Product SiteDocumentation Site

6.2. aptitude and apt-get Commands

APT is a vast project, whose original plans included a graphical interface. It is based on a library which contains the core application, and apt-get is the first interface — command-line based — which was developed within the project.
Numerous other graphical interfaces then appeared as external projects: synaptic, aptitude (which includes both a text mode interface and a graphical one — even if not complete yet), wajig, etc. The most recommended interface, aptitude, is the one used during the installation of Debian. Since its command-line syntax is very similar to apt-get's, we will be focusing on aptitude in the examples given in this section. When there are major differences between aptitude and apt-get, these differences will be detailed.

6.2.1. Initialization

For any work with APT, the list of available packages needs to be updated; this can be done simply through aptitude update. Depending on the speed of your connection, the operation can take a while since it involves downloading a certain number of Packages.(gz|bz2) files (or even Sources.(gz|bz2)), which have gradually become bigger and bigger as Debian has developed (more than 8 MB for the largest Packages.gz — from the main section). Of course, installing from a CD-ROM set does not require any downloading — in this case, the operation is very fast.

6.2.2. Installing and Removing

With APT, packages can be added or removed from the system, respectively with aptitude install package and aptitude remove package. In both cases, APT will automatically install the necessary dependencies or delete the packages which depend on the package that is being removed. The aptitude purge package or apt-get purge package commands involve a complete uninstallation — the configuration files are also deleted.

TIP Installing the same selection of packages several times

It can be useful to systematically install the same list of packages on several computers. This can be done quite easily.
First, retrieve the list of packages installed on the computer which will serve as the “model” to copy. 
$ dpkg --get-selections >pkg-list
The pkg-list file then contains the list of installed packages. Next, transfer the pkg-list file on the computers you want to update and use the following commands: 
# dpkg --set-selections <pkg-list
# apt-get dselect-upgrade
The first command registers the list of packages you wish to install, then the apt-get invocation executes the required operations! aptitude does not have this command.

TIP Removing and installing at the same time

It is possible to ask aptitude (or apt-get) to install certain packages and remove others on the same command line by adding a suffix. With an aptitude install command, add “-” to the names of the packages you wish to remove. With an aptitude remove command, add “+” to the names of the packages you wish to install.
The next example shows two different ways to install package1 and to remove package2. 
# aptitude install package1 package2-
[...]
# aptitude remove package1+ package2
[...]

TIP apt-get --reinstall and aptitude reinstall

The system can sometimes be damaged after the removal or modification of files in a package. The easiest way to retrieve these files is to reinstall the affected package. Unfortunately, the packaging system finds that the latter is already installed and politely refuses to reinstall it; to avoid this, use the --reinstall option of the apt-get command. The following command reinstalls postfix even if it is already present: 
# apt-get --reinstall install postfix
The aptitude command line is slightly different, but achieves the same result with aptitude reinstall postfix.
The problem does not arise with dpkg, but the administrator rarely uses it directly.
Be careful, using apt-get --reinstall to restore packages modified during an attack certainly cannot recover the system as it was. Section 14.6, “Dealing with a Compromised Machine” details the necessary steps to take with a compromised system.
If the file sources.list mentions several distributions, it is possible to give the version of the package to install. A specific version number can be requested with aptitude install package=version, but indicating its distribution of origin (Stable, Testing or Unstable) — with aptitude install package/distribution — is usually preferred. With this command, it is possible to go back to an older version of a package (if for instance you know that it works well), provided that it is still available in one of the sources referenced by the sources.list file. Otherwise the snapshot.debian.org archive can come to the rescue (see sidebar GOING FURTHER Old package versions: snapshot.debian.org).

Example 6.2. Installation of the unstable version of spamassassin

# aptitude install spamassassin/unstable

GOING FURTHER The cache of .deb files

APT keeps a copy of each downloaded .deb file in the directory /var/cache/apt/archives/. In case of frequent updates, this directory can quickly take a lot of disk space with several versions of each package; you should regularly sort through them. Two commands can be used: aptitude clean entirely empties the directory; aptitude autoclean only removes packages which cannot be downloaded (because they have disappeared from the Debian mirror) and are therefore clearly useless (the configuration parameter APT::Clean-Installed can prevent the removal of .deb files that are currently installed).

