Apt
Configure
HTTPS
By default, Apt is able to use http sources but not https ones. This might cause problem with some external repositories.
$ sudo apt install apt-transport-https
sources.list
Here is the /etc/apt/sources.list for a Debian Jessie distribution.
The file is referencing versions names instead of the stable and testing aliases. The reason is that we don't want a massive uncontrolled upgrade on the day of the release of the next stable.
# Standard Debian repository
deb https://deb.debian.org/debian stretch main contrib non-free
deb-src https://deb.debian.org/debian stretch main contrib non-free
# Security updates
# No mirror is used here to avoid issues with propagation delay
deb https://security.debian.org/ stretch/updates main contrib non-free
deb-src https://security.debian.org/ stretch/updates main contrib non-free
# stable-updates repo
# Contain some package that are known to change frequently like antivirus or timezone data
deb https://deb.debian.org/debian stretch-updates main contrib non-free
deb-src https://deb.debian.org/debian stretch-updates main contrib non-free
# Backport repo
# Contains packages from the next release that where modified to work on the current one
# Note that security is not assured by security team so updates might be slower than for other packages
deb https://deb.debian.org/debian stretch-backports main contrib non-free
deb-src https://deb.debian.org/debian stretch-backports main contrib non-free
# Testing
# For package that are not backported but where you want the new version
# Be very careful when installing these as they might bring incompatibility with the rest of the system
# Security is the lowest of the sources here. No security team, and updates might get blocked waiting for other migrations
deb https://deb.debian.org/debian buster main contrib non-free
deb-src https://deb.debian.org/debian buster main contrib non-free
apt.conf
The file /etc/apt/apt.conf stores settings of apt. You can create the file if it doesn't exist.
# Select the default release. Check /etc/apt/preference for more flexibility
# Only needed when non-standard sources are present like backport or testing
APT::Default-Release "stretch";
# When adding new sources in sources.list, you can hit the APT cache limit
# This line increases its size
APT::Cache-Limit "100000000";
Pinning
Setup
Create file /etc/apt/preferences
Explanation: This priority correspond to the default set by "APT::Default-Release"
Explanation: We make it explicit
Package: *
Pin: release o=Debian, n=stretch
Pin-Priority: 990
Explanation: Assign the same priority than stable release so these are picked if they are newer
Package: *
Pin: release o=Debian, n=stretch-updates
Pin-Priority: 990
Explanation: Lower than stable as we don't want them installed by default.
Explanation: Higher than testing, we prefer to install from backports than testing.
Package: *
Pin: release o=Debian Backports, n=stretch-backports
Pin-Priority: 900
Explanation: Lower than others
Explanation: Higher than 500 so it's still preferred over external sources
Package: *
Pin: release o=Debian, n=buster
Pin-Priority: 700
Debugging
By default, it might be hard to understand why a particular version of a package is chosen for updates. Thankfully, apt-cache can help us with that.
$ apt-cache policy | grep -Ev Translation-..$
Package files:
100 /var/lib/dpkg/status
release a=now
700 http://httpredir.debian.org/debian/ stretch/non-free amd64 Packages
release o=Debian,a=testing,n=stretch,l=Debian,c=non-free
origin httpredir.debian.org
700 http://httpredir.debian.org/debian/ stretch/contrib amd64 Packages
release o=Debian,a=testing,n=stretch,l=Debian,c=contrib
origin httpredir.debian.org
700 http://httpredir.debian.org/debian/ stretch/main amd64 Packages
release o=Debian,a=testing,n=stretch,l=Debian,c=main
origin httpredir.debian.org
900 http://httpredir.debian.org/debian/ jessie-backports/non-free amd64 Packages
release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=non-free
origin httpredir.debian.org
900 http://httpredir.debian.org/debian/ jessie-backports/contrib amd64 Packages
release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=contrib
origin httpredir.debian.org
900 http://httpredir.debian.org/debian/ jessie-backports/main amd64 Packages
release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=main
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie-updates/non-free amd64 Packages
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=non-free
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie-updates/contrib amd64 Packages
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=contrib
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie-updates/main amd64 Packages
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=main
origin httpredir.debian.org
990 http://security.debian.org/ jessie/updates/non-free amd64 Packages
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=non-free
origin security.debian.org
990 http://security.debian.org/ jessie/updates/contrib amd64 Packages
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=contrib
origin security.debian.org
990 http://security.debian.org/ jessie/updates/main amd64 Packages
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=main
origin security.debian.org
990 http://httpredir.debian.org/debian/ jessie/non-free amd64 Packages
release v=8.3,o=Debian,a=stable,n=jessie,l=Debian,c=non-free
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie/contrib amd64 Packages
release v=8.3,o=Debian,a=stable,n=jessie,l=Debian,c=contrib
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie/main amd64 Packages
release v=8.3,o=Debian,a=stable,n=jessie,l=Debian,c=main
origin httpredir.debian.org
Pinned packages:
$ apt-cache policy linux-image-amd64
linux-image-amd64:
Installed: 4.3+70~bpo8+1
Candidate: 4.3+70~bpo8+1
Version table:
4.3+70 0
700 http://httpredir.debian.org/debian/ stretch/main amd64 Packages
*** 4.3+70~bpo8+1 0
900 http://httpredir.debian.org/debian/ jessie-backports/main amd64 Packages
100 /var/lib/dpkg/status
3.16+63 0
990 http://httpredir.debian.org/debian/ jessie/main amd64 Packages
Tools
needrestart
After a successful upgrade, needrestart will check if any daemon need to be restarted. If so, it will show a dialog where you can choose which ones should be restarted automatically.
It will also warn you in case the system need to be restarted.
$ sudo apt install needrestart
reboot-notifier
Sends you a daily email in case your server need to be restarted
Important: Your server needs be able to send Emails before you install this.
$ sudo apt install reboot-notifier
You can configure the destination email address in /etc/default/reboot-notifier.
apt-listchanges
Parse changelogs when you upgrade a package and display it. It will also send a copy by email so you can have a look latter in case you missed something.
$ sudo apt install apt-listchanges
apticron
Apticron will check for updates and send you emails with changelogs
Important: Your server needs be able to send Emails before you install this.
$ sudo apt install apticron
To configure apticron, edit /etc/apticron/apticron.conf and changes the following settings
EMAIL="youremail@example.org"
NOTIFY_HOLDS="0"
NOTIFY_NEW="0"
System Maintenance
Manually installed packages
Both apt and aptitude can automatically remove packages that are not used any more. This allows to keep a clean system over time. However it requires the system to know which packages were automatically installed.
To list packages that are marked as manually installed, you can use
$ apt-mark showmanual
Remove useless configuration files
When deinstalling a package, configuration files are kept in case you need to reinstall it latter. Overtime, this can led to a lot of useless files in /etc.
To list the removed packages that still have configuration files, you can use:
$ aptitude search ?config-files
After inspection of the list, this command will remove them
$ sudo aptitude purge ?config-files
