#1109510 strongswan: fails to dist-upgrade from bookworm to trixie

Package:
strongswan
Source:
strongswan
Submitter:
Lucas Nussbaum
Date:
2025-07-22 17:15:05 UTC
Severity:
normal
#1109510#5
Date:
2025-07-19 09:51:47 UTC
Hi,

The following fails:
- In bookworm, install strongswan
- dist-upgrade to trixie
I would expect strongswan to be upgraded, but it is not. It remains at the bookworm version.
'apt install'ing manually in trixie works fine.

There might be some missing Replaces/Provides somewhere to hint apt at upgrading the package.

MWE:
PKG=strongswan; mmdebstrap --chrooted-customize-hook="set -x ; apt -y install $PKG  && sed -e s/bookworm/trixie/ -i /etc/apt/sources.list && apt update && apt dist-upgrade -y -o Debug::pkgProblemResolver=true && apt -y install $PKG" bookworm /dev/null

Relevant part:
Investigating (0) strongswan-charon:amd64 < 5.9.8-5+deb12u1 -> 6.0.1-5 @ii umU Ib >
Broken strongswan-charon:amd64 Conflicts on charon-systemd:amd64 < none -> 6.0.1-5 @un uN Ib >
  Considering charon-systemd:amd64 -1 as a solution to strongswan-charon:amd64 1
  Added charon-systemd:amd64 to the remove list
  Fixing strongswan-charon:amd64 via keep of charon-systemd:amd64
Investigating (0) libgdbm-compat4t64:amd64 < none -> 1.24-2 @un uN Ib >
Broken libgdbm-compat4t64:amd64 Breaks on libgdbm-compat4:amd64 < 1.23-3 @ii mK > (< 1.24-2)
  Considering libgdbm-compat4:amd64 -2 as a solution to libgdbm-compat4t64:amd64 1
  Added libgdbm-compat4:amd64 to the remove list
  Fixing libgdbm-compat4t64:amd64 via remove of libgdbm-compat4:amd64
Investigating (0) strongswan:amd64 < 5.9.8-5+deb12u1 -> 6.0.1-5 @ii umU Ib >
Broken strongswan:amd64 Depends on charon-systemd:amd64 < none | 6.0.1-5 @un uH >
  Considering charon-systemd:amd64 -1 as a solution to strongswan:amd64 0
  Holding Back strongswan:amd64 rather than change charon-systemd:amd64
 Try to Re-Instate (1) strongswan:amd64

 [...]

+ apt -y install strongswan
The following packages were automatically installed and are no longer required:
  libapt-pkg6.0  libargon2-1  libgnutls30  libtasn1-6  libunistring2  strongswan-starter
Use 'apt autoremove' to remove them.

Upgrading:
  strongswan

Installing dependencies:
  charon-systemd  strongswan-swanctl

REMOVING:
  strongswan-charon
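
An added example, not part of the original report or of apt: a small parser that condenses a Debug::pkgProblemResolver trace into the packages that were held back and the relation that blocked each one. The line layout it matches is assumed from the trace lines quoted in this report only, and the function and field names are hypothetical.

```python
import re

# Sample input: resolver trace lines copied from the report above.
TRACE = """\
Investigating (0) strongswan-charon:amd64 < 5.9.8-5+deb12u1 -> 6.0.1-5 @ii umU Ib >
Broken strongswan-charon:amd64 Conflicts on charon-systemd:amd64 < none -> 6.0.1-5 @un uN Ib >
  Considering charon-systemd:amd64 -1 as a solution to strongswan-charon:amd64 1
  Added charon-systemd:amd64 to the remove list
  Fixing strongswan-charon:amd64 via keep of charon-systemd:amd64
Investigating (0) libgdbm-compat4t64:amd64 < none -> 1.24-2 @un uN Ib >
Broken libgdbm-compat4t64:amd64 Breaks on libgdbm-compat4:amd64 < 1.23-3 @ii mK > (< 1.24-2)
  Considering libgdbm-compat4:amd64 -2 as a solution to libgdbm-compat4t64:amd64 1
  Added libgdbm-compat4:amd64 to the remove list
  Fixing libgdbm-compat4t64:amd64 via remove of libgdbm-compat4:amd64
Investigating (0) strongswan:amd64 < 5.9.8-5+deb12u1 -> 6.0.1-5 @ii umU Ib >
Broken strongswan:amd64 Depends on charon-systemd:amd64 < none | 6.0.1-5 @un uH >
  Considering charon-systemd:amd64 -1 as a solution to strongswan:amd64 0
  Holding Back strongswan:amd64 rather than change charon-systemd:amd64
"""

# Patterns derived from the quoted lines (assumed layout, not an apt specification).
INVESTIGATING = re.compile(r"^Investigating \(\d+\) (\S+) < (\S+) -> (\S+) ")
BROKEN = re.compile(r"^Broken (\S+) (\S+) on (\S+)")
FIXING = re.compile(r"^\s*Fixing (\S+) via (keep|remove) of (\S+)")
HOLDING = re.compile(r"^\s*Holding Back (\S+) rather than change (\S+)")

def summarize(trace):
    """Return (held_back, decisions) extracted from a resolver trace."""
    versions, relations, held, decisions = {}, {}, [], []
    for line in trace.splitlines():
        if m := INVESTIGATING.match(line):
            versions[m[1]] = (m[2], m[3])      # installed -> candidate
        elif m := BROKEN.match(line):
            relations[m[1]] = (m[2], m[3])     # e.g. ("Depends", "charon-systemd:amd64")
        elif m := FIXING.match(line):
            decisions.append((m[1], m[2], m[3]))
        elif m := HOLDING.match(line):
            installed, candidate = versions.get(m[1], (None, None))
            relation, _target = relations.get(m[1], (None, None))
            held.append({"package": m[1], "installed": installed,
                         "candidate": candidate, "relation": relation,
                         "blocker": m[2]})
    return held, decisions

if __name__ == "__main__":
    for h in summarize(TRACE)[0]:
        print("{package}: stays at {installed} (candidate {candidate}), "
              "{relation} on {blocker} not satisfied".format(**h))
```

On a host that has just gone through a release upgrade, a non-empty held-back list for a VPN daemon's metapackage is the signal that it is still running the previous release's version.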

#1109510#10
Date:
2025-07-19 16:30:37 UTC
Hi Lucas, thanks for the report but I'm not too sure what happens here.
There's indeed a change in the metapackage dependencies for Bookworm and I had
the impression everything was working.

I noticed you used dist-upgrade and not full upgrade. Does that change
anything? I'll try to reproduce using the above command line but if you
already have a working setup it might be faster for you.

Regards,

#1109510#15
Date:
2025-07-19 18:25:58 UTC
Hi Yves-Alexis,

No, it's the same with full-upgrade.

Lucas

#1109510#20
Date:
2025-07-20 10:25:02 UTC
control: tag -1 help

Hey Lucas,

I tried using my pbuilder chroot and it seems that I'm able to reproduce, but
I'm honestly not sure how to fix that. I don't know enough about the apt solver to
really understand the debug output.

The strongswan metapackage was indeed updated between Bookworm and Trixie.

In bookworm strongswan pulls strongswan-charon and strongswan-starter
In trixie strongswan pulls charon-systemd and strongswan-swanctl

That's expected and it's especially ok for new installs.

For existing ones it'll likely need administrator action (to port the
configuration) and they're warned by a NEWS.Debian entry (and I think it might
deserve a release note entry as well).

I guess it could be argued that manually upgrading the strongswan metapackage
would be best so the administrator wouldn't be too surprised by the change,
but maybe that's suboptimal for unattended upgrades?

In any case, help would be appreciated on how to interpret apt output and how
to make it accept the removal of strongswan-charon for upgrading the
strongswan metapackage.

Maybe I need to add Replaces: strongswan-charon to the charon-systemd package
but I'm not sure it really expresses the situation.

Regards,

#1109510#27
Date:
2025-07-20 14:29:23 UTC
I'm still not sure it's the right solution but I tried to add:

Package: charon-systemd
[...]
Replaces: strongswan-charon (<< 6.0.1-1~)

But I still get the same during the upgrade:

Investigating (0) strongswan:amd64 < 5.9.8-5+deb12u1 -> 6.0.1-6 @ii umU Ib >
Broken strongswan:amd64 Depends on charon-systemd:amd64 < none | 6.0.1-6 @un uH >
  Considering charon-systemd:amd64 -1 as a solution to strongswan:amd64 0
  Holding Back strongswan:amd64 rather than change charon-systemd:amd64
 Try to Re-Instate (1) strongswan:amd64

I have no idea why apt doesn't want to 'change charon-systemd:amd64'.

Regards,

#1109510#32
Date:
2025-07-21 16:12:05 UTC
Hi Yves-Alexis,

* Yves-Alexis Perez <corsac@debian.org> [2025-07-20 16:29]:

The problem is that bookworm apt prefers keeping strongswan-charon
installed over other solutions. This is described in:

https://wiki.debian.org/RenamingPackages

So strongswan-charon would need to become a transitional dummy package
that depends on charon-systemd and the maintainer scripts should take
care of transitioning the configuration files. The Conflicts: can also
be dropped then.

Feel free to ask if you need more explanation.

Cheers Jochen

#1109510#37
Date:
2025-07-21 16:33:48 UTC
Hi Jochen, thanks but it's not a case of renaming packages.

Both strongswan-charon and charon-systemd exist in Bookworm and Trixie. Both
are working and can be installed if the user chooses so. They fill the same
role (they include an IKE daemon for setting up IPsec tunnels) but
differently.

strongswan-charon is the "historical" (legacy) charon daemon, which is being
phased out in favor of charon-systemd. That's why we updated the dependency
for the strongswan metapackage. We recommend people to migrate to the new
daemon, and for new installs that'll be the case. For old installations one
could actually wonder if we should actually migrate, but in any case we would
still want to actually upgrade the packages.

So I'm not sure how to express that in apt relationships.

Regards,

#1109510#42
Date:
2025-07-21 16:42:31 UTC
Yes indeed, we just don't want to force that on them. They can still keep
strongswan-charon (and strongswan-starter) along with their current
configuration, and migrate on their own terms.

Ah, good point, that might work, let's try that. I'll report back here.

Regards,

#1109510#47
Date:
2025-07-21 16:50:27 UTC
So, it seems to work on Bookworm -> Trixie but won't that mean we'll have the
same problem again (for those installs) in Trixie -> Forky if I remove the
alternate dependency at that point?

Regards,

#1109510#52
Date:
2025-07-21 16:55:32 UTC
* Yves-Alexis Perez <corsac@debian.org> [2025-07-21 18:50]:

For Forky you would have to do the transition dummy package and
maintainer scripts conversion then.

Cheers Jochen

#1109510#57
Date:
2025-07-22 06:04:57 UTC
Hey Jochen

as already said, that's not an option for us. There's no plan to retire
strongswan-charon (and strongswan-starter) packages.

Regards,

#1109510#62
Date:
2025-07-22 06:43:35 UTC
* Yves-Alexis Perez <corsac@debian.org> [2025-07-22 08:04]:

Why would you drop the alternate dependency in Forky then?

What should happen to users having strongswan and strongswan-charon
installed when upgrading to Forky?

Btw. there is currently a new solver in apt that would remove
strongswan-charon and install charon-systemd instead. That will likely
become the default in Forky so it could work without a transition dummy
package then.

In any case, I would propose to add the alternate dependency for Trixie
and do an upload soon as time is running out.

Cheers Jochen

#1109510#67
Date:
2025-07-22 16:08:40 UTC
Because at some point I'd like strongswan's only dependencies to be
charon-systemd and strongswan-swanctl.

I think I would have expected strongswan to be upgraded, strongswan-charon
(and strongswan-starter) removed and charon-systemd/strongswan-swanctl
installed.

It would have been better to have the package co-installable but they bind on
the same port so that doesn't really make sense.

That would be nice, yes.

I guess so…

#1109510#72
Date:
2025-07-22 16:34:40 UTC
We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated strongswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 22 Jul 2025 18:24:43 +0200
Source: strongswan
Architecture: source
Version: 6.0.1-6
Distribution: unstable
Urgency: medium
Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Closes: 1109510
Changes:
 strongswan (6.0.1-6) unstable; urgency=medium
 .
   * d/control: keep strongswan-charon and strongswan-starter as acceptable
     dependencies for strongswan
     (Closes: #1109510)