Product SiteDocumentation Site

章 6. 維護與更新:APT 工具

6.1. 寫入 sources.list 檔案
6.1.1. 語法
6.1.2. 穩定版 使用者的典藏庫
6.1.3. 供 測試版/不穩定版 使用者的典藏庫
6.1.4. Using Alternate Mirrors
6.1.5. 非官方資源:mentors.debian.net
6.1.6. Debian 套件快取代理
6.2. aptitudeapt-get、與 apt 命令
6.2.1. 初始化
6.2.2. 安裝與移除
6.2.3. 系統升級
6.2.4. 組態選項
6.2.5. 管理套件優先性
6.2.6. 在多個發行版工作
6.2.7. 自動追蹤已安裝的套件
6.2.8. APT Patterns
6.3. The apt-cache 命令
6.3.1. The apt-cache policy Command
6.4. The apt-file Command
6.5. 前置:aptitudesynaptic
6.5.1. aptitude
6.5.2. synaptic
6.6. 檢查套件真偽
6.7. 升級至下個穩定發行版
6.7.1. 建議程序
6.7.2. 處理升級後的問題
6.7.3. Cleaning Up after an Upgrade
6.8. 保持系統在最新狀態
6.9. 自動升級
6.9.1. 組態 dpkg
6.9.2. 組態 APT
6.9.3. 組態 debconf
6.9.4. 處理命令列介面
6.9.5. 神奇的組合
6.10. 搜尋套件
What makes Debian so popular with administrators is how easily software can be installed and how easily the whole system can be updated. This unique advantage is largely due to the APT program, which Falcot Corp administrators studied with enthusiasm.
APT is the abbreviation for Advanced Packaging Tool. What makes this program “advanced” is its approach to packages. It doesn't simply evaluate them individually, but it considers them as a whole and produces the best possible combination of packages depending on what is available and compatible according to dependencies.
APT needs to be given a “list of package sources (repositories)”: the file /etc/apt/sources.list will list the different repositories that publish Debian packages. APT will then import the list of packages published by each of these sources. This operation is achieved by downloading Packages.xz files or a variant such as Packages.gz or .bz2 (using a different compression method) in case of a source of binary packages and by analyzing their contents. In case of a source of source packages, APT downloads Sources.xz files or a variant using a different compression method. When an old copy of these files is already present, APT can update it by only downloading the differences (see sidebar TIP Incremental updates).

6.1. 寫入 sources.list 檔案

6.1.1. 語法

Each active line in the /etc/apt/sources.list file represents a package source (repository) and is made of at least three parts separated by spaces. For a complete description of the file format and the accepted entry compositions see sources.list(5).

範例 6.1. Example entry format in /etc/apt/sources.list

deb url distribution component1 component2 component3 [..] componentX
deb-src url distribution component1 component2 component3 [..] componentX
第一個欄位指示來源類型:
deb
package source (repository) of binary packages
deb-src
package source (repository) of source packages
The second field gives the base URL of the source. Combined with the filenames listed in the Packages.xz files, it must give a full and valid URL. This can consist in a Debian mirror or in any other package archive set up by a third party. The URL can start with file:// to indicate a local source installed in the system's file hierarchy, with http:// or https:// to indicate a source accessible from a web server, or with ftp:// or ftps:// for a source available on an FTP server. The URL can also start with cdrom: for CD-ROM/DVD/Blu-ray disc based installations, although this is less frequent, since network-based installation methods are eventually more common. More methods like ssh:// or tor+http(s):// are supported and are either described in sources.list(5) or their respective apt-transport-method package documentation.
The syntax of the last field depends on the structure of the repository. In the simplest case, you can simply indicate a subdirectory (with a required trailing slash) of the desired source. This is often a simple “./” which refers to the absence of a subdirectory. The packages are then directly at the specified URL. But in the most common case, the repositories will be structured like a Debian mirror, with multiple distributions, each having multiple components. In those cases, name the chosen distribution by its “codename” — see the list in sidebar 社群 布魯斯·佩倫斯,另類的領導者 — or by the corresponding “suite” (oldoldstable, oldstable, stable, testing, unstable) and then the components to enable. A typical Debian mirror provides the components main, contrib, and non-free.
cdrom 條目表示您有此 CD/DVD-ROMs。相對於其他條目,CD-ROM 並非經常存在,一次祗能塞入一張。基於這個理由,以不同的方式管理此來源,需用到 apt-cdrom 程式,及 add 參數。要求將光碟插入光碟機,並找尋 套件 檔案。以此等檔案更新可用套件的資料庫 (通常以 apt update 命令完成它)。然後,APT 才能要求插入包括其套件的光碟。

6.1.2. 穩定版 使用者的典藏庫

以下是標準的 sources.list 供系統執行 穩定 版 Debian:

範例 6.2. 供 Debian 穩定版使用者的 /etc/apt/sources.list

# Security updates
deb http://security.debian.org/ bullseye-security main contrib non-free
deb-src http://security.debian.org/ bullseye-security main contrib non-free

## Debian mirror

# Base repository
deb https://deb.debian.org/debian bullseye main contrib non-free
deb-src https://deb.debian.org/debian bullseye main contrib non-free

