My bookworm upgrade problems and solutions

Final Sate

Everything is okay. I left for a week and when I came back expecting to deal with Post Upgrade State my 38 packages not upgraded were current.

I manually reinstalled tt-rss from plinth and the app worked at that point and retained all of my old RSS feeds.

Total victory.

Post Upgrade State

Freedombox is running and mostly pleased with itself. tt-rss didn’t make it through the upgrade. I have about 38 packages which didn’t get upgraded:

calibre-bin/stable 6.13.0+repack-2 amd64 [upgradable from: 5.44.0+dfsg-1~bpo11+1]
calibre/stable 6.13.0+repack-2 all [upgradable from: 5.12.0+dfsg-1+deb11u1]
default-mysql-server/stable 1.1.0 all [upgradable from: 1.0.7]
gsasl-common/stable 2.2.0-1 all [upgradable from: 1.10.0-4+deb11u1]
libinput-bin/stable 1.22.1-1 amd64 [upgradable from: 1.16.4-3]
libinput10/stable 1.22.1-1 amd64 [upgradable from: 1.16.4-3]
libqt5core5a/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5dbus5/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5designer5/stable 5.15.8-2 amd64 [upgradable from: 5.15.2-5]
libqt5gui5/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5network5/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5positioning5/stable 5.15.8+dfsg-3 amd64 [upgradable from: 5.15.2+dfsg-2]
libqt5printsupport5/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5qml5/stable 5.15.8+dfsg-3 amd64 [upgradable from: 5.15.2+dfsg-6]
libqt5qmlmodels5/stable 5.15.8+dfsg-3 amd64 [upgradable from: 5.15.2+dfsg-6]
libqt5quick5/stable 5.15.8+dfsg-3 amd64 [upgradable from: 5.15.2+dfsg-6]
libqt5quickwidgets5/stable 5.15.8+dfsg-3 amd64 [upgradable from: 5.15.2+dfsg-6]
libqt5sql5-sqlite/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5sql5/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5svg5/stable 5.15.8-3 amd64 [upgradable from: 5.15.2-3]
libqt5test5/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5webchannel5/stable 5.15.8-2 amd64 [upgradable from: 5.15.2-2]
libqt5webengine-data/stable 5.15.13+dfsg-1~deb12u1 all [upgradable from: 5.15.2+dfsg-3]
libqt5webengine5/stable 5.15.13+dfsg-1~deb12u1 amd64 [upgradable from: 5.15.2+dfsg-3]
libqt5webenginecore5/stable 5.15.13+dfsg-1~deb12u1 amd64 [upgradable from: 5.15.2+dfsg-3]
libqt5webenginewidgets5/stable 5.15.13+dfsg-1~deb12u1 amd64 [upgradable from: 5.15.2+dfsg-3]
libqt5widgets5/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libqt5xml5/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
libsemanage-common/stable 3.4-1 all [upgradable from: 3.1-1]
libwacom-bin/stable 2.6.0-1 amd64 [upgradable from: 1.8-2]
libwacom-common/stable 2.6.0-1 all [upgradable from: 1.8-2]
passwd/stable 1:4.13+dfsg1-1+b1 amd64 [upgradable from: 1:4.8.1-1]
python3-pyqt5.qtsvg/stable 5.15.9+dfsg-1 amd64 [upgradable from: 5.15.2+dfsg-3]
python3-pyqt5.qtwebchannel/stable 5.15.9+dfsg-1 amd64 [upgradable from: 5.15.2+dfsg-3]
python3-pyqt5.qtwebengine/stable 5.15.6-1 amd64 [upgradable from: 5.15.2-2]
python3-pyqt5/stable 5.15.9+dfsg-1 amd64 [upgradable from: 5.15.2+dfsg-3]
qt5-gtk-platformtheme/stable 5.15.8+dfsg-11 amd64 [upgradable from: 5.15.2+dfsg-9]
snapper/stable 0.10.4-1 amd64 [upgradable from: 0.8.15-1]

Next Steps

Figure out the tt-rss issue after next week, and then work through the held packages and see what I can do about them.

Updates during upgrade

Update june 11 13:00 I’m back on the internet. @cas wins the internet today with his firewalld comment below. @cas - you may want to post that in support where people will find it. I had this problem, and your solution worked. Thanks!

