[Freedombox-discuss] Dependency problem for matrix-synapse.

Diederik de Haas didi.debian at cknow.org
Wed Jan 12 23:56:00 GMT 2022

First I want to make a few remarks, possibly for you but surely for other 
people who may be reading this (too).

1) It is perfectly fine to have no updates for days or even weeks on a Debian 
Stable system. FreedomBox is primarily based on Stable, but it also has 
stable-backports and therefor *may* have more frequent updates then a purely 
Stable system.

2) One of FreedomBox's goal is to take system maintenance out the hands of 
users, so that inexperienced users can (fully) use the system too.
Having said that, it is a Debian system which consists of FREE(dom) software, 
so you have every right to modify it as you see fit (as long as you respect the 
licenses). And you as the system administrator of FreedomBox ofc have that 
right too :-)
Experimenting (and breaking) things is a great way to learn more how the 
system works, which can be useful in several ways. And it can be fun.

I've 'shuffled' the previous mail/answers a bit as I hope that'll improve the 
learning experience.

On Wednesday, 12 January 2022 19:30:07 CET A. F. Cano wrote:
> On Wed, Jan 12, 2022 at 05:47:30PM +0100, Diederik de Haas wrote:
> > On woensdag 12 januari 2022 15:19:25 CET A. F. Cano wrote:
> It doesn't seem right that matrix-synapse-ldap3 is a recommendation (not
> a dependency) and yet...

In Debian a Dependency relation indicates that a piece of software can not, in 
any way, function (at all) without that other software package.

>From the description of matrix-synapse-ldap3:
"This package allows synapse to use LDAP for authentication as opposed to 
usual authentication via registering using a matrix client."

This shows that the package is not required and even the non-standard way, so 
surely not a dependency.
In other cases the link between 2 packages may be stronger, like you *really* 
want that other package installed too for most of the functionality (in the 
most used use-case), but *technically* you can use package A without package 
B, then that is a Recommended relation.
Quite a number of years ago it was different, but nowadays you REALLY should 
install Recommends. It's also the default.
If you don't, you should be capable of detecting and fixing things when they 
break, which will likely happen at some point.

Then there's a Suggests relation, which indicates that there's a (good?) 
chance you want package C too as it can be useful, but it is not required to 
use the software.
(There's also an Enhances relation, but I actually don't know in what sense 
that differs from Suggests)

What often causes confusion wrt Depends and Recommends is that something may 
feel like a dependency relation, but it technically is not.
It may even be a package which is needed for most use cases, but there is a 
use case where it is not, then it's still a Recommends.

Now let's examine your situation.

> > What may help is the output of the following commands:
> > - aptitude versions matrix-synapse
> $ sudo aptitude versions matrix-synapse
>  i   1.48.0-1~bpo11+1                                                    100
> p   1.49.0-1~bpo11+2         bullseye-backports     100

The version you have installed is no longer known to any repositories you have 
configured on your system, while the one that is, is not (yet) installed.
Not catastrophic, but not good either. Let's find out why that is...

FTR: you can do many 'aptitude' commands without sudo. You only need sudo when 
you modify the system by installing or upgrading packages. But the 'versions', 
'why', 'search' and also 'install/upgrade -s' where the -s stands for 
simulate, can be done without sudo (and you therefor should).

> > - aptitude search ~b
> The -b option doesn't seem to be valid

It's not 'minus b', but 'tilde b' and it would return broken dependencies.
See https://www.debian.org/doc/manuals/aptitude/ch02s04s05.en.html for that 
and many more options you can use to query (APT through) aptitude.
If there are broken dependencies, that is bad and should be remedied asap.

> > > turns out it needed python3-authlib and python3-jwt.  Installed those
> > > manually and then tried again.
> $ sudo aptitude why python3-authlib
> i   matrix-synapse Suggests python3-authlib (>= 0.14.0)
> > - aptitude why python3-jwt
> $ sudo aptitude why python3-jwt
> i   matrix-synapse Suggests python3-jwt (>= 1.6.4)

This shows there is no Depends or Recommends relation, only a Suggests.
Why do you think they are needed (which I interpret as Depends/Recommends)?

I'll now explain something about package state, because it seems like the best 
place _sequentially_ in my response. But it shows the package state of the 
first shown package, which is matrix-synapse in this case, not python3-jwt.

Note that the 1st 'column' in aptitude's result gives useful info:
- 'i' means MANUALLY installed
- 'i A' means AUTOMATICALLY installed (as Depends or Recommends)
- 'p' means available but not installed.

The difference between manually and automatically installed is important for 
aptitude in finding possible solutions to an upgrade problem.
If a package was automatically installed, but it is no longer needed, then it 
can safely be removed (and aptitude (usually?) does that).
If a package is manually installed (by the system administrator, ie you), then 
you tell aptitude "I want to have this package" and aptitude respects that.
If there is an installation/upgrade issue to be resolved, then aptitude 
searches for possible solutions (this is one of the great strengths of 
aptitude over just apt(-get)) and solutions which would result in removing 
manually installed package get put at the bottom of the list as you 
(apparently) had a good reason to install that package.
If you 'push' aptitude long enough by rejecting (many) possible solutions (or 
explicitly directing towards such a solution), then it may 'at last resort' 
even offer that, but you'd normally not see those.

So if you don't have an *explicit* reason why you want/need python3-authlib 
and/or python3-jwt, I would suggest to change it (package) state to 
automatically installed, if they're not already.
This is changing the system so you do need sudo for this:
$ sudo aptitude markauto python3-authlib python3-jwt

If they were already marked as automatically installed, the above command will 
not actually do anything.

This likely will not remove those packages as there's still a Suggests 
relation, but it will give aptitude more freedom in finding possible solutions.

> > > It now needs python3-frozendict, which is already installed (at version
> > > 3.38.0-2).  It now breaks matrix-synapse-ldap3.  Removed it. 
> > > Reinstalled it. Actually 2 packages were re-installed, but it's back at
> > > "Breaks matrix-synapse-ldap3 (< 0.1.3-2-)".

The python3-frozendict package is an actual Depends of matrix-synapse so if 
you actually removed it, you very likely forced things (hard).
When you 'need' to force things, that likely means things are not in a very 
healthy 'state' and you'd make it (far) worse by forcing it. There is (very) 
likely a better solution, which _can_ also be to wait a few days.

While typing this response, I saw Sunil's mail come by. Having backports 
enabled, which FreedomBox does, can complicate things. But forcing things 
really should be considered a last-resort type of action.

> $ sudo aptitude search matrix-synapse
> i   matrix-synapse                  - Matrix reference homeserver
> i   matrix-synapse-ldap3      - LDAP auth provider for the Matrix homeser
> v python3-matrix-synapse-ldap3    -

I would mark matrix-synapse-ldap3 as automatically installed. It is useless by 
itself, without matrix-synapse, and it is Recommended by matrix-synapse, so it 
won't be removed. IMO it would improve the 'health' of the apt/aptitude 
package state database.

> > The 2 'why' queries are because those packages are *suggested* by matrix-
> > synapse, so I'd like to know what makes them needed.
> That is the question, isn't it? Even with those packages installed,
> there is still the issue with matrix-synapse-ldap3

I have not yet found a relationship between python3-jwt/python3-authlib and 
matrix-synapse-ldap3, so for the time being I'll assume those are not 

> In interactive aptitude

That is often (also) called the TUI interface.
I will only give commands for the 'CLI' interface, to be executed directly in 
the terminal. Mostly because that's what I'm (quite) familiar with, but also 
because it's easy, and very useful in 'debugging', to copy the full response 
in the/a reply. The *full* response of aptitude tends to be quite informative.

> python3-frozendict is reported at 1.2-2, so it looks like this is the
> explanation: 1.4.9 matrix-synapse requires 1.2-3.
> Whether it is correct that this dependency prevents the upgrade to 1.49,
> I don't know.

Given Sunil's response, it looks like your conclusion is correct :)

> After deleting and undeleting (from within aptitude) frozendict is no longer
> marked as UNSATISFIED, the dependencies part only says:

Within aptitude's TUI you can 'mock about' quite a bit (IIRC), but if you'd 
have committed the 'deletion' of python3-frozendict, you would've broken your 

> But matrix-synapse still breaks matrix-synapse-ldap3 and the 1.49
> version is still broken:
>   --\ Versions of matrix-synapse (2)
> id   1.48.0-1~bpo11+1                   -8,164 kB
> pB   1.49.0-1~bpo11+2                   +8,288 kB

https://www.debian.org/doc/manuals/aptitude/ch02s02s02.en.html explains those 
state and action flags ... not good.

> I don't know what else to try.

While Sunil may already have found the (full) solution, if you've managed to 
read this ridiculously long reply this far ;-P I should also tell/explain how 
I would (try to) solve it. And this is exactly/actually why aptitude is so 
great (IMO): dependency resolving.

As mentioned earlier, I suggest to do this via the CLI interface and first try 
it with the '-s' parameter for 'simulate' and you can do that without sudo.

$ aptitude -s install matrix-synapse=1.49.0-1~bpo11+2

This will install/upgrade matrix-synapse to version 1.49.0-1~bpo11+2 and 
aptitude will search for a way to make that happen and suggest it to you.
It may be that you don't like its first suggestion and if so, you should 
respond with 'n' (No) and aptitude will search for another suggestion. You can 
keep doing that until you find a proper solution or aptitude (really) can't find 
any other solution to suggest to you.

With each suggestion, it will tell you (in detail) what/why that suggestion is 
'problematic'. If it is in no way problematic, it'll just install/upgrade the 
package, but that doesn't seem to be the case here.
You can share the output here and I can help you interpret what aptitude is 
telling you. But if you understand it enough, you should be able to fix it by 
yourself. You can say 'q' to any suggestion aptitude gives, to quit the 
problem resolver and fix the problem you found. And then you run the command 
again. You're in simulate-mode, so you can do whatever you want without 
breaking your system. So do feel free to experiment in this mode!

You can do that as many times as you like until you're satisfied with the 
result. And then you do the same command, but now without '-s' and with sudo 
to actually apply the solution you found earlier.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/freedombox-discuss/attachments/20220113/d7fc1d6c/attachment.sig>

More information about the Freedombox-discuss mailing list