More yolofix to avoid openssl being re-upgraded right away after we downgrade it (gotta hold openssl during regular package upgrades)

src/yunohost/tools.py

@@ -559,7 +559,7 @@ def tools_upgrade(operation_logger, apps=None, system=False, allow_yunohost_upgr
 
         # Critical packages are packages that we can't just upgrade
         # randomly from yunohost itself... upgrading them is likely to
-        critical_packages = ["moulinette", "yunohost", "yunohost-admin", "ssowat"]
+        critical_packages = ["moulinette", "yunohost", "yunohost-admin", "ssowat", "openssl"]
 
         critical_packages_upgradable = [p["name"] for p in upgradables if p["name"] in critical_packages]
         noncritical_packages_upgradable = [p["name"] for p in upgradables if p["name"] not in critical_packages]
@@ -614,6 +614,10 @@ def tools_upgrade(operation_logger, apps=None, system=False, allow_yunohost_upgr
                 operation_logger.error(m18n.n('packages_upgrade_failed'))
                 raise YunohostError(m18n.n('packages_upgrade_failed'))
 
+            # Mark all critical packages as unheld
+            for package in critical_packages:
+                check_output("apt-mark unhold %s" % package)
+
         #
         # Critical packages upgrade
         #