Just a note on this. I use snaps a lot in my primary servers. They work, reliably and well, but I can see why someone with a rich toolkit of scripts to work at the apt and dpkg level would shy away from snapcraft - it takes a very different approach.

But I think that underlying to the problem we’ve seen here and before is what I’ve heard about Python-dependancy hell. If you don’t cookk up anything in Python yourself having stuff that’s written in it has a better chance of not going wrong, but if you start having version preferences or dependencies for your own code base that can and apparently often does clash with the runtime environment other Python packages encounters on your and some machines.

That’s why snaps makes things better. Snaps controls the entire environment for the package and while it goes to some lengths to avoid duplication, it keeps different packages from geting in each other’s way.

Howdy

When dupe broke, I just spent some time at my keyboard searching for an archive of previous releases of duplicity and downloaded and installed it. Issue resolved. It didn’t take long to find the dist. I provided a link and it all worked for me on my 3 mail servers:

1. Download 3.0.4 version .deb from:
   https://code.launchpad.net/~duplicity-team/+archive/ubuntu/duplicity-release-git/+files/duplicity_3.0.4-ppa202502081832~ubuntu22.04.1_amd64.deb

I reckon that the MIAB install should mark duplicity “hold” for all updates by default and as long as the author/devs highlight that, no-one can come back and complain about this fine and amazing mail server product. Users of Josh’s project can take some responbility i feel. perhaps have a staging server somewhere in a VM to test all updates?

That spending time at the keyboard part is the piece of magic I failed to pull so could you share a) how you actually went about that, and/or b) whether what you found would have been a once-off find or perhaps something that can be either automated or written down as a repeatable set of instructions to follow when the chips are down and the brain is in crisis mode?

@JoshData about that, I run my 2 MiaB servers on my own hardware at home behind redundant fibre links as a side-show to self-hosting the root cluster for my app. Running another miab server or two for testing should not tax my resources much so the cost will be absorbed into my sunken costs. I’d be more than happy to offer that towards a type of staging/testing platform if it would help you and the rest of the community.

@MarthinL i literally did a deep dive and persevered with google searching for a repository somewhere of old versions of duplicity and one cam up trumps. I wasnt prepared to wait for a new release to try. I wanted to roll back. In essence I am not a Linux person, however I am very good at problem solving and finding solutions. I will admit it was only on the second attempt that i managed to find a solution. The right answer now that it is all working is to put duplicity on hold for updating and wait for a few weeks after the release is dont before applying it, and apply to a staging servers on a VM to ensure it works. I am adamnt that as its email I will never run without a current backup.

sure brother there probably you ran apt clean, thats it but am happy it helped other way, have great day

I’m currently drafting a blog post about this issue, plus the solution. According to my publication schedule, it will be published on 23 July at 12:34 CET.
The URL will be https://amedee.be/?p=1924

This is the text of the blog post: (copypasta messed up the layout a bit)

How I Tamed Duplicity’s Buggy Versions — and Made Sure I Always Have a Backup

• 23 July 2025

If you’re running Mail-in-a-Box like me, you might rely on Duplicity to handle backups quietly in the background. It’s a great tool — until it isn’t. Recently, I ran into some frustrating issues caused by buggy Duplicity versions. Here’s the story, a useful discussion from the Mail-in-a-Box forums, and a neat trick I use to keep fallback versions handy. Spoiler: it involves an APT hook and some smart file copying!

The Problem with Duplicity Versions

Duplicity 3.0.1 and 3.0.5 have been reported to cause backup failures — a real headache when you depend on them to protect your data. The Mail-in-a-Box forum post “Something is wrong with the backup” dives into these issues with great detail. Users reported mysterious backup failures and eventually traced it back to specific Duplicity releases causing the problem.

Here’s the catch: those problematic versions sometimes sneak in during automatic updates. By the time you realize something’s wrong, you might already have upgraded to a buggy release.

