apt-get

APT package handling utility
command-line interface

sudo apt-get [-asqdyfmubV] [-o=config_string] [-c=config_file] [-t=target_release] [-a=architecture]
{update |
 upgrade |dselect-upgrade | dist-upgrade |
 install   pkg [{=version | /target_release}] |
 remove    pkg |  purge pkg |
 build-dep pkg [{=version | /target_release}] |
 source    pkg [{=version | /target_release}] |
 download  pkg [{=version | /target_release}] |
 check | clean | autoclean | autoremove }
{-v | --version} | {-h | --help}}

apt-cache search 'reg exp'

Example: sudo apt-get update;sudo apt-get install aptitude

Command-line tool for handling packages, and may be considered the user's "back-end" to other tools using the APT library.
Interfaces exist, such as dselect, aptitude, synaptic and wajig.

update synchronize with repositories.
sudo apt-get update  should always be performed before an upgrade or dist-upgrade.
sudo apt-get update
Hit:1 http://archive.raspberrypi.org/debian bullseye InRelease
Get:2 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15.0 kB]
Fetched 15.0 kB in 3s (4814 B/s)
Reading package lists... 97%
Reading package lists... Done

old version i.e buster is oldstable
Get:1 http://archive.raspberrypi.org/debian buster InRelease [32.6 kB]
Get:2 http://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB]                            
Reading package lists... Done
E: Repository 'http://archive.raspberrypi.org/debian buster InRelease' changed its 'Suite' value from 'testing' to 'oldstable'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
E: Repository 'http://raspbian.raspberrypi.org/raspbian buster InRelease' changed its 'Suite' value from 'stable' to 'oldstable'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
upgrade Install the newest versions of all packages installed on the system from the sources in /etc/apt/sources.list .
New versions that cannot be upgraded without changing the install status of another package will be left at their current version.
sudo apt-get update  must be performed first
dist-upgrade In addition to performing upgrade changes dependencies with new versions of packages; upgrades most important packages at the expense of less important ones .
May remove some packages.
/etc/apt/sources.list contains locations from which to retrieve.
See also apt_preferences for overriding the general settings for individual packages.
dselect-upgrade Follows the changes made by dselect to the Status field of available packages, and performs the actions necessary to realize that state (for example, the removal of old and the installation of new packages).
install pkgname
[-|+|
=vvv|
/dist] …;
Additional packages required will also be retrieved and installed.
/etc/apt/sources.list is used to locate the desired packages.
To override decisions made by apt-get's conflict resolution: plus sign :install, minus indicates removal .
equals specificies a version of a package
a slash specifies a specific distribution (stable, testing, unstable).

Both of the version selection mechanisms can downgrade packages and must be used with care.

This is also used if you want to upgrade one or more already-installed packages without upgrading every package you have on your system.
Unlike upgrade , which installs the newest version of all currently installed packages,
install installs newest version of only the package(s) specified.

apt_preferences allows creaiton of an alternative installation policy for individual packages.

If no package matches the given expression and the expression contains one of '.', '?' or '*' then it is assumed to be a POSIX regular expression, and it is applied to all package names in the database. Any matches are then installed (or removed). Note that matching is done by substring so 'lo.*' matches 'how-lo' and 'lowest'. If this is undesired, anchor the regular expression with a '^' or '$' character, or create a more specific regular expression.

remove pkgname[+] …; leaves its configuration files.
+ (plus sign) package will be installed instead of removed.
purge packages are removed and purged (configuration files are deleted too).
source fetch source packages. with the option APT::Default-Release, the -t option or per package with the pkg/release

source packages are tracked separately from binary packages . add a line for each repository to get sources from;


If --compile is specified the package will be compiled to a binary .deb using dpkg-buildpackage for the architecture as defined by the --host-architecture option.
--download-only package will not be unpacked.