6.2.3. System Upgrade

Regular upgrades are recommended, because they include the latest security updates. To upgrade, use aptitude safe-upgrade or apt-get upgrade (of course after aptitude update). This command looks for installed packages which can be upgraded without removing any packages. In other words, the goal is to ensure the least intrusive upgrade possible. apt-get is slightly more demanding than aptitude because it will refuse to install packages which were not installed beforehand.

TIP Incremental upgrade

As we explained earlier, the aim of the aptitude update command is to download for each package source the corresponding Packages (or Sources) file. However, even after a bzip2 compression, these files can remain rather large (the Packages.bz2 for the main section of Squeeze takes more than 8 MB). If you wish to upgrade regularly, these downloads can take up a lot of time.
A “new feature” (available since Etch) is that APT can now download the changes since the previous update, as opposed to the entire file. To achieve this, official Debian mirrors distribute different files which list the differences between one version of the Packages file and the following version. They are generated at each update of the archives and a history of one week is kept. Each of these “diff” files only takes a few dozen kilobytes for Unstable, so that the amount of data downloaded by a weekly aptitude update is often divided by 10. For distributions like Stable and Testing, which change less, the gain is even more noticeable.
However, it can sometimes be of interest to force the download of the entire Packages.bz2 file, especially when the last upgrade is very old and when the mechanism of incremental differences would not contribute much. This can also be interesting when network access is very fast but when the processor of the machine to upgrade is rather slow, since the time saved on the download is more than lost when the computer calculates the new versions of these files (starting with the older versions and applying the downloaded differences). To do that, you can use the configuration parameter Acquire::Pdiffs and set it to false.
aptitude will generally select the most recent version number (except for Experimental packages, which are ignored by default whatever their version number). If you specified Testing or Unstable in your sources.list, aptitude safe-upgrade will switch most of your Stable system to Testing or Unstable, which might not be what you intended.
To tell aptitude to use a specific distribution when searching for upgraded packages, you need to use the option -t or --target-release, followed by the name of the distribution you want (for example: aptitude -t stable safe-upgrade). To avoid specifying this option every time you use aptitude, you can add APT::Default-Release "stable"; in the file /etc/apt/apt.conf.d/local.
For more important upgrades, such as the change from one major Debian version to the next, you need to use aptitude full-upgrade (the option used to be named dist-upgrade, for “distribution upgrade”). With this instruction, aptitude will complete the upgrade even if it has to remove some obsolete packages or install new dependencies. This is also the command used by users who work daily with the Debian Unstable release and follow its evolution day by day. It is so simple that it hardly needs explanation: APT's reputation is based on this great functionality.
aptitude dist-upgrade is still available as a synonym for aptitude full-upgrade; apt-get only recognizes the former.

6.2.4. Configuration Options

Besides the configuration elements already mentioned, it is possible to configure certain aspects of APT by adding directives in a file of the /etc/apt/apt.conf.d/ directory. Remember for instance that it is possible for APT to tell dpkg to ignore file conflict errors by specifying DPkg::Options { "--force-overwrite"; }.
If the Web can only be accessed through a proxy, add a line like Acquire::http::proxy "http://yourproxy:3128". For an FTP proxy, write Acquire::ftp::proxy "ftp://yourproxy". To discover more configuration options, read the apt.conf(5) manual page with the command man apt.conf (for details on manual pages, see next chapter).