Pinning Problematic Versions with APT Preferences

One way to stop apt from installing those broken versions is to use APT pinning. Here’s an example file I created in /etc/apt/preferences/pin_duplicity.pref:

Explanation: Duplicity version 3.0.1* has a bug and should not be installed

Package: duplicity

Pin: version 3.0.1*

Pin-Priority: -1

Explanation: Duplicity version 3.0.5* has a bug and should not be installed

Package: duplicity

Pin: version 3.0.5*

Pin-Priority: -1

This tells apt to refuse to install these specific buggy versions. Sounds great, right? Except — it often comes too late. You could already have updated to a broken version before adding the pin.

Also, since Duplicity is installed from a PPA, older versions vanish quickly as new releases push them out. This makes rolling back to a known good version a pain.

My Solution: Backing Up Known Good Duplicity .deb Files Automatically

To fix this, I created an APT hook that runs after every package operation involving Duplicity. It automatically copies the .deb package files of Duplicity from apt’s archive cache — and even from my local folder if I’m installing manually — into a safe backup folder.

Here’s the script, saved as /usr/local/bin/apt-backup-duplicity.sh:

#!/bin/bash

set -x

mkdir -p /var/backups/debs/duplicity

cp -vn /var/cache/apt/archives/duplicity_ *.deb /var/backups/debs/duplicity/ 2> /dev/null || true

cp -vn /root/duplicity_ *.deb /var/backups/debs/duplicity/ 2> /dev/null || true

And here’s the APT hook configuration I put in /etc/apt/apt.conf.d/99backup-duplicity-debs to run this script automatically after DPKG operations:

DPkg::Post - Invoke { "/usr/local/bin/apt-backup-duplicity.sh" ; };

How to Use Your Backup Versions to Roll Back

If a new Duplicity version breaks your backups, you can easily reinstall a known-good .deb file from your backup folder:

sudo apt install --reinstall /var/backups/debs/duplicity/duplicity_ <version>.deb

Replace <version> with the actual filename you want to roll back to. Because you saved the .deb files right after each update, you always have access to older stable versions — even if the PPA has moved on.

Final Thoughts

While pinning bad versions helps, having a local stash of known-good packages is a game changer. It’s a small extra step but pays off hugely when things go sideways. Plus, it’s totally automated with the APT hook, so you don’t have to remember to save anything manually.

If you run Mail-in-a-Box or rely on Duplicity in any critical backup workflow, I highly recommend setting up this safety net.

Stay safe and backed up!

I’m probably also going to add a paragraph on apt hold.

3.0.5.1 worked.

3.0.5.1 just landed via the regular apt updates for me today. You saw it working (according to the post date) 17 days ago.

1. Did you install a pre-release, were you part of a canary release or how did 17 days pass between you and me seeing the update?
2. Would you call it safe / recommended to release the hold on 3.0.4, or should we hold off some more?
3. Do we know if upgrading to v73 (which I’ve held back on as well) will force an upgrade of duplicity despite holding the pakage at the apt level?

Thank you for the suggestion.

In the situation I found myself in though it appears to be guard against future failures but leaves your first upgrade after implementing your solution vulnerable.

After fixing the Hook syntax, I was able to confirm that the hook script finds nothing to copy until after the upgrade has already taken place. It therefore does not provide an insurance against a bad update until it has at least been in place to have recorded one known good version.

You may need to know this:

If you do place a hold on duplicity using apt-mark hold duplicity, doing a version update of mailinabox terminates mid-process with the message:

The following held packages will be changed:
duplicity
The following packages will be upgraded:
duplicity
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
E: Held packages were changed and -y was used without --allow-change-held-packages.

resulting in the upgrade being incomplete and the system in a undefined state.

BTW, normal ubuntu users use apt instead of dpkg, so for those invoking updates themselves prior to a reboot or some, the hook syntax would be:

DPkg::Post-Invoke { “/usr/local/bin/apt-backup-duplicity.sh” ; };
APT::Update::Post-Invoke { “/usr/local/bin/apt-backup-duplicity.sh” ; };

Had the exact same issue. Seems it is not possible to upgrade maib with duplicity on hold. Needed to remove the hold for it to complete.

This topic was automatically closed 40 days after the last reply. New replies are no longer allowed.