A specific source version can be retrieved by postfixing the source name with an equals and then the version to fetch, similar to the mechanism used for the package files. This enables exact matching of the source package name and version, implicitly enabling the APT::Get::Only-Source option.

source packages are not installed and tracked in the dpkg database like binary packages;

build-dep install/remove packages in an attempt to satisfy the build dependencies for a source package. By default the dependencies are satisfied to build the package natively. If desired a host-architecture can be specified with the --host-architecture option instead.
check diagnostic tool; updates the package cache and checks for broken dependencies.
download ddownloads the given binary package into the current directory.
clean clears out the local repository of retrieved package files. It removes everything but the lock file from /var/cache/apt/archives/ and /var/cache/apt/archives/partial/.
When APT is used as a dselect method, clean is run automatically.
Run apt-get clean from time to time to free up disk space.
autoclean Like clean, clears out the local repository of retrieved package files, only removes package files that can no longer be downloaded, and are largely useless. Configuration APT::Clean-Installed off prevents installed packages from being erased
autoremove remove packages that were automatically installed to satisfy dependencies for other packages and are now no longer needed.
changelog downloads a package changelog and displays it through sensible-pager.
The server name and base directory is defined in APT::Changelogs::Server (e.g. packages.debian.org/changelogs[1] for Debian or changelogs.ubuntu.com/changelogs[2] for Ubuntu). By default it displays the changelog for the version that is installed. However, you can specify the same options as for the install command.

OPTIONS

Command line options may be set using the configuration file.
Boolean options can be overriden in the config file using -f-, --no-f, -f=no or several other variations.

