
Chapter 6. Maintenance and Updates: The APT Tools

6.1. Filling in the sources.list File
6.1.1. Other Available Official Repositories
6.1.2. Non-Official Resources: apt-get.org and mentors.debian.net
6.2. aptitude and apt-get Commands
6.2.1. Initialization
6.2.2. Installing and Removing
6.2.3. System Upgrade
6.2.4. Configuration Options
6.2.5. Managing Package Priorities
6.2.6. Working with Several Distributions
6.3. The apt-cache Command
6.4. Frontends: aptitude, synaptic
6.4.1. aptitude
6.4.2. synaptic
6.5. Checking Package Authenticity
6.6. Upgrading from One Stable Distribution to the Next
6.6.1. Recommended Procedure
6.6.2. Handling Problems after an Upgrade
6.7. Keeping a System Up to Date
6.8. Automatic Upgrades
6.8.1. Configuring dpkg
6.8.2. Configuring APT
6.8.3. Configuring debconf
6.8.4. Handling Command Line Interactions
6.8.5. The Miracle Combination
6.9. Searching for Packages
What makes Debian so popular with administrators is how easily software can be installed and how easily the whole system can be updated. This unique advantage is largely due to the APT program, the features of which Falcot Corp administrators studied with enthusiasm.
APT is the abbreviation for Advanced Package Tool. What makes this program “advanced” is its approach to packages. It doesn't simply evaluate them individually, but it considers them as a whole and produces the best possible combination of packages depending on what is available and compatible (according to dependencies).
APT needs to be given a “list of package sources”: the file /etc/apt/sources.list will list the different repositories (or “sources”) that publish Debian packages. APT will then import the list of packages published by each of these sources. This operation is achieved by downloading Packages.gz or Packages.bz2 files (in case of a source of binary packages) and Sources.gz or Sources.bz2 files (in case of a source of source packages) and by analyzing their contents. When an old copy of these files is already present, APT can update it by only downloading the differences (see sidebar TIP Incremental upgrade).

6.1. Filling in the sources.list File

Each active line of the /etc/apt/sources.list file contains the description of a source, made of 3 parts separated by spaces.
The first field indicates the source type:
  • “deb” for binary packages,
  • “deb-src” for source packages.
The second field gives the base URL of the source (combined with the filenames present in the Packages.gz files, it must give a full and valid URL): this can be a Debian mirror or any other package archive set up by a third party. The URL can start with file:// to indicate a local source installed in the system's file hierarchy, with http:// to indicate a source accessible from a web server, or with ftp:// for a source available on an FTP server. The URL can also start with cdrom:// for CD-ROM based installations, although this is less frequent, since network-based installation methods are more and more common.
The syntax of the last field depends on whether the source corresponds to a Debian mirror or not. In the case of a Debian mirror, name the chosen distribution (stable, testing, unstable or their current code names — see the list in sidebar COMMUNITY Bruce Perens, a controversial leader), then the sections to enable (chosen between main, contrib, and non-free). In all other cases, simply indicate the subdirectory of the desired source (this is often a simple “./” which refers to the absence of a subdirectory — the packages are then directly at the specified URL).
Generally, the contents of a standard sources.list file can be the following:

Example 6.1. /etc/apt/sources.list file

# Security updates
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free

# Debian mirror
deb http://ftp.debian.org/debian stable main contrib non-free
deb-src http://ftp.debian.org/debian stable main contrib non-free

This file lists all sources of packages associated with the stable version of Debian. If you would like to use Testing or Unstable, you will of course have to add (or replace them with) the appropriate lines. When the desired version of a package is available on several mirrors, the first one listed in the sources.list file will be used. For this reason, non-official sources are usually added at the end of the file.
The sources.list file contains several other entry types: some describe the Debian CD-ROMs you have. Contrary to other entries, a CD-ROM is not always available since it has to be inserted into the drive and since only one disc can be read at a time — consequently, these sources are managed in a slightly different way. These entries need to be added with the apt-cdrom program, usually executed with the add parameter. The latter will then request the disc to be inserted in the drive and will browse its contents looking for Packages files. It will use these files to update its database of available packages (this is usually done by the aptitude update command). From then on, APT can require the disc to be inserted if it needs one of its packages.

6.1.1. Other Available Official Repositories

6.1.1.1. Stable Updates

Once published, the Stable distribution is only updated about once every 2 months in order to integrate the security updates published on security.debian.org.
This minor release can also include updates for packages that have to evolve over time... like spamassassin's spam detection rules, clamav's virus database, or the daylight-saving rules of all timezones (tzdata).
All those updates are prepared in a repository known as proposed-updates. Anyone can use this repository to test those updates before their official publication. The extract below uses the squeeze-proposed-updates alias which is both more explicit and more consistent since lenny-proposed-updates also exists (for the Oldstable updates):
deb http://ftp.debian.org/debian squeeze-proposed-updates main contrib non-free
Once ready, the most important updates — those which cannot wait for the next minor Debian release — are published in the stable-updates repository (which most systems are expected to use):
deb http://ftp.debian.org/debian stable-updates main contrib non-free

6.1.1.2. The Backports From backports.debian.org

Unsurprisingly, the backports.debian.org server hosts “package backports”. The term refers to a package of some recent software which has been recompiled for an older distribution, generally for Stable. When the distribution becomes a little dated, numerous software projects have released new versions that are not integrated into the current Stable (which is only modified to address the most critical problems, such as security problems). Since the Testing and Unstable distributions can be more risky, some volunteers sometimes offer recompilations of recent software applications for Stable, which has the advantage of limiting potential instability to a small number of chosen packages.
The sources.list entry for backports targeting the Squeeze distribution is the following:
deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free

6.1.1.3. The Experimental Repository

The archive of Experimental packages is present on all Debian mirrors, and contains packages which are not in the Unstable version yet because of their substandard quality — they are often software development versions or pre-versions (alpha, beta, release candidate…). A package can also be sent there after undergoing changes which can generate problems. The maintainer then tries to uncover them with the help of advanced users who can handle serious issues. After this first stage, the package is moved into Unstable, where it reaches a much larger audience and where it will be tested in much more detail.
Experimental is generally used by users who do not mind breaking their system and then repairing it. This distribution gives the possibility to import a package which a user wants to try or use as the need arises. That is exactly how Debian approaches it, since adding it in APT's sources.list file does not lead to the systematic use of its packages. The line to be added is:
deb http://ftp.debian.org/debian experimental main contrib non-free

6.1.2. Non-Official Resources: apt-get.org and mentors.debian.net

There are numerous non-official sources of Debian packages set up by advanced users who have recompiled some software, by programmers who make their creation available to all, and even by Debian developers who offer pre-versions of their package online. A web site was set up to find these alternative sources more easily. It contains an impressive amount of Debian package sources which can immediately be integrated into sources.list files. However, be careful not to add random packages. Each source is designed for a particular version of Debian (the one used to compile the packages in question); each user should maintain a certain coherence in what they choose to install.
The mentors.debian.net site is also interesting, since it gathers packages created by candidates for the status of official Debian developer or by volunteers who wish to create Debian packages without going through that process of integration. These packages are made available without any guarantee regarding their quality; make sure that you check their origin and integrity and then test them before you consider using them in production.
Installing a package means giving root rights to its creator, because they decide on the contents of the initialization scripts which are run under that identity. Official Debian packages are created by volunteers who have been co-opted and reviewed and who can seal their packages so that their origin and integrity can be checked.
In general, be wary of a package whose origin you don't know and which isn't hosted on one of the official Debian servers: evaluate the degree to which you can trust the creator, and check the integrity of the package.
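
The following audit script is an added example, not part of the original chapter or of APT itself. It parses the three-part entry format described in section 6.1 and flags third-party hosts, third-party entries that take precedence because they are listed before official ones, and pre-release suites. It assumes the allowlist is limited to the Debian hosts named in this chapter, uses the placeholder host repo.example.net, and does not handle apt-cdrom entries.

```python
from urllib.parse import urlparse

# Assumption: the allowlist is only the Debian hosts this chapter names.
OFFICIAL_HOSTS = {"ftp.debian.org", "security.debian.org", "backports.debian.org"}

def parse_sources(text):
    """Parse 'type URL suite [sections...]' lines; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            raise ValueError(f"line {lineno}: not a three-part source entry")
        entries.append({"line": lineno, "type": fields[0],
                        "host": urlparse(fields[1]).hostname,  # None for file://
                        "suite": fields[2], "sections": fields[3:]})
    return entries

def audit(entries, official=OFFICIAL_HOSTS):
    """Return (line, finding) pairs for entries an administrator should review."""
    remote = [e for e in entries if e["host"]]
    last_official = max((e["line"] for e in remote if e["host"] in official), default=0)
    findings = []
    for e in remote:
        if e["host"] not in official:
            findings.append((e["line"], "unofficial-host"))
            # The first source listing a version wins, so this entry takes
            # precedence over every official source listed after it.
            if e["line"] < last_official:
                findings.append((e["line"], "listed-before-official"))
        if e["suite"] == "experimental" or e["suite"].endswith("proposed-updates"):
            findings.append((e["line"], "pre-release-suite"))
    return findings

# Constructed sample; repo.example.net is a placeholder third-party archive.
SAMPLE = """\
# Third-party archive placed first
deb http://repo.example.net/debian ./
deb http://security.debian.org/ stable/updates main contrib non-free
deb http://ftp.debian.org/debian stable main contrib non-free
deb http://ftp.debian.org/debian experimental main
deb file:///srv/local-packages ./
"""

if __name__ == "__main__":
    for line, finding in audit(parse_sources(SAMPLE)):
        print(f"sources.list:{line}: {finding}")
```

Run against the real file with `audit(parse_sources(open("/etc/apt/sources.list").read()))`; an empty result means every remote entry points at an allowlisted host and a release suite.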