Debian package notes (when apt and Automatic Updater in Ubuntu isn’t good enough)

This post was written by eli on November 19, 2014
Posted Under: Linux

Just a few jots on handling packages in Ubuntu. This post is a true mess.

Pinning

The bottom line seems to be not to use the Software Updater, but instead go

# apt-get upgrade

How to prevent certain packages from being updated, based upon this Pinning Howto page and the Apt Preferences page which cover the internals as well.

There also the manpage:

$ man apt_preferences

Repositories

The repositories known by apt-get are listed in /etc/apt/sources.list.d/ and /etc/apt/sources.list. For example, adding a repository:

# add-apt-repository ppa:vovoid/vsxu-release

Removing a repository e.g.

# add-apt-repository --remove ppa:vovoid/vsxu-release

and always do

# apt-get update

after changing the repository set. Now, you might get something like

E: The repository 'http://ppa.launchpad.net/...' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default

If you want to insist on using such repository (at your own risk), go

# apt update --allow-insecure-repositories

and may the force be with you.

Among others, adding the repository above creates /etc/apt/sources.list.d/vovoid-vsxu-release-trusty.list saying

deb http://ppa.launchpad.net/vovoid/vsxu-release/ubuntu trusty main
# deb-src http://ppa.launchpad.net/vovoid/vsxu-release/ubuntu trusty main

“trusty” refers to Ubuntu 14.04, of course.

Look at this page for more info.

Checking what apt-get would install

# apt-get -s upgrade | less

The packages related to the Linux kernel: linux-generic linux-headers-generic linux-image-generic

It’s worth looking here on  this regrading what packages “kept back means” (but the bottom line is that these packages won’t be installed).

Being open to suggestions

Kodi, for example, has a lot of “side packages” that are good to install along. This is how to tell apt-get to grab them as well:

# apt-get install --install-suggests kodi

Pinning with dpkg

This doesn’t work with apt-get nor Automatic Updater, following this and this web pages:

List all packages

$ dpkg -l

Wildcards can be used to find specific packages. For example, those related to the current kernel:

$ dpkg -l "*$(uname -r)*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                          Version                     Architecture                Description
+++-=============================================-===========================-===========================-===============================================================================================
ii  linux-headers-3.13.0-35-generic               3.13.0-35.62                amd64                       Linux kernel headers for version 3.13.0 on 64 bit x86 SMP
ii  linux-image-3.13.0-35-generic                 3.13.0-35.62                amd64                       Linux kernel image for version 3.13.0 on 64 bit x86 SMP
ii  linux-image-extra-3.13.0-35-generic           3.13.0-35.62                amd64                       Linux kernel extra modules for version 3.13.0 on 64 bit x86 SMP

Or, to get just the package names:

$ dpkg -l | awk '{ print $2; }' | grep "$(uname -r)"

Pinning a package

Aug 2019 update: Maybe with apt-mark? Haven’t tried that yet.

In order to prevent a certain package from being updated, use the “hold” setting for the package. For example, holding the kernel related package automatically (all three packages) as root:

# dpkg -l | awk '{ print $2; }' | grep "$(uname -r)" | while read i ; do echo $i hold ; done | dpkg --set-selections

After this, the listing of these packages is:

$ dpkg -l "*$(uname -r)*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                          Version                     Architecture                Description
+++-=============================================-===========================-===========================-===============================================================================================
hi  linux-headers-3.13.0-35-generic               3.13.0-35.62                amd64                       Linux kernel headers for version 3.13.0 on 64 bit x86 SMP
hi  linux-image-3.13.0-35-generic                 3.13.0-35.62                amd64                       Linux kernel image for version 3.13.0 on 64 bit x86 SMP
hi  linux-image-extra-3.13.0-35-generic           3.13.0-35.62                amd64                       Linux kernel extra modules for version 3.13.0 on 64 bit x86 SMP

Indeed, the “h” notes that the packages are held. To revert this, use “install” instead of “hold” in the input to dpkg –set-selections above.

Which package provides file X?

Following this page, install apt-file (simply with apt-get install apt-file), go “apt-file update” once and then go something like (not necessarily as root):

$ apt-file find libgnome-2.so

Note that the pattern can be a substring (as in the example above).

What files does package X generate?

$ dpkg -L libpulse-dev

Installing a deb file locally

# dpkg -i thepackage.deb

If there are failed dependencies, fix them with apt-get subsequently:

# apt-get -f install

and if it says that it wants to remove the package you tried to install, go

# apt-get install -f --fix-missing

That will probably not help directly, but odds are apt-get will at least explain why it wants to kick out the package.

To make apt ignore a failed post-installation script, consider this post.

Extracting the files from a repository

This can be used for running more than one version of Google Chrome on a computer. See this post for a few more words on this.

Extract the .deb package:

$ ar x google-chrome-stable_current_amd64.deb

Note that the files go into the current directory (yuck).

Extract the package’s files:

$ mkdir files
$ cd files
$ tar -xJf ../data.tar.xz

Extract the installation scripts:

$ mkdir scripts
$ cd scripts/
$ tar -xJf ../control.tar.xz

A word on repositories

Say that we have a line like this in /etc/apt/sources.list:

deb http://archive.ubuntu.com/ubuntu xenial main universe updates restricted security backports

It tells apt-update to go to http://archive.ubuntu.com/ubuntu/dists/ and look into xenial/main for the “main” part, xenial/universe for the “universe” part but e.g. xenial-updates/ for the “updates”. This site help with a better understanding on how a sources.list file is set up.

If we look at e.g. ubuntu/dists/xenial/main/, there’s a binary-amd64/ subdirectory for the amd64 platforms (64-bit Intel/AMD). That’s where the Packages.gz and Packages.xz files are found. These list the packages available in the repositories, but even more important: where to find them.

For example, the entry for the “adduser” package looks like this:

Package: adduser
Priority: required
Section: admin
Installed-Size: 648
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>
Architecture: all
Version: 3.113+nmu3ubuntu4
Replaces: manpages-it (<< 0.3.4-2), manpages-pl (<= 20051117-1)
Depends: perl-base (>= 5.6.0), passwd (>= 1:4.1.5.1-1.1ubuntu6), debconf | debconf-2.0
Suggests: liblocale-gettext-perl, perl-modules, ecryptfs-utils (>= 67-1)
Filename: pool/main/a/adduser/adduser_3.113+nmu3ubuntu4_all.deb
Size: 161698
MD5sum: 36f79d952ced9bde3359b63cf9cf44fb
SHA1: 6a5b8f58e33d5c9a25f79c6da80a64bf104e6268
SHA256: ca6c86cb229082cc22874ed320eac8d128cc91f086fe5687946e7d05758516a3
Description: add and remove users and groups
Multi-Arch: foreign
Homepage: http://alioth.debian.org/projects/adduser/
Description-md5: 7965b5cd83972a254552a570bcd32c93
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 5y
Task: minimal

As is evident, this entry contains dependency information, but most important: It points at where the package can be downloaded from: pool/main/a/adduser/adduser_3.113+nmu3ubuntu4_all.deb in this case, which actually points to http://archive.ubuntu.com/ubuntu/pool/main/a/adduser/adduser_3.113+nmu3ubuntu4_all.deb.

Note that the URL’s base is repository’s root, and not necessarily the root of the domain. Since the Package file contains the SHA1 sum of the .deb file, its own SHA1 sum is listed in http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease, which also contains a PGP signature.

The various “Contents” files (e.g. dists/xenial/Contents-amd64.gz) seem to contain a list of files, and the packages they belong to. Probably for use of apt-file.

Add a Comment

required, use real name
required, will not be published
optional, your blog address