--no-install-recommends Do not consider recommended packages as a dependency for installing.
Configuration Item: APT::Install-Recommends.
--install-suggests Consider suggested packages as a dependency for installing.
Configuration Item: APT::Install-Suggests.
-d
--download-only
Download only; package files are only retrieved, not unpacked or installed.
Configuration Item: APT::Get::Download-Only.
-f
--fix-broken
Correct broken dependencies, with install/remove, can omit any packages to permit APT to deduce a likely solution. If packages are specified, these have to completely correct the problem.
Sometimes necessary when running APT for the first time.
together with -m may produce an error in some situations.
Configuration Item: APT::Get::Fix-Broken.
-m
--ignore-missing
--fix-missing
Ignore missing packages; if packages cannot be retrieved or fail the integrity check, hold back those packages and handle the result.
With --fix-broken may produce an error.
If a package is selected for installation and it could not be downloaded it will be silently held back.
Configuration Item: APT::Get::Fix-Missing.
--no-download Disables downloading of packages. with --ignore-missing to force APT to use only the .debs it has already downloaded.
Configuration Item: APT::Get::Download.
-q
--quiet
Quiet; produces output suitable for logging, omitting progress indicators. More q's will produce more quiet up to a maximum of 2. You can also use -q=# to set the quiet level, overriding the configuration file. Note that quiet level 2 implies -y; you should never use -qq without a no-action modifier such as -d
--print-uris or -s as APT may decide to do something you did not expect.
Configuration Item: quiet.
-s
--simulate
--just-print
--dry-run
--recon
--no-act
No action; perform a simulation of events that would occur but do not actually change the system.
Configuration Item: APT::Get::Simulate. Simulated runs performed as a user will automatically deactivate locking (Debug::NoLocking), and if the option APT::Get::Show-User-Simulation-Note is set (as it is by default) a notice will also be displayed indicating that this is only a simulation. Runs performed as root do not trigger either NoLocking or the notice - superusers should know what they are doing without further warnings from apt-get. Simulated runs print out a series of lines, each representing a dpkg operation: configure (Conf), remove (Remv) or unpack (Inst). Square brackets indicate broken packages, and empty square brackets indicate breaks that are of no consequence (rare).
-y
--yes
--assume-yes
Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively. If an undesirable situation, such as changing a held package, trying to install a unauthenticated package or removing an essential package occurs then apt-get will abort.
Configuration Item: APT::Get::Assume-Yes.
--assume-no Automatic "no" to all prompts.
Configuration Item: APT::Get::Assume-No.
-u
--show-upgraded
Show upgraded packages; print out a list of all packages that are to be upgraded.
Configuration Item: APT::Get::Show-Upgraded.
-V
--verbose-versions
Show full versions for upgraded and installed packages.
Configuration Item: APT::Get::Show-Versions.
-a
--host-architecture
This option controls the architecture packages are built for by apt-get source --compile and how cross-builddependencies are satisfied. By default is it not set which means that the host architecture is the same as the build architecture (which is defined by APT::Architecture).
Configuration Item: APT::Get::Host-Architecture
-b
--compile
--build
Compile source packages after downloading them.
Configuration Item: APT::Get::Compile.
--ignore-hold Ignore package holds; this causes apt-get to ignore a hold placed on a package. This may be useful in conjunction with dist-upgrade to override a large number of undesired holds.
Configuration Item: APT::Ignore-Hold.
--no-upgrade Do not upgrade packages; when used in conjunction with install, no-upgrade will prevent packages on the command line from being upgraded if they are already installed.
Configuration Item: APT::Get::Upgrade.
--only-upgrade Do not install new packages; when used in conjunction with install, only-upgrade will install upgrades for already installed packages only and ignore requests to install new packages.
Configuration Item: APT::Get::Only-Upgrade.
--force-yes Force yes; this is a dangerous option that will cause apt to continue without prompting if it is doing something potentially harmful. It should not be used except in very special situations. Using force-yes can potentially destroy your system!
Configuration Item: APT::Get::force-yes.
--print-uris Instead of fetching the files to install their URIs are printed. Each URI will have the path, the destination file name, the size and the expected MD5 hash. Note that the file name to write to will not always match the file name on the remote site! This also works with the source and update commands. When used with the update command the MD5 and size are not included, and it is up to the user to decompress any compressed files.
Configuration Item: APT::Get::Print-URIs.
--purge Use purge instead of remove for anything that would be removed. An asterisk ("*") will be displayed next to packages which are scheduled to be purged. remove --purge is equivalent to the purge command.
Configuration Item: APT::Get::Purge.
--reinstall Re-install packages that are already installed and at the newest version.
Configuration Item: APT::Get::ReInstall.
--list-cleanup This option is on by default; use --no-list-cleanup to turn it off. When it is on, apt-get will automatically manage the contents of /var/lib/apt/lists to ensure that obsolete files are erased. The only reason to turn it off is if you frequently change your sources list.
Configuration Item: APT::Get::List-Cleanup.
-t
--target-release
--default-release
This option controls the default input to the policy engine; it creates a default pin at priority 990 using the specified release string. This overrides the general settings in /etc/apt/preferences. Specifically pinned packages are not affected by the value of this option. In short, this option lets you have simple control over which distribution packages will be retrieved from. Some common examples might be -t '2.1*'
-t unstable or -t sid.
Configuration Item: APT::Default-Release; see also the apt_preferences(5) manual page.
--trivial-only Only perform operations that are 'trivial'. Logically this can be considered related to --assume-yes; where --assume-yes will answer yes to any prompt
--trivial-only will answer no.
Configuration Item: APT::Get::Trivial-Only.
--no-remove If any packages are to be removed apt-get immediately aborts without prompting.
Configuration Item: APT::Get::Remove.
--auto-remove If the command is either install or remove, then this option acts like running the autoremove command, removing unused dependency packages.
Configuration Item: APT::Get::AutomaticRemove.
--only-source Only has meaning for the source and build-dep commands. Indicates that the given source names are not to be mapped through the binary table. This means that if this option is specified, these commands will only accept source package names as arguments, rather than accepting binary package names and looking up the corresponding source package.
Configuration Item: APT::Get::Only-Source.
--diff-only
--dsc-only
--tar-only
Download only the diff, dsc, or tar file of a source archive.
Configuration Item: APT::Get::Diff-Only, APT::Get::Dsc-Only, and APT::Get::Tar-Only.
--arch-only Only process architecture-dependent build-dependencies.
Configuration Item: APT::Get::Arch-Only.
--allow-unauthenticated Ignore if packages can't be authenticated and don't prompt about it.
Useful for tools like pbuilder.
Configuration Item: APT::Get::AllowUnauthenticated.
-h
--help
Show a short usage summary.
-v
--version
Show the program version.
-c filename
--config-file
Reads the default configuration file and then this file. If settings need to be set before the default configuration files are read specify a file with $APT_CONFIG . See apt.conf(5)<./code>
-o option=value
--option
Set a Configuration Option;

