sources.list
Fileaptitude
, apt-get
, and apt
Commandsapt-cache
Commandapt-file
Commandaptitude
, synaptic
/etc/apt/sources.list
will list the different repositories that publish Debian packages. APT will then import the list of packages published by each of these sources. This operation is achieved by downloading Packages.xz
files or a variant such as Packages.gz
or .bz2
(using a different compression method) in case of a source of binary packages and by analyzing their contents. In case of a source of source packages, APT downloads Sources.xz
files or a variant using a different compression method. When an old copy of these files is already present, APT can update it by only downloading the differences (see sidebar TIP Incremental updates).
/etc/apt/sources.list
file represents a package source (repository) and is made of at least three parts separated by spaces. For a complete description of the file format and the accepted entry compositions see sources.list(5).
Example 6.1. Example entry format in /etc/apt/sources.list
deb url distribution component1 component2 component3 [..] componentX deb-src url distribution component1 component2 component3 [..] componentX
deb
deb-src
Packages.xz
files, it must give a full and valid URL. This can consist in a Debian mirror or in any other package archive set up by a third party. The URL can start with file://
to indicate a local source installed in the system's file hierarchy, with http://
or https://
to indicate a source accessible from a web server, or with ftp://
or ftps://
for a source available on an FTP server. The URL can also start with cdrom:
for CD-ROM/DVD/Blu-ray disc based installations, although this is less frequent, since network-based installation methods are eventually more common. More methods like ssh://
or tor+http(s)://
are supported and are either described in sources.list(5) or their respective apt-transport-method package documentation.
./
” which refers to the absence of a subdirectory. The packages are then directly at the specified URL. But in the most common case, the repositories will be structured like a Debian mirror, with multiple distributions, each having multiple components. In those cases, name the chosen distribution by its “codename” — see the list in sidebar COMMUNITY Bruce Perens, a controversial leader — or by the corresponding “suite” (oldoldstable
, oldstable
, stable
, testing
, unstable
) and then the components to enable. A typical Debian mirror provides the components main
, contrib
, and non-free
.
cdrom
entries describe the CD/DVD-ROMs you have. Contrary to other entries, a CD-ROM is not always available since it has to be inserted into the drive and since only one disc can be read at a time. For those reasons, these sources are managed in a slightly different way, and need to be added with the apt-cdrom
program, usually executed with the add
parameter. The latter will then request the disc to be inserted in the drive and will browse its contents looking for Packages
files. It will use these files to update its database of available packages (this operation is usually done by the apt update
command). From then on, APT can require the disc to be inserted if it needs one of its packages.
sources.list
for a system running the Stable version of Debian:
Example 6.2. /etc/apt/sources.list
file for users of Debian Stable
# Security updates deb http://security.debian.org/ bullseye-security main contrib non-free deb-src http://security.debian.org/ bullseye-security main contrib non-free ## Debian mirror # Base repository deb https://deb.debian.org/debian bullseye main contrib non-free deb-src https://deb.debian.org/debian bullseye main contrib non-free # Stable updates deb https://deb.debian.org/debian bullseye-updates main contrib non-free deb-src https://deb.debian.org/debian bullseye-updates main contrib non-free # Stable backports deb https://deb.debian.org/debian bullseye-backports main contrib non-free deb-src https://deb.debian.org/debian bullseye-backports main contrib non-free
stable
, stable-updates
, stable-backports
) because we don't want to have the underlying distribution changed outside of our control when the next stable release comes out.
sources.list
file will be used. For this reason, non-official sources are usually added at the end of the file.
security.debian.org
, a small set of machines maintained by the Debian System Administrators. This archive contains security updates prepared by the Debian Security Team and/or by package maintainers for the Stable and Oldstable distribution.