# Stable updates
deb https://deb.debian.org/debian bullseye-updates main contrib non-free
deb-src https://deb.debian.org/debian bullseye-updates main contrib non-free

# Stable backports
deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb-src https://deb.debian.org/debian bullseye-backports main contrib non-free
This file lists all sources of packages associated with the Bullseye version of Debian (the current Stable suite as of this writing). In the example above, we opted to name “bullseye” explicitly instead of using the corresponding “stable“ aliases (stable, stable-updates, stable-backports) because we don't want to have the underlying distribution changed outside of our control when the next stable release comes out.
Most packages will come from the “base repository”, which contains all packages but is seldom updated (about once every 2 months for a “point release”). The other repositories are partial (they do not contain all packages) and can host updates (packages with newer version) that APT might install. The following sections will explain the purpose and the rules governing each of those repositories.
請注意,指定版本的套件可能同時存在多個典藏庫,將取用列在 sources.list 檔案前面的典藏庫。所以,非官方的來源多半放在此檔案的最後面。
補充說明,本節有關 穩定版 的內容同樣適用於 舊穩定版,因為後者祗是較舊的 穩定版,仍然同步維護中。

6.1.2.1. 安全更新

Debian takes security seriously. Known software vulnerabilities in Debian are tracked in the Security Bug Tracker and usually get fixed in a reasonable timeframe. The security updates are not hosted on the usual network of Debian mirrors but on security.debian.org, a small set of machines maintained by the Debian System Administrators. This archive contains security updates prepared by the Debian Security Team and/or by package maintainers for the Stable and Oldstable distribution.
The server can also host security updates for Testing but this doesn't happen very often since those updates tend to reach that suite via the regular flow of updates coming from Unstable.
For serious issues, the security team issues a Debian Security Advisory (DSA) and announces it together with the security update on the mailing list (archive).

6.1.2.2. 穩定更新

穩定更新與安全無關,但認為在下個穩定釋出點前值得使用者更新它。
This repository will typically contain fixes for critical and serious bugs which could not be fixed before release or which have been introduced by subsequent updates. Depending on the urgency, it can also contain updates for packages that have to evolve over time, like spamassassin's spam detection rules, clamav's virus database, the daylight-saving time rules of all timezones (tzdata), the ESR version of Firefox (firefox-esr) or cryptographic keyrings like debian-archive-keyring.
In practice, this repository is a subset of the proposed-updates repository, carefully selected by the Stable Release Managers. All updates are announced on the mailing list (archive) and will be included in the next Stable point release anyway.

6.1.2.3. 建議更新

出版之後,穩定 發行版是唯一固定 2 個月更新的版本。建議的更新 典藏庫是儲放更新資料的地方 (由穩定版釋出經理管轄)。
此典藏所包括前一節的安全與穩定更新文件,以及其他的文件,因為套件維護者也需修護不需立即釋出的重要錯誤。
Anyone can use this repository to test those updates before their official publication. The extract below uses the bullseye-proposed-updates alias which is both more explicit and more consistent since buster-proposed-updates also exists (for the Oldstable updates):
deb https://deb.debian.org/debian bullseye-proposed-updates main contrib non-free

6.1.2.4. 穩定回移

穩定回移 典藏庫儲存 “回移的套件”。係指重新編譯供舊發行版使用的套件,通常係供 h穩定版 使用。
When the distribution becomes a little dated, numerous software projects have released new versions that are not integrated into the current Stable suite, which is only modified to address the most critical problems, such as security issues. Since the Testing and Unstable suites can be more risky, package maintainers sometimes voluntarily offer recompilations of recent software applications for Stable, which has the advantage to users and system administrators to limit potential instability to a small number of chosen packages. The page https://backports.debian.org provides more information.
Backports from stable-backports are only created from packages available in Testing. This ensures that all installed backports will be upgradable to the corresponding stable version once the next stable release of Debian is available.
Even though this repository provides newer versions of packages, APT will not install them unless you give explicit instructions to do so (or unless you have already done so with a former version of the given backport):
$ sudo apt-get install package/bullseye-backports
$ sudo apt-get install -t bullseye-backports package

6.1.3. 供 測試版/不穩定版 使用者的典藏庫

這裡是標準的 sources.list 供執行 Debian 測試版不穩定版 之用:

範例 6.3. /etc/apt/sources.list 檔案供 Debian 測試版/不穩定版 使用者

# Unstable
deb https://deb.debian.org/debian unstable main contrib non-free
deb-src https://deb.debian.org/debian unstable main contrib non-free

# Testing
deb https://deb.debian.org/debian testing main contrib non-free
deb-src https://deb.debian.org/debian testing main contrib non-free

# Testing security updates
deb http://security.debian.org/ testing-security main contrib non-free
deb-src http://security.debian.org/ testing-security main contrib non-free

# Stable
deb https://deb.debian.org/debian stable main contrib non-free
deb-src https://deb.debian.org/debian stable main contrib non-free

# Stable security updates
deb http://security.debian.org/ stable-security main contrib non-free
deb-src http://security.debian.org/ stable-security main contrib non-free
With this sources.list file APT will install packages from the Unstable suite. If that is not desired, use the APT::Default-Release setting (see 節 6.2.3, “系統升級”) to instruct APT to pick packages from another suite (most likely Testing in this case).
There are good reasons to include all those repositories, even though a single one should be enough. Testing users will appreciate the possibility to cherry-pick a fixed package from Unstable when the version in Testing is affected by an annoying bug. On the other hand, Unstable users bitten by unexpected regressions have the possibility to downgrade packages to their (supposedly working) Testing version.
The inclusion of Stable is more debatable but it often gives access to some packages, which have been removed from the development versions. It also ensures that you get the latest updates for packages, which have not been modified since the last stable release.