BACK TO BASICS Directories ending in .d

Directories with a .d suffix are used more and more often. Each directory represents a configuration file which is split over multiple files. In this sense, all of the files in /etc/apt/apt.conf.d/ are instructions for the configuration of APT. APT includes them in alphabetical order, so that the last ones can modify a configuration element defined in one of the first ones.
This structure brings some flexibility to the machine administrator and to the package maintainers. Indeed, the administrator can easily modify the configuration of the software by adding a ready-made file in the directory in question without having to change an existing file. Package maintainers use the same approach when they need to adapt the configuration of another software to ensure that it perfectly co-exists with theirs. However, the Debian policy explicitly forbids modifying configuration files of other packages — only users are allowed to do this. Remember that during a package upgrade, the user gets to choose the version of the configuration file that should be kept when a modification has been detected. Any external modification of the file would trigger that request, which would disturb the administrator, who is sure not to have changed anything.
Without a .d directory, it is impossible for an external package to change the settings of a program without modifying its configuration file. Instead it must invite the user to do it himself and lists the operations to be done in the file /usr/share/doc/package/README.Debian.
Depending on the application, the .d directory is used directly or managed by an external script which will concatenate all the files to create the configuration file itself. It is important to execute the script after any change in that directory so that the most recent modifications are taken into account. In the same way, it is important not to work directly in the configuration file created automatically, since everything would be lost at the next execution of the script. Choosing one method (.d directory used directly or a file generated from that directory) is usually imposed by implementation constraints, but in both cases the gains in terms of configuration flexibility more than make up for the small complications that they entail. The Exim 4 mail server is an example of the generated file method: it can be configured through several files (/etc/exim4/conf.d/*) which are concatenated into /var/lib/exim4/config.autogenerated by the update-exim4.conf command.

6.2.5. Managing Package Priorities

One of the most important aspects in the configuration of APT is the management of the priorities associated with each package source. For instance, you might want to extend one distribution with one or two newer packages from Testing, Unstable or Experimental. It is possible to assign a priority to each available package (the same package can have several priorities depending on its version or the distribution providing it). These priorities will influence APT's behavior: for each package, it will always select the version with the highest priority (except if this version is older than the installed one and if its priority is less than 1000).
APT defines several default priorities. Each installed package version has a priority of 100. A non-installed version has a priority of 500 by default, but it can jump to 990 if it is part of the target release (defined with the -t command-line option or the APT::Target-Release configuration directive).
You can modify the priorities by adding entries in the file /etc/apt/preferences with the names of the affected packages, their version, their origin and their new priority.
APT will never install an older version of a package (that is, a package whose version number is lower than the one of the currently installed package) except if its priority is higher than 1000. APT will always install the highest priority package which follows this constraint. If two packages have the same priority, APT installs the newest one (whose version number is the highest). If two packages of same version have the same priority but differ in their content, APT installs the version that is not installed (this rule has been created to cover the case of a package update without the increment of the revision number, which is usually required).
In more concrete terms, a package whose priority is less than 0 will never be installed. A package with a priority ranging between 0 and 100 will only be installed if no other version of the package is already installed. With a priority between 100 and 500, the package will only be installed if there is no other newer version installed or available in another distribution. A package of priority between 500 and 990 will only be installed if there is no newer version installed or available in the target distribution. With a priority between 990 and 1000, the package will be installed except if the installed version is newer. A priority greater than 1000 will always lead to the installation of the package even if it forces APT to downgrade to an older version.
When APT checks /etc/apt/preferences, it first takes into account the most specific entries (often those specifying the concerned package), then the more generic ones (including for example all the packages of a distribution). If several generic entries exist, the first match is used. The available selection criteria include the package's name and the source providing it. Every package source is identified by the information contained in a Release file that APT downloads together with the Packages.gz files. It specifies the origin (usually “Debian” for the packages of official mirrors, but it can also be a person's or an organization's name for third-parties repositories). It also gives the name of the distribution (usually Stable, Testing, Unstable or Experimental for the standard distributions provided by Debian) together with its version (for example 5.0 for Debian Lenny). Let's have a look at its syntax through some realistic case studies of this mechanism.