Debian Security Advisory
(DSA) and announces it together with the security update on the debian-security-announce@lists.debian.org
mailing list (archive).
proposed-updates
repository, carefully selected by the Stable Release Managers. All updates are announced on the debian-stable-announce@lists.debian.org
mailing list (archive) and will be included in the next Stable point release anyway.
proposed-updates
repository is where the expected updates are prepared (under the supervision of the Stable Release Managers).
bullseye-proposed-updates
alias which is both more explicit and more consistent since buster-proposed-updates
also exists (for the Oldstable updates):
deb https://deb.debian.org/debian bullseye-proposed-updates main contrib non-free
stable-backports
repository hosts “package backports”. The term refers to a package of some recent software which has been recompiled for an older distribution, generally for Stable.
stable-backports
are only created from packages available in Testing. This ensures that all installed backports will be upgradable to the corresponding stable version once the next stable release of Debian is available.
APT
will not install them unless you give explicit instructions to do so (or unless you have already done so with a former version of the given backport):
$
sudo apt-get install package/bullseye-backports
$
sudo apt-get install -t bullseye-backports package
sources.list
for a system running the Testing or Unstable version of Debian:
Example 6.3. /etc/apt/sources.list
file for users of Debian Testing/Unstable
# Unstable deb https://deb.debian.org/debian unstable main contrib non-free deb-src https://deb.debian.org/debian unstable main contrib non-free # Testing deb https://deb.debian.org/debian testing main contrib non-free deb-src https://deb.debian.org/debian testing main contrib non-free # Testing security updates deb http://security.debian.org/ testing-security main contrib non-free deb-src http://security.debian.org/ testing-security main contrib non-free # Stable deb https://deb.debian.org/debian stable main contrib non-free deb-src https://deb.debian.org/debian stable main contrib non-free # Stable security updates deb http://security.debian.org/ stable-security main contrib non-free deb-src http://security.debian.org/ stable-security main contrib non-free
sources.list
file APT will install packages from the Unstable suite. If that is not desired, use the APT::Default-Release
setting (see Section 6.2.3, “System Upgrade”) to instruct APT to pick packages from another suite (most likely Testing in this case).
sources.list
file does not lead to the systematic use of its packages. The line to be added is:
deb https://deb.debian.org/debian experimental main contrib non-free
sources.list
examples in this chapter refer to package repositories hosted on deb.debian.org
. Those URLs will redirect you to servers which are close to you and which are managed by Content Delivery Networks (CDN) whose main role is to store multiple copies of the files across the world, and to deliver them as fast as possible to users. The CDN companies that Debian is working with are Debian partners who are offering their services freely to Debian. While none of those servers are under direct control of Debian, the fact that the whole archive is sealed by GPG signatures makes it a non-issue.
deb.debian.org
can try to find a better mirror in the official mirror list:
ftp.country-code.debian.org
(e.g. ftp.us.debian.org
for the USA, ftp.fr.debian.org
for France, etc.) which are covering many countries and which are pointing to one (or more) of the best mirrors available within that country.
deb.debian.org
, there used to be httpredir.debian.org
. This service would identify a mirror close to you (among the list of official mirrors, using GeoIP mainly) and would redirect APT's requests to that mirror. This service has been deprecated due to reliability concerns and now httpredir.debian.org
provides the same CDN-based service as deb.debian.org
.
mentors.debian.net
site is interesting (although it only provides source packages), since it gathers packages created by candidates to the status of official Debian developer or by volunteers who wish to create Debian packages without going through that process of integration. These packages are made available without any guarantee regarding their quality; make sure that you check their origin and integrity and then test them before you consider using them in production.
sources.list
is left unchanged, but APT is configured to use them as proxy for outgoing requests.
/etc/approx/approx.conf
:
# <name> <repository-base-url> debian https://deb.debian.org/debian security http://security.debian.org/debian-security
sources.list
file to point to the approx server:
# Sample sources.list pointing to a local approx server deb http://localhost:9999/security bullseye-security main contrib non-free deb http://localhost:9999/debian bullseye main contrib non-free