and it would fail because libssl-dev Depends libssl3 (= ...1.4)

No, it doesn't work. Is there a reason developers here are not actually launching new instances and confirming the statements themselves? Why do I have to keep proving this? Another fresh instance, AMI ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20220609 (ami-0d70546e43a941d70), absolutely nothing tuned, touched, or otherwise:

ubuntu@ip-172-31-53-51:~$ dpkg -l | grep libssl
ii libssl3:amd64 3.0.2-0ubuntu1.2 amd64 Secure Sockets Layer toolkit - shared libraries

ubuntu@ip-172-31-53-51:~$ sudo apt install libssl-dev=3.0.2-0ubuntu1.4
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.4) but 3.0.2-0ubuntu1.2 is to be installed

ubuntu@ip-172-31-53-51:~$ sudo aptitude why libssl3
i linux-headers-5.15.0-1011-aws Depends libssl3 (>= 3.0.0~~alpha1)

Now, if you do what I said earlier -- please note the package version name difference compared to what everyone keeps referring to:

ubuntu@ip-172-31-53-51:~$ sudo apt install libssl3=3.0.2-0ubuntu1.4
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  libssl3
1 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
Need to get 1900 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libssl3 amd64 3.0.2-0ubuntu1.4 [1900 kB]
Fetched 1900 kB in 0s (29.4 MB/s)
Preconfiguring packages ...
(Reading database ... 64038 files and directories currently installed.)
Preparing to unpack .../libssl3_3.0.2-0ubuntu1.4_amd64.deb ...
Unpacking libssl3:amd64 (3.0.2-0ubuntu1.4) over (3.0.2-0ubuntu1.2) ...
Setting up libssl3:amd64 (3.0.2-0ubuntu1.4) ...
Processing triggers for libc-bin (2.35-0ubuntu3) ...
{snipping for brevity}

ubuntu@ip-172-31-53-51:~$ dpkg -l | grep libssl
ii libssl3:amd64 3.0.2-0ubuntu1.4 amd64 Secure Sockets Layer toolkit - shared libraries

ubuntu@ip-172-31-53-51:~$ sudo apt-get install libmysqlclient-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libssl-dev : Depends: libssl3 (= 3.0.2-0ubuntu1.1) but 3.0.2-0ubuntu1.4 is to be installed
E: Unable to correct problems, you have held broken packages.

But now that libssl3 is using 3.0.2-0ubuntu1.4, let's see what happens if we try...

Hi,

I have the same issue with a fresh LXC image of Ubuntu 22.04.

So it's a real bug affecting not just a single instance of Ubuntu.

Sorry, new to this, I just did and sudo apt-get update and sudo apt-get -y install libmysqlclient-dev and now looks to be working for me. Thank you if someone fixed it:)

An openssl security update was published today which superseded the openssl phased update, so this issue should be fixed for now.

Indeed, it's now fixed, I can confirm it.

Thanks a lot !

Can also confirm.

For postgresql-server-dev also confirm.

The same problem now happens with libsystemd0 and libsystemd-dev.

We rolled the change out in 21.10 to avoid regressing 22.04 with bugs, but only received a single instance of this issue back then which was dismissed, maybe a bit too quickly as something known that needs to be resolved in launchpad (bug 1929082).

@juliank Thanks for working on this issue!

Status changed to 'Confirmed' because the bug affects multiple users.

This bug was fixed in the package apt - 2.5.1

---------------
apt (2.5.1) unstable; urgency=medium

  [ Américo Monteiro ]
  * Portuguese manpages translation update (Closes: #1011315)

  [ Ronan Desplanques ]
  * Fix integer underflow in flExtension

  [ Roberto C. Sánchez ]
  * Some minor tweaks of spelling/grammar for better readability.

  [ Tianon Gravi ]
  * Switch from "security.d.o" to "deb.d.o" (matching bullseye release notes)

  [ Julian Andres Klode ]
  * (Temporarily) Rewrite phased updates using a keep-back approach
    (LP: #1979244)
  * policy: Do not override negative pins with 1 due to phasing (LP: #1978125)

 -- Julian Andres Klode <email address hidden> Thu, 30 Jun 2022 13:27:30 +0200

> - a phased update that has a version in security

I see there is code here to special-case security updates, and there are also added tests for the scenario where there is a phased update in -security with a PUP of 0. Can you please clarify why you thought this necessary to implement? As an archive policy, all packages released to the security pocket are phased immediately to 100%, and in the exceptional case that we set the phasing to 0 for a package in the security pocket (instead of simply removing it in case of a problem), I would expect apt to honor that.

You misunderstood the test, the test has phased-security 2 in security and phased-security 3 is phasing in updates, at 0 to yield an easy test that it's really "not for us".

We don't have special casing for phased-update-percentage set on security updates. The behavior here is identical to update-manager and while I agree that it might make sense to handle that I feel like we can discuss that later rather than block this critical SRU now.

Surely everyone is aware that update-manager does not respect phasing on security updates already and takes care.

This SRU really is just "do what update-manager does, it worked so far". I prefer the pinning based implementation long term as it allows switching candidates (so it installs a good version from security rather than the bad version from updates) and works for install as well but needs more work in both launchpad dominator to keep previous versions in updates and apt to propagate candidate selections across a source package (set).

To add to that. In the classic update-manager algorithm if 2 is in security and 3 in updates is not for us, like phasing at 0 or just random chance, 3 is considered a security update and installed anyway.

The problem being that at this point we cannot adjust which version we're going to install or we'd pick version 2 (like the pinning based implementation). I mean I guess we could try that in the future, but it's riskier in terms of setting the solver on 🔥.

Since image building does not yet respect phasing at all and can't until launchpad preserves previous unphased updates, and update-manager does not either for security updates, removals will always be preferable over PUP of 0.

Hello Felipe, or anyone else affected,

Accepted apt into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.4.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Felipe, or anyone else affected,

Accepted apt into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.3.9ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted apt (2.3.9ubuntu0.2) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

reprotest/0.7.16 (amd64, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted apt (2.4.6) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.20.11-0ubuntu82.1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Marking them as verified as the tests testing those cases have passed. We're also asking for community testing in parallel to make sure there are not any more regressions that the tests don't cover, but we are using the normal aging period for that, so it's best to tag it verified for now, if there's some regression in the period we can remove it, but otherwise people forget to look at it if it stays unverified.

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

This bug was fixed in the package apt - 2.4.6

---------------
apt (2.4.6) jammy; urgency=medium

  * (Temporarily) Rewrite phased updates using a keep-back approach
    (LP: #1979244)
  * policy: Do not override negative pins with 1 due to phasing (LP: #1978125)
  * Point branch to 2.4.y and use jammy in gitlab-ci

 -- Julian Andres Klode <email address hidden> Thu, 30 Jun 2022 15:33:22 +0200

The verification of the Stable Release Update for apt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.