6.1.3.1. 實驗性 典藏所

實驗性 典藏所的套件是所有 Debian 鏡射站的內容,包括因為品質關係尚未被納入 不穩定版 的套件 — 通常是發展中的軟體版本或前置版 (alpha、beta、待釋出…)。修改過的套件多少有點問題,可送至此處。在進階使用者的協助下,維護者努力找出該等問題。經過第一階段後,把套件移至 不穩定版,更多的使用者以更詳細的方式測試它。
不在乎系統崩盤並有能力自行修復的使用者,就會取用 實驗性 的套件。使用者匯入此等套件並測試其功能、檢查是否滿足其需求。這就是 Debian 的訴求,加入 APT 的 sources.list 內,並不表示該套件可順利使用,應加入這一個行:
deb https://deb.debian.org/debian experimental main contrib non-free

6.1.4. Using Alternate Mirrors

The sources.list examples in this chapter refer to package repositories hosted on deb.debian.org. Those URLs will redirect you to servers which are close to you and which are managed by Content Delivery Networks (CDN) whose main role is to store multiple copies of the files across the world, and to deliver them as fast as possible to users. The CDN companies that Debian is working with are Debian partners who are offering their services freely to Debian. While none of those servers are under direct control of Debian, the fact that the whole archive is sealed by GPG signatures makes it a non-issue.
Picky users who are not satisfied with the performance of deb.debian.org can try to find a better mirror in the official mirror list:
But when you don't know which mirror is best for you, this list is of not much use. Fortunately for you, Debian maintains DNS entries of the form ftp.country-code.debian.org (e.g. ftp.us.debian.org for the USA, ftp.fr.debian.org for France, etc.) which are covering many countries and which are pointing to one (or more) of the best mirrors available within that country.
As an alternative to deb.debian.org, there used to be httpredir.debian.org. This service would identify a mirror close to you (among the list of official mirrors, using GeoIP mainly) and would redirect APT's requests to that mirror. This service has been deprecated due to reliability concerns and now httpredir.debian.org provides the same CDN-based service as deb.debian.org.

6.1.5. 非官方資源:mentors.debian.net

There are numerous non-official sources of Debian packages set up by advanced users who have recompiled some software — Ubuntu made this popular with their Personal Package Archive (PPA) service — by programmers who make their creation available to all, and even by Debian developers who offer pre-versions of their package online.
The mentors.debian.net site is interesting (although it only provides source packages), since it gathers packages created by candidates to the status of official Debian developer or by volunteers who wish to create Debian packages without going through that process of integration. These packages are made available without any guarantee regarding their quality; make sure that you check their origin and integrity and then test them before you consider using them in production.
安裝套件就是把根權限給其創造者,因為他們決定執行該等腳本的內容。Debian 官方的套件由志願者建立,並封閉套件以確保其完整。
In general, be wary of a package whose origin you don't know and which isn't hosted on one of the official Debian servers: evaluate the degree to which you can trust the creator, and check the integrity of the package.

6.1.6. Debian 套件快取代理

當機器的整個網路都組態成使用同個遠端伺服器下載同個更新套件,管理者就知道中介性質的代理做為在地網路的快取,是最有益的。(見專欄 術語 快取)。
可以用 "標準" 代理組態 APT (見 節 6.2.4, “組態選項” 給 APT 使用,把 節 11.6, “HTTP/FTP Proxy” 給代理端),但 Debian 的生態系統以更好的選擇解決此問題。本區列出的專用軟體比純快取更聰明,因為他們使用特定構架的 APT 典藏所 (例如他們知道檔案是否已過時,且在持有時調整其內容)。
apt-cacherapt-cacher-ng 就像一般快取伺服器般運作。APT 的 sources.list 不變,但 APT 組態成像是快取。
換句話說,approx 就像是 “鏡射” 至高層 URL 的遠端 HTTP 伺服器典藏所。高層典藏所與遠端 URL 典藏所是儲存在 /etc/approx/approx.conf
# <name>   <repository-base-url>
debian     https://deb.debian.org/debian
security   http://security.debian.org/debian-security
approx runs by default on port 9999 via a systemd socket and requires the users to adjust their sources.list file to point to the approx server:
# Sample sources.list pointing to a local approx server
deb http://localhost:9999/security bullseye-security main contrib non-free
deb http://localhost:9999/debian   bullseye main contrib non-free