Coping with Ubuntu 18.04's partial transition to openssl 1.1

Ubuntu 18.04 migrated many packages to openssl 1.1... but not all. And since openssl-1.0-dev and openssl-dev cannot be installed at the same time, building any code that depends on libraries of both flavors is doomed to fail. See for some discussion on the problem.

For instance, the packages xmltooling, xml-security-c, and opensaml2 all still depend on the older openssl. Happily, Ubuntu 18.10 has updated these packages, and it's not hard to backport them to Ubuntu 18.04. I did that and uploaded the backport sources to a ppa.
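
To check a machine for the mix described above, the following added example (not part of the original post) classifies packages by which libssl runtime they depend on. It assumes Ubuntu 18.04's runtime package names libssl1.0.0 and libssl1.1; the function names and the sample Depends lines are made up for illustration.

```bash
#!/usr/bin/env bash
# Classify packages by the libssl runtime they depend on.
# stdin : "package<TAB>Depends field", one per line, e.g. from
#         dpkg-query -W -f='${Package}\t${Depends}\n'
# stdout: "package<TAB>flavor", flavor = 1.0 | 1.1 | both | none
# Assumption: runtime package names libssl1.0.0 and libssl1.1 (Ubuntu 18.04).
classify_libssl_deps() {
    awk -F'\t' '{
        has10 = 0; has11 = 0
        n = split($2, deps, /[,|]/)       # "," separates deps, "|" alternatives
        for (i = 1; i <= n; i++) {
            d = deps[i]
            sub(/^ +/, "", d)             # trim leading blanks
            sub(/[ (:].*$/, "", d)        # drop "(>= ver)" and ":arch"
            if (d == "libssl1.0.0") has10 = 1
            if (d == "libssl1.1")   has11 = 1
        }
        flavor = (has10 && has11) ? "both" : (has10 ? "1.0" : (has11 ? "1.1" : "none"))
        print $1 "\t" flavor
    }'
}

# Exit 0 when the classified list contains users of both flavors.
has_mixed_flavors() {
    awk -F'\t' '
        $2 == "1.0" || $2 == "both" { old = 1 }
        $2 == "1.1" || $2 == "both" { cur = 1 }
        END { exit !(old && cur) }'
}

# Constructed sample input (not real dpkg output).
sample_depends() {
    printf '%s\t%s\n' \
        'libxmltooling7' 'libc6 (>= 2.14), libssl1.0.0 (>= 1.0.2~beta3)' \
        'libcurl4'       'libc6 (>= 2.17), libssl1.1 (>= 1.1.0), zlib1g (>= 1:1.1.4)' \
        'zlib1g'         'libc6 (>= 2.14)'
}

sample_depends | classify_libssl_deps
if sample_depends | classify_libssl_deps | has_mixed_flavors; then
    echo "both libssl flavors are in use"
fi
```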

Using the openssl-uplift ppa

If you really need the backports, you can install them from the openssl-uplift ppa, e.g.

$ sudo add-apt-repository ppa:dank/openssl-uplift
$ sudo apt dist-upgrade
$ sudo apt install libsaml2-dev libxml-security-c-dev libxmltooling-dev

To stop using them, uninstall the packages you installed (!), then purge the ppa (which also removes any remaining packages from that ppa), e.g.

$ sudo apt install ppa-purge aptitude
$ sudo apt remove libsaml2-dev libxml-security-c-dev libxmltooling-dev
$ sudo ppa-purge ppa:dank/openssl-uplift

It's a bit odd that I had to do apt dist-upgrade before installing the dev packages, and uninstall them manually before running ppa-purge, but apt needs a little manual help to avoid getting confused by the twisty dependencies.

Creating the openssl-uplift ppa

Here's how I dunnit:

First, I created a fresh ubuntu 18.10 instance with

$ lxc launch ubuntu:18.10 demo-ubu1810

In it, I retrieved the new package sources with the small script

I then created a fresh ubuntu 18.04 instance with

$ lxc launch ubuntu:18.04 demo-ubu1804

logged into it, transferred the downloaded sources to it, and applied two very small patches to fix dependencies, version numbers, and add appropriate changelog entries:

$ wget
$ wget
$ rm -f *.debian.tar*    # old debian tarballs now stale...
$ patch -p0 < ubu1804-backport.patch
$ patch -p1 < changelogs.patch

Then I backed up the edited source trees, and did a check build with the small script

Once that succeeded, I followed Gert van Dijk's backport tutorial to set up for building signed packages.

Dealing with gpg is always traumatic for me, mostly because I forget the passphrase for my secret key... so I had to generate a new one and upload it to the ubuntu keyserver; see my Uploading to an Ubuntu PPA page.

I then repeated the build without the "-b -uc -us" options on debuild, and verified that nice signed packages were generated.

I then restored the backup to get the source trees without any build products, and did a source-only build with the small script since launchpad does not allow mixed source/binary builds.

When that succeeded, I uploaded the source packages to my ppa. Because they have to build in a certain order, I did this one at a time in build order, i.e. I first did

$ dput ppa:dank/openssl-uplift xml-security-c_2.0.1-1~bionic_source.changes

and waited for the ppa page to show the build succeeded, then I uploaded xmltooling, waited again, and uploaded opensaml2.

Careful, if you forget to specify the ppa to dput, it tries to upload... elsewhere, which is probably bad.