SPECIFIC CASE Priority of experimental

If you listed Experimental in your sources.list file, the corresponding packages will almost never be installed because their default APT priority is 1. This is of course a specific case, designed to keep users from installing Experimental packages by mistake. The packages can only be installed by typing aptitude install package/experimental — users typing this command can only be aware of the risks that they take. It is still possible (though not recommended) to treat packages of Experimental like those of other distributions by giving them a priority of 500. This is done with a specific entry in /etc/apt/preferences: 
Package: *
Pin: release a=experimental
Pin-Priority: 500
Let's suppose that you only want to use packages from the stable version of Debian. Those provided in other versions should not be installed except if explicitly requested. You could write the following entries in the /etc/apt/preferences file: 
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release o=Debian
Pin-Priority: -10
a=stable defines the name of the selected distribution. o=Debian limits the scope to packages whose origin is “Debian”.
Let's now assume that you have a server with several local programs depending on the version 5.10 of Perl and that you want to ensure that upgrades will not install another version of it. You could use this entry: 
Package: perl
Pin: version 5.10*
Pin-Priority: 1001
The reference documentation for this configuration file is available in the manual page apt_preferences(5), which you can display with man apt_preferences.

TIP Comments in /etc/apt/preferences

There is no official syntax to put comments in the /etc/apt/preferences file, but some textual descriptions can be provided by putting one or more “Explanation” fields at the start of each entry: 
Explanation: The package xserver-xorg-video-intel provided
Explanation: in experimental can be used safely
Package: xserver-xorg-video-intel
Pin: release a=experimental
Pin-Priority: 500

6.2.6. Working with Several Distributions

aptitude being such a marvelous tool, it is tempting to pick packages coming from other distributions. For example, after having installed a Stable system, you might want to try out a software package available in Testing or Unstable without diverging too much from the system's initial state.
Even if you will occasionally encounter problems while mixing packages from different distributions, aptitude manages such coexistence very well and limits risks very effectively. The best way to proceed is to list all distributions used in /etc/apt/sources.list (some people always put the three distributions, but remember that Unstable is reserved for experienced users) and to define your reference distribution with the APT::Default-Release parameter (see Section 6.2.3, “System Upgrade”).
Let's suppose that Stable is your reference distribution but that Testing and Unstable are also listed in your sources.list file. In this case, you can use aptitude install package/testing to install a package from Testing. If the installation fails due to some unsatisfiable dependencies, let it solve those dependencies within Testing by adding the -t testing parameter. The same obviously applies to Unstable.
In this situation, upgrades (safe-upgrade and dist-upgrade) are done within Stable except for packages already upgraded to an other distribution: those will follow updates available in the other distributions. We'll explain this behavior with the help of the default priorities set by APT below. Do not hesitate to use apt-cache policy (see sidebar) to verify the given priorities.
Everything centers around the fact that APT only considers packages of higher or equal version than the installed one (assuming that /etc/apt/preferences has not been used to force priorities higher than 1000 for some packages).

TIP apt-cache policy

To gain a better understanding of the mechanism of priority, do not hesitate to execute apt-cache policy to display the default priority associated with each package source. You can also use apt-cache policy package to display the priorities of all available versions of a given package.
Let's assume that you have installed version 1 of a first package from Stable and that version 2 and 3 are available respectively in Testing and Unstable. The installed version has a priority of 100 but the version available in Stable (the very same) has a priority of 990 (because it is part of the target release). Packages in Testing and Unstable have a priority of 500 (the default priority of a non-installed version). The winner is thus version 1 with a priority of 990. The package “stays in Stable”.
Let's take the example of another package whose version 2 has been installed from Testing. Version 1 is available in Stable and version 3 in Unstable. Version 1 (of priority 990 — thus lower than 1000) is discarded because it is lower than the installed version. This only leaves version 2 and 3, both of priority 500. Faced with this alternative, APT selects the newest version, the one from Unstable.If you don't want a package installed from Testing to migrate to Unstable, you have to assign a priority lower than 500 (490 for example) to packages coming from Unstable. You can modify /etc/apt/preferences to this effect: 
Package: *
Pin: release a=unstable
Pin-Priority: 490