Translation(s): English - Italiano


Apt is configured by several resources, including:


apt_preferences (APT pinning)

When multiple Apt repositories are enabled, a package can exist in several of them. To know which one should be installed, Apt assigns priorities to packages. The default is 500.

Pinning allows changing priorities for only some packages/repositories, so that you can:

<!> With a few exceptions (DebianBackports) it is not recommended to mix repositories/releases unless they were specially prepared . See DontBreakDebian.. Don't enable DebianUnstable repositories on DebianStable. When pinning, you must ensure compatibility of packages by yourself since Debian does not guarantee it. If you must do it keep in mind to assign (DebianTesting) or higher a lower Priority than 100 to prevent automatic upgrades.

To view the priority of a specific package, use apt-cache policy mypackage:

$ apt-cache policy claws-mail
claws-mail:
  Installed : (none)
  Candidate : 3.14.1-3+b1
 Version table :
     3.17.1-1~bpo9+1 100
        100 https://deb.debian.org/debian stretch-backports/main amd64 Packages
     3.14.1-3+b1 500
        500 https://deb.debian.org/debian stretch/main amd64 Package

In the example above, the package that would be installed (Candidate) would be the older, 3.14 version from stretch/main. stretch-backports/main has a newer version 3.17, but a lower priority (100 vs 500 for stretch)

To view the global priority for each Apt source (repository):

$ apt-cache policy 
Package files: 
 # The default https://wiki.debian.org/DebianStable repository with a priority of 500
 500 https://deb.debian.org/debian stable/main amd64 Packages
     o=Debian,n=stable,l=Debian,c=main,b=amd64
     origin deb.debian.org

 # The repository for Debian https://wiki.debian.org/PointReleases (security and grave bug fixes ~every 2 months)
 500 https://deb.debian.org/debian stable-updates/main amd64 Packages
     release o=Debian,a=oldstable-updates,n=stable-updates,l=Debian,c=main,b=amd64
     origin deb.debian.org

 # The https://wiki.debian.org/DebianSecurity repository with short response time for security fixes
 500 http://security.debian.org stable/updates/main amd64 Packages
     release v=9,o=Debian,a=oldstable,n=stable,l=Debian-Security,c=main,b=amd64
     origin security.debian.org

 # The https://wiki.debian.org/DebianBackports repository, comes with a default priority of 100
 100 https://deb.debian.org/debian stable-backports/main amd64 Packages
     release o=Debian Backports,a=stable-backports,n=stable-backports,l=Debian Backports,c=main,b=amd64
     origin deb.debian.org

 # The priority of locally installed packages
 100 /var/lib/dpkg/status 
     release a=now

Force installation of a package from a repository

To tell Apt to install a package from stretch-backports, even if the package has a low priority:

apt install -t stretch-backports claws-mail

Note that the package will not be automatically upgraded when running an Apt Upgrade.

Always prefer packages from a repository

To always prefer packages from stretch-backports (and hence allow Apt Upgrades), set a higher priority for this package coming from the stretch-backports release. Edit the file /etc/apt/preferences.d/99debian-backports (create it):

Package: claws-mail
Pin: release a=stretch-backports
Pin-Priority: 900

Now installing the claws-mail package will install the version from  stretch-backports. Running an Apt Upgrade will automatically pick up newer versions from stable-backports. Running apt-cache policy again you would see:

Pinned packages:
     claws-mail -> 3.17.1-1~bpo9+1 with priority 900

Prevent/selective installation from a third-party repository

To prevent installation of newer packages from a third-party repository (DontBreakDebian), even if it has equal priority, edit the file /etc/apt/preferences.d/99my-custom-repository by origin url:

# Never prefer packages from the my-custom-repo repository
Package: *
Pin: origin my.custom.repo.url
Pin-Priority: 1

# Allow upgrading only my-specific-software from my-custom-repo
Package: my-specific-software
Pin: origin my.custom.repo.url
Pin-Priority: 500

or by repository name:

# Never prefer packages from the my-custom-repo repository
Package: *
Pin: release o=my-custom-repo-name
Pin-Priority: 1

# Allow upgrading only my-specific-software from my-custom-repo
Package: my-specific-software
Pin: release o=my-custom-repo-name
Pin-Priority: 500

File naming in /etc/apt/preferences.d/ is free but the last in alphabetical order takes precedence.

The * after Package: is not a wildcard, but a special case that means "everything". Wildcards are NOT supported. However, trailing wildcards are accepted in versions (2.6* will match both 2.6 and 2.6.18).

Other pinning notes

In addition to origin, you can pin packages based on other variables. apt-cache policy shows other variables that can be used as the Pin: key:

   1 https://deb.debian.org/debian stretch-backports/non-free i386 Packages
     release o=Debian Backports,a=stretch-backports,n=stretch-backports,l=Debian Backports,c=non-free,b=i386
     origin deb.debian.org

These variables are provided by Release files in Debian repositories.

See also:

apt.conf

Apt accepts configuration files (without extension) in /etc/apt/apt.conf.d/. These are processed by Apt in numeric/alphabetical order. /etc/apt/apt.conf is also valid but deprecated.

These files contain directives used by all tools in the Apt suite, you can get a list of all current values with apt-config dump

If you really have to use FTP, this sets the FTP proxy:

 Acquire::ftp
 {
   Proxy "ftp://proxy:2121/";
   ProxyLogin
   {
      "USER $(SITE_USER)@$(SITE)";
      "PASS $(SITE_PASS)";
   }
 }

Be careful with APT::Default-Release

Maybe you have noticed examples like setting APT::Default-Release "stable"; or APT::Default-Release "bookworm";. It prevents installing security updates by apt upgrade, so avoid it. Instead of increasing priority of the current release, consider setting lower priority of added repositories through #apt_preferences (APT pinning). Since Debian 11 bullseye the security repository is labeled as stable-security and e.g. bookworm-security, so at least use regular expression matching all primary suites

APT::Default-Release "/^bookworm(|-security|-updates)$/";


CategoryPackageManagement | CategorySoftware | CategorySystemAdministration