Coping with Ubuntu 18.04's partial transition to openssl 1.1

Ubuntu 18.04 migrated many packages to openssl 1.1... but not all. And since openssl-1.0-dev and openssl-dev cannot be installed at the same time, building any code that depends on libraries of both flavors is doomed to fail. See https://bugs.launchpad.net/bugs/1794589 for some discussion on the problem.

For instance, the packages xmltooling, xml-security-c, and opensaml2 all still depend on the older openssl. Happily, Ubuntu 18.10 has updated these packages, and it's not hard to backport them to Ubuntu 18.04. I did that and uploaded the backport sources to a ppa.

Using the openssl-uplift ppa

If you really need the backports, you can install them from the openssl-uplift ppa, e.g.
$ sudo add-apt-repository ppa:dank/openssl-uplift
$ sudo apt dist-upgrade
$ sudo apt install libsaml2-dev libxml-security-c-dev libxmltooling-dev
To stop using them, uninstall the packages you installed (!), then purge the ppa (which also removes any remaining packages from that ppa), e.g.
$ sudo apt install ppa-purge aptitude
$ sudo apt remove libsaml2-dev libxml-security-c-dev libxmltooling-dev
$ sudo ppa-purge ppa:dank/openssl-uplift
It's a bit odd that I had to do apt dist-upgrade before installing the dev packages, and uninstall them manually before running ppa-purge, but apt needs a little manual help to avoid getting confused by the twisty dependencies.

Creating the openssl-uplift ppa

Here's how I dunnit:

First, I created a fresh ubuntu 18.10 instance with

$ lxc launch ubuntu:18.10 demo-ubu1810
In it, I retrieved the new package sources with the small script grab.sh.txt.

I then created a fresh ubuntu 18.04 instance with

$ lxc launch ubuntu:18.04 demo-ubu1804
logged into it, transferred the downloaded sources to it, and applied two very small patches to fix dependencies, version numbers, and add appropriate changelog entries:
$ wget http://kegel.com/linux/openssl-ubuntu18.04-snafu/ubu1804-backport.patch
$ wget http://kegel.com/linux/openssl-ubuntu18.04-snafu/changelogs.patch
$ rm -f *.debian.tar*    # old debian tarballs now stale...
$ patch -p0 < ubu1804-backport.patch 
$ patch -p1 < changelogs.patch

Then I backed up the edited source trees, and did a check build with the small script build.sh.txt.

Once that succeeded, I followed Gert van Dijk's backport tutorial to set up for building signed packages.

Dealing with gpg is always traumatic for me, mostly because I forget the passphrase for my secret key... so I had to generate a new one and upload it to the ubuntu keyserver.

I then repeated the build without the "-b -uc -us" options on debuild, and verified that nice signed packages were generated.

I then restored the backup to get the source trees without any build products, and did a source-only build with the small script srcbuild.sh.txt. since launchpad does not allow mixed source/binary builds.

When that succeeded, I the source packages to my ppa. Because they have to build in a certain order, I did this one at a time in build order, i.e. I first did

dput ppa:dank/openssl-uplift xml-security-c_2.0.1-1~bionic_source.changes
and waited for the ppa page to show the build succeeded, then I uploaded xmltooling, waited again, and uploaded opensaml2.

Careful, if you forget to specify the ppa to dput, it tries to upload... elsewhere, which is probably bad.