Apt is configured by several resources, including:
SourcesList - lists of software repositories (sources)
SecureApt - keys for secure authentication of packages
apt_preferences and apt.conf described below
Runtime options/command-line flags of PackageManagementTools
apt_preferences (APT pinning)
Debian Reference - Debian package management - 2.7.3. Tweaking candidate version
man 5 apt_preferences
man 5 apt.conf
man 8 apt-config
When multiple Apt repositories are enabled, a package can exist in several of them. To know which one should be installed, Apt assigns priorities to packages. The default is 500.
- If the packages have the same priority, the package with a higher version number (most recent) wins.
- If packages have different priorities, the one with the higher priority wins.
Pinning allows changing priorities for only some packages/repositories, so that you can:
- Prefer a DebianBackports package over a DebianStable one: by default Debian backports repositories have a lower priority than stable (100). Their packages won't be installed or upgraded unless explicitly configured to (or the package only exists in backports).
- Only allow some packages from a third-party repository, and ignore the others even if more recent: you may want to add experimental/unstable/third-party repositories with extra/more recent software, but only allow some of these packages to be installed.
- Force a package downgrade (not recommended)
With a few exceptions (DebianBackports), it is not recommended to mix repositories/releases unless they were specially prepared. See DontBreakDebian. Don't enable DebianUnstable repositories on DebianStable. When pinning, you must ensure compatibility of packages yourself, since Debian does not guarantee it. If you must do it, keep in mind to assign DebianTesting or higher a Priority lower than 100 to prevent automatic upgrades.
To view the priority of a specific package, use apt-cache policy mypackage:
    $ apt-cache policy claws-mail
    claws-mail:
      Installed : (none)
      Candidate : 3.14.1-3+b1
      Version table :
         3.17.1-1~bpo9+1 100
            100 https://deb.debian.org/debian stretch-backports/main amd64 Packages
         3.14.1-3+b1 500
            500 https://deb.debian.org/debian stretch/main amd64 Packages

In the example above, the package that would be installed (Candidate) is the older 3.14 version from stretch/main. stretch-backports/main has a newer version, 3.17, but a lower priority (100 vs 500 for stretch).
To view the global priority for each Apt source (repository):
    $ apt-cache policy
    Package files:
    # The default https://wiki.debian.org/DebianStable repository with a priority of 500
     500 https://deb.debian.org/debian stable/main amd64 Packages
         release o=Debian,n=stable,l=Debian,c=main,b=amd64
         origin deb.debian.org
    # The repository for Debian https://wiki.debian.org/PointReleases (security and grave bug fixes ~every 2 months)
     500 https://deb.debian.org/debian stable-updates/main amd64 Packages
         release o=Debian,a=oldstable-updates,n=stable-updates,l=Debian,c=main,b=amd64
         origin deb.debian.org
    # The https://wiki.debian.org/DebianSecurity repository with short response time for security fixes
     500 http://security.debian.org stable/updates/main amd64 Packages
         release v=9,o=Debian,a=oldstable,n=stable,l=Debian-Security,c=main,b=amd64
         origin security.debian.org
    # The https://wiki.debian.org/DebianBackports repository, comes with a default priority of 100
     100 https://deb.debian.org/debian stable-backports/main amd64 Packages
         release o=Debian Backports,a=stable-backports,n=stable-backports,l=Debian Backports,c=main,b=amd64
         origin deb.debian.org
    # The priority of locally installed packages
     100 /var/lib/dpkg/status
         release a=now
Force installation of a package from a repository
To tell Apt to install a package from stretch-backports, even if the package has a low priority:
apt install -t stretch-backports claws-mail
Note that the package will not be automatically upgraded when running an Apt Upgrade.
Always prefer packages from a repository
To always prefer packages from stretch-backports (and hence allow Apt Upgrades), set a higher priority for this package coming from the stretch-backports release. Edit the file /etc/apt/preferences.d/99debian-backports (create it):
    Package: claws-mail
    Pin: release a=stretch-backports
    Pin-Priority: 900
Now installing the claws-mail package will install the version from stretch-backports. Running an Apt Upgrade will automatically pick up newer versions from stable-backports. Running apt-cache policy again you would see:
    Pinned packages:
         claws-mail -> 3.17.1-1~bpo9+1 with priority 900
Prevent/selective installation from a third-party repository
To prevent installation of newer packages from a third-party repository (DontBreakDebian), even if it has equal priority, edit the file /etc/apt/preferences.d/99my-custom-repository and pin by origin URL:

    # Never prefer packages from the my-custom-repo repository
    Package: *
    Pin: origin my.custom.repo.url
    Pin-Priority: 1

    # Allow upgrading only my-specific-software from my-custom-repo
    Package: my-specific-software
    Pin: origin my.custom.repo.url
    Pin-Priority: 500
or by repository name:
    # Never prefer packages from the my-custom-repo repository
    Package: *
    Pin: release o=my-custom-repo-name
    Pin-Priority: 1

    # Allow upgrading only my-specific-software from my-custom-repo
    Package: my-specific-software
    Pin: release o=my-custom-repo-name
    Pin-Priority: 500
File naming in /etc/apt/preferences.d/ is free but the last in alphabetical order takes precedence.
The * after Package: is not a wildcard, but a special case that means "everything". Wildcards are NOT supported. However, trailing wildcards are accepted in versions (2.6* will match both 2.6 and 2.6.18).
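To check what such a file lets a third-party repository supply, the stanzas can be parsed and evaluated per package. This is an added example, not part of the original page or of Apt; it is a simplified model (man 5 apt_preferences has the exact rules), and the `THIRD_PARTY` source description and the `libfoo` package name are assumptions.

```python
import re
# Constructed sample: both pin forms shown above, and one hypothetical source.
PREFS = """\
# Never prefer packages from the my-custom-repo repository
Package: *
Pin: origin my.custom.repo.url
Pin-Priority: 1

# Allow upgrading only my-specific-software from my-custom-repo
Package: my-specific-software
Pin: release o=my-custom-repo-name
Pin-Priority: 500
"""
THIRD_PARTY = {"origin": "my.custom.repo.url", "release": {"o": "my-custom-repo-name"}}
DEFAULT_PRIORITY = 500  # used when no record matches

def parse_preferences(text):
    stanzas = []
    for block in re.split(r"\n\s*\n", text):
        fields = {}
        for line in block.splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if {"Package", "Pin", "Pin-Priority"} <= fields.keys():
            stanzas.append(fields)  # keep complete stanzas only
    return stanzas

def pin_matches(pin, source):
    kind, _, arg = pin.partition(" ")
    if kind == "origin":
        return arg.strip().strip('"') == source["origin"]
    if kind == "release":
        wanted = dict(item.strip().split("=", 1) for item in arg.split(","))
        return all(source["release"].get(k) == v for k, v in wanted.items())
    return False  # "version" pins are not modelled here

def effective_priority(package, source, stanzas):
    """Simplified: a record naming the package beats a 'Package: *' record."""
    matching = [s for s in stanzas if pin_matches(s["Pin"], source)]
    specific = [s for s in matching if package in s["Package"].split()]
    general = [s for s in matching if s["Package"].strip() == "*"]
    for s in specific + general:
        return int(s["Pin-Priority"])
    return DEFAULT_PRIORITY

if __name__ == "__main__":
    for pkg in ("my-specific-software", "libfoo"):
        print(pkg, effective_priority(pkg, THIRD_PARTY, parse_preferences(PREFS)))
```

Any package that comes back at 500 or higher for the third-party source competes on equal terms with the Debian archive, so that list should contain only the software you meant to allow.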
Other pinning notes
In addition to origin, you can pin packages based on other variables. apt-cache policy shows other variables that can be used as the Pin: key:
     1 https://deb.debian.org/debian stretch-backports/non-free i386 Packages
         release o=Debian Backports,a=stretch-backports,n=stretch-backports,l=Debian Backports,c=non-free,b=i386
         origin deb.debian.org
release: the DebianRelease full name, codename (n) or release number (v)
a, archive: archive (base directory in the repository)
c, component: main/contrib/non-free
origin: domain name of the repository (ToDo verify)
l, label: ToDo
b, architecture: processor architecture
version: package version
These variables are provided by Release files in Debian repositories.
See also:
Carlo Wood's Debian Cheat Sheet (2007)
John H. Robinson's Apt-Pinning for beginners (2002)
apt.conf
Apt accepts configuration files (without extension) in /etc/apt/apt.conf.d/. These are processed by Apt in numeric/alphabetical order. /etc/apt/apt.conf is also valid but deprecated.
These files contain directives used by all tools in the Apt suite. You can get a list of all current values with apt-config dump.
Dpkg::Pre-Install-Pkgs {"mycommand";};: executes mycommand before package installation/unpacking by Dpkg.
Dpkg::Pre-Invoke {"mycommand";};: executes mycommand before apt calls dpkg
Dpkg::Post-Invoke {"mycommand";};: executes mycommand after apt calls dpkg
Acquire::http::Proxy "http://proxy:8080";: sets the proxy for HTTP downloads
Acquire::https::Proxy "https://proxy:8443";: sets the proxy for HTTPS downloads
Acquire::http::Timeout "2";: sets the timeout for HTTP downloads
Acquire::https::Timeout "2";: sets the timeout for HTTPS downloads
Acquire::ftp::Timeout "2";: sets the timeout for FTP downloads
If you really have to use FTP, this sets the FTP proxy:
    Acquire::ftp {
      Proxy "ftp://proxy:2121/";
      ProxyLogin {
        "USER $(SITE_USER)@$(SITE)";
        "PASS $(SITE_PASS)";
      }
    }
Be careful with APT::Default-Release
You may have noticed examples that set APT::Default-Release "stable"; or APT::Default-Release "bookworm";. This setting prevents apt upgrade from installing security updates, so avoid it. Instead of increasing the priority of the current release, consider setting a lower priority for added repositories through apt_preferences (APT pinning). Since Debian 11 bullseye the security repository is labeled as stable-security and e.g. bookworm-security, so at least use a regular expression matching all primary suites:
APT::Default-Release "/^bookworm(|-security|-updates)$/";
Debian-security. Re: Setting APT::Default-Release prevents installation of security updates in bookworm!? message recommending against this setting.
Bug 1041708 has a comment with an opinion that APT::Default-Release is deprecated.
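Both the Dpkg::Pre-Invoke/Post-Invoke style directives and APT::Default-Release are worth reviewing on an existing host, since the first run commands around dpkg and the second can hide security updates. The following is an added example, not part of the original page or of Apt: it reads text in the format of apt-config dump, with a constructed sample, and assumes Python's re behaves like Apt's matcher for the /regex/ form.

```python
import re

# Constructed sample of `apt-config dump` output, not taken from a real host.
SAMPLE_DUMP = '''\
APT::Default-Release "bookworm";
Acquire::http::Proxy "http://proxy:8080";
DPkg::Pre-Invoke "";
DPkg::Pre-Invoke:: "mycommand";
DPkg::Post-Invoke:: "mycommand --after";
'''
# Directives from this page that run a command; option names are case-insensitive.
HOOK_KEYS = {"dpkg::pre-install-pkgs", "dpkg::pre-invoke", "dpkg::post-invoke"}

def parse_dump(text):
    """Yield (name, value); the trailing '::' of list items is dropped."""
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+"(.*)";\s*$', line)
        if m:
            yield m.group(1).rstrip(":"), m.group(2)

def uncovered_suites(value, base):
    """Primary suites of `base` that an APT::Default-Release value leaves out."""
    suites = [base, base + "-security", base + "-updates"]
    if len(value) > 2 and value.startswith("/") and value.endswith("/"):
        # /regex/ form; Python's re stands in for Apt's own matcher (assumption).
        rx = re.compile(value[1:-1])
        return [s for s in suites if not rx.search(s)]
    return [s for s in suites if s != value]  # a plain name matches only itself

def audit(dump_text, base):
    """Collect configured hook commands and Default-Release coverage gaps."""
    hooks, gaps = [], []
    for name, value in parse_dump(dump_text):
        if not value:
            continue  # empty parent nodes such as 'DPkg::Pre-Invoke "";'
        if name.lower() in HOOK_KEYS:
            hooks.append((name, value))
        elif name.lower() == "apt::default-release":
            gaps = uncovered_suites(value, base)
    return {"hooks": hooks, "default_release_gaps": gaps}

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP, "bookworm"))
```

On a real system, pass the output of apt-config dump to `audit` in place of `SAMPLE_DUMP` and compare the reported hooks against the commands you expect your installed packages to register.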