From 2a4632a0206084eaf6d8baba082b6f636e57d56a Mon Sep 17 00:00:00 2001 From: Date Huang Date: Tue, 14 Jul 2026 14:10:41 +0800 Subject: openssl: T9083: fix APT detected package downgrade despite identical versions VyOS rolling APT repo (packages.vyos.net/repositories/rolling) publishing its own openssl/libssl3 packages, pinned at priority 600 (higher than Debian's 500) causes a "poisoning" of the APT cache policy inside the chroot: openssl: Installed: 3.0.20-1~deb12u2 Candidate: 3.0.20-1~deb12u2 Version table: * 3.0.20-1~deb12u2 500 <- debian bookworm + bookworm-security * 3.0.20-1~deb12u2 600 <- packages.vyos.net rolling (same version string, higher pin) * 3.0.17-1~deb12u2 500 <- bookworm-updates This results in APT seeing a version-string tie between Debian's build and the VyOS repo build of the same package and, because of the pin-priority swap, classifies switching to the VyOS repo copy as a "downgrade". This is fixed by appending a clear VyOS related marked to the package version, preventing any possible downgrade detection. Signed-off-by: Date Huang Co-authored-by: Christian Breunig --- scripts/package-build/openssl/package.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'scripts') diff --git a/scripts/package-build/openssl/package.toml b/scripts/package-build/openssl/package.toml index 6dfd32e0..b38022ca 100644 --- a/scripts/package-build/openssl/package.toml +++ b/scripts/package-build/openssl/package.toml @@ -2,4 +2,5 @@ name = "openssl" commit_id = "debian/openssl-3.0.20-1_deb12u2" scm_url = "https://salsa.debian.org/debian/openssl.git" -build_cmd = "dpkg-buildpackage -us -uc -tc -b" +pre_build_hook = "git reset --hard HEAD && git clean -ffdx" +build_cmd = "sed -i '1s/)/+vyos1)/' debian/changelog && dpkg-buildpackage -us -uc -tc -b" -- cgit v1.2.3