Update june 11 9:30
I am getting a configuration prompt by LDAP package. Note I have two network interfaces one of which is in shared mode. I did this for the LDAP config option:

LDAP uri as <shared interface IP> with no port specified

My bookworm upgrade problems and solutions

My bookworm upgrade is just started and I can see a few things I may need to work out. I’ll keep my notes in this thread.

How to look for things you may need to correct

Upgrade Logs

  1. Look in https://freedombox/plinth/sys/upgrades
  2. Select Show recent update logs button towards the bottom
  3. Read the messages starting from yesterday or today (or later) to see those about bookworm upgrade

Warnings in my upgrade log

2023-06-11 06:28:59,622 WARNING package uwsgi upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
2023-06-11 06:28:59,814 WARNING package uwsgi upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
2023-06-11 06:29:19,922 WARNING package uwsgi-plugin-python3 upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
2023-06-11 06:29:20,129 WARNING package uwsgi-plugin-python3 upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
2023-06-11 06:30:10,627 WARNING Package firewalld has conffile prompt and needs to be upgraded manually


uwsgi is used by several services including searx, radicale, and bepasty. I suspect that my hand modified /etc/uwsgi/apps-available/searx.ini may be the issue.


This turned out okay in the end.


  1. confirm that debian will not upgrade a package when the configuration has been customized
  2. find other reason the package may be flagged broken and skipped for upgrade



not a problem - everything is fine.

I suspect this package will not upgrade because it uses uwsgi. When we talk about package dependencies this is it. Because uwsgi is considered broken and will not be upgraded, Debian will also not upgrade uwsgi-plugin-python3 because the the new version of uwsgi-plugin-python3 expects to use the new version of uwsgi which in this case I will not have. When I get uwsgi worked out then I can get this package sorted.


The firewalld message indicates that the installation process has questions in it that the user should answer. I’m not sure of the questions and correct answers at this point, but I can see that firewalld won’t be upgraded because of this. Hopefully in the short term firewalld will run on the old version, we’ll see.

The answer to this will be to use either Cockpit Terminal or SSH to manually upgrade the package. When doing this the configuration tool will be able to get answers to the questions it needs using interactive installation from a terminal.

Thank you, @cas, for sharing this firewall issue, I’ll take note of that if there are firewalld problems after getting this package updated.


I did not have internet after upgrade and needed to manually add firewall policies to allow internal zone to external zone forwarding. I’ve linked this in a couple places in this post, and you can also see it in the Bookworm Update discussion in Community.

Don’t do it like I did.

I have a trip scheduled tomorrow for the week. I wanted to get this out of the way on my own terms. Here’s my best recollection of what I did to get upgraded and back on line.

  1. I saw the large list of packages marked for upgrade in the upgrade logs for plinth.
  2. I connected with ssh and did:

#export LC_ALL=C
# apt update
# apt upgrade --without-new-pkgs

This gave me some configuration dialogs which I wasn’t prepared to answer. This is why the best idea is to wait it out for the automatic upgrade process (which worked well for me last time).

  1. I needed to supply the LDAP URI. My configuration has two network interfaces, so I provided the internal zone static IP address and skipped the optional port number.
  2. I was asked about what to do with the tt-rss database. tt-rss is down right now, so I must have done the wrong answers. Need to check into this.

After this was several goes at apt update/apt upgrade, apt autoremove, etc. I didn’t need to do any manual additions or removals, I just thrashed around until I though my chances were good that Freedombox would reboot. Also a problem in here invoking this manually was that bullseye-backports were still included in my sources.list - I had to modify this file created by Freedombox. FB didn’t get a chance to remove it in timely fashion because I didn’t let FB do the upgrade. I still think it is best to wait it out.

  1. I had no internet service when the system booted, but I could connect to plinth on the local interface. These firewalld configuration steps done from the command line established internet service again for me. Many thanks to @cas for that.
  2. tt-rss did not upgrade properly and does not work.
  3. 38 held packages to sort out.

So I have internet, I have plinth, I have my dynamic DNS hostname updating, and my SSL certificate works. There’s some cleanup to attend to, but I’m in a pretty good place.