Changing package dependency info in Ubuntu

Below I describe a general technique for modifying dependency info of a package to fool the package manager into allowing the package to be installed. I describe this technique using the specific example of installing firefox-3.5 from a third-party repository which contained the dependency problem I needed to resolve.


Recently I wanted to test out the new firefox-3.5 on my Ubuntu 8.10 (Intrepid) and I didn’t want to upgrade (I don’t think its in jaunty anyway) due to a previous upgrade disaster to jaunty. Googling around I found Ubuntu Mozilla Daily Build Team, which has an ubuntu repository of the latest firefox builds, among other mozilla related stuff.

So I did the whole “add foreign repository” process, adding the repository and verification key. Then I did did an update and tried to install the firefox-3.5 package through the synaptics gui. It complained about not being able to satisfy dependencies and wouldn’t let me mark it for installation.

Upon further investigation, I concluded that the issue was that firefox-3.5 had a dependency for xulrunner-1.9.1 (>= 1.9.1~rc2). But the only version of xulrunner that the repository had was version 1.9.1~hg20090620r26001+nobinonly-0ubuntu1~umd1~intrepid. Since the firefox-3.5 package was version 3.5~hg20090620r26001+nobinonly-0ubuntu1~umd1~intrepid, I assumed that was the correct version of the xulrunner-1.9.1. I haven’t looked into it, but it must be that debian/ubuntu’s version comparison routine thinks that 1.9.1~rc2 > 1.9.1~hg20090620r26001+nobinonly-0ubuntu1~umd1~intrepid, but the package maintainers actually thought that should be false. Thus, I concluded that it should be safe to force the installation of the packages, even if I had to fool the package manager.

Fooling the package manager

Here’s what I did and I know there are other ways of achieving the same thing. Since synaptics wouldn’t even let me mark the package for upgrade, I didn’t have the firefox-3.5 deb package in the package cache. So to get synaptics to retrieve the deb, I first had to fool it into thinking the dependency could be met. I did this by modifying the cached repository list for the packages, which in my cases was /var/lib/apt/lists/ppa.launchpad.net_ubuntu-mozilla-daily_ppa_ubuntu_dists_intrepid_main_binary-i386_Packages. I searched for the line “Package: firefox-3.5”, which will get you to the section on that package. In that section, there is dependency information about the package and I modified “xulrunner-1.9.1 (>= 1.9.1~rc2)” to “xulrunner-1.9.1 (>= 1.9.0)”, which I figured was sure to pass the version test.

I restarted synaptics and was able to mark the packages fro upgrade. However, when I tried to then install the packages, they were downloaded but failed on installation. This was the debian package management system, which ubuntu is built on, has dependency information in the packages as well. That makes sense, because one might want to install a package that didn’t come from a repository, but causes more work for me.

So I needed to now modify the dependency information inside the deb package file. I went to the package cache directory, /var/cache/apt/archives, where the downloaded deb packages are stored. The firefox-3.5 package was extracted with dpkg-deb -x <deb file> <extracted archive dir> and dpkg-deb -e <deb file> <extracted archive dir>/DEBIAN, the latter being needed to extract the dependency file. The contents of <extracted archive dir>/DEBIAN/control look very similar to the firefox-3.5 section of the cached package listing file we modified earlier. I changed the dependency to match the change in the cached package listing file and rebuilt the deb package with dpkg-deb -b.

Now, at this point I thought I would be good to go. It turns out that now your package won’t match file verification values in the package listing (noticed the MD5sum and SHA1 lines?). So I modified the size, md5, and sha1 values in the package listing. Upon reinstalling firefox-3.5 from synaptics, everything installed with out a hitch and I now have a functioning firefox 3.5 to play with.

NOTE: Make sure that in the last step of reinstalling firefox-3.5 from synaptics that you aren’t downloading any files. If you are, then your size, md5, and/or sha1 values are probably not correct. It definitely won’t work if you are downloading data because your modified package in the package cache will get overwritten with the original.


One Response to “Changing package dependency info in Ubuntu”

  1. stranger Says:

    this is awesome! very thorough and easy-to-follow
    much thanks) helped a lot

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: