My application requires liblsan0 10.3.0, but it was removed from Ubuntu repos

We run an application based on ubuntu 20.04. It is an open-source LTE solution called magma (here's how we deploy it: https://magma.github.io/magma/docs/lte/deploy_install)

One of the application dependencies is the liblsan0, which is used for monitoring leaks as far as I understand.

Recently, liblsan0 got upgraded from version 10.3.0 to 10.5.0 and the older version was removed from the Ubuntu repositories. This was automatically executed in all of our systems due to the unattended upgrades default config.

This change caused a critical bug in the Magma AGW as described here: https://github.com/magma/magma/issues/15279

We still don't understand the root cause of the application crashes and therefore can't fix it, but we worked around the issue by installing an older version of gcc-10-base and liblsan0. This is done by manually downloading 10.2.1 or 10.3.0 versions of these packages, and then holding these packages with apt-mark hold.

However, this workaround puts our systems in a deadlock:

• we can't further upgrade almost any packages in the system due to broken dependencies. We may want to upgrade openvswitch dkms from time to time.
• we can't install new systems either, as new installations come with version 10.5.0 and do not work. The installation process contains apt update / install which forces updates of these core packages.

Forcing a downgrade to 10.3.0 locks our system in a state of broken dependencies. If I take a fresh ubuntu system with 20.04, hold the 10.3.0 packages, and try to install the application, I get errors like this one:

# apt install po-debconf gettext intltool-debian libgomp1
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libgomp1 : Depends: gcc-10-base (= 10.5.0-1ubuntu1~20.04) but 10.3.0-1ubuntu1~20.04 is to be installed
E: Unable to correct problems, you have held broken packages.

I understand that the best solution would be to make the application work with liblsan0=10.5.0, but at the moment it is beyond our abilities to debug/fix that problem.

We are looking for a way of freezing our ubuntu systems with the gcc-10-base and corresponding packages in the 10.3.0 version while still keeping everything else functional (e.g. apt update/install).

Freezing the system and repos would also have the advantage of making all the new deployments of our gateways identical, which is crucial for stable network operation. We need to have full control of the systems packages all the time, and can't rely on upstream repos that delete packages.

Older versions of many packages are readily available from Ubuntu mirrors. It's just that apt cannot see them. Open the mirror in a web browser, look for the pool directory, and browse to the version of each package that you want.

It's also possible that you might have older versions in your local package cache: /var/cache/apt

Then use apt to downgrade: sudo apt install </path/to/package1>=<version> </path/to/package2>=<version> </path/to/packageN>=version

Then use apt-marking to prevent upgrades: sudo apt-mark hold package1 package2 packageN

Be sure to record what you did so you can undo it safely someday.

To undo your hold and restore an updated Ubuntu system:

sudo apt-mark unhold package1 package2 packageN
sudo apt upgrade