FILES

/etc/apt/sources.list Locations to fetch packages from. Configuration Item: Dir::Etc::SourceList.
raspberryPi 7/8/13:
deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi
/etc/apt/sources.list.d/ File fragments for locations to fetch packages from. Configuration Item: Dir::Etc::SourceParts.
/etc/apt/apt.conf APT configuration file. Configuration Item: Dir::Etc::Main.
/etc/apt/apt.conf.d/ APT configuration file fragments. Configuration Item: Dir::Etc::Parts.
/etc/apt/preferences Version preferences file. This is where you would specify "pinning", i.e. a preference to get certain packages from a separate source or from a different version of a distribution. Configuration Item: Dir::Etc::Preferences.
/etc/apt/preferences.d/ File fragments for the version preferences. Configuration Item: Dir::Etc::PreferencesParts.
/var/cache/apt/archives/ Storage area for retrieved package files. Configuration Item: Dir::Cache::Archives.
/var/cache/apt/archives/partial/ Storage area for package files in transit. Configuration Item: Dir::Cache::Archives (partial will be implicitly appended)
/var/lib/apt/lists/ Storage area for state information for each package resource specified in sources.list(5) Configuration Item: Dir::State::Lists.
/var/lib/apt/lists/partial/ Storage area for state information in transit. Configuration Item: Dir::State::Lists (partial will be implicitly appended)

SEE ALSO

apt-cache(8), apt-cdrom(8), dpkg, dselect, sources.list(5), apt.conf(5), apt-config(8), apt-secure(8), The APT User's guide in /usr/share/doc/apt-doc/, apt_preferences(5), the APT Howto.

DIAGNOSTICS

Returns zero on normal operation, decimal 100 on error.
           http://packages.debian.org/changelogs 
           http://changelogs.ubuntu.com/changelogs 
           http://bugs.debian.org/src:apt

apt 0.9.7.7 for armhf compiled on Dec 24 2012 14:39:34
Usage: apt-get [options] command
       apt-get [options] install|remove pkg1 [pkg2 ...]
       apt-get [options] source pkg1 [pkg2 ...]

apt-get is a simple command line interface for downloading and
installing packages. The most frequently used commands are update
and install.

Commands:
   update - Retrieve new lists of packages
   upgrade - Perform an upgrade
   install - Install new packages (pkg is libc6 not libc6.deb)
   remove - Remove packages
   autoremove - Remove automatically all unused packages
   purge - Remove packages and config files
   source - Download source archives
   build-dep - Configure build-dependencies for source packages
   dist-upgrade - Distribution upgrade, see apt-get(8)
   dselect-upgrade - Follow dselect selections
   clean - Erase downloaded archive files
   autoclean - Erase old downloaded archive files
   check - Verify that there are no broken dependencies
   changelog - Download and display the changelog for the given package
   download - Download the binary package into the current directory

Options:
  -h  This help text.
  -q  Loggable output - no progress indicator
  -qq No output except for errors
  -d  Download only - do NOT install or unpack archives
  -s  No-act. Perform ordering simulation
  -y  Assume Yes to all queries and do not prompt
  -f  Attempt to correct a system with broken dependencies in place
  -m  Attempt to continue if archives are unlocatable
  -u  Show a list of upgraded packages as well
  -b  Build the source package after fetching it
  -V  Show verbose version numbers
  -c=? Read this configuration file
  -o=? Set an arbitrary configuration option, eg -o dir::cache=/tmp
See the apt-get(8), sources.list(5) and apt.conf(5) manual
pages for more information and options.
                       This APT has Super Cow Powers.

apt-secure

Archive authentication support for APT

UNSIGNED REPOSITORIES

If an archive has an unsigned Release file or no Release file at all current APT versions will refuse to download data from them by default in update operations and even if forced to download front-ends like apt-get(8) will require explicit confirmation if an installation request includes a package from such an unauthenticated archive.

You can force all APT clients to raise only warnings by setting the configuration option Acquire::AllowInsecureRepositories to true. Individual repositories can also be allowed to be insecure via the sources.list(5) option allow-insecure=yes. Note that insecure repositories are strongly discouraged and all options to force apt to continue supporting them will eventually be removed. Users also have the Trusted option available to disable even the warnings, but be sure to understand the implications as detailed in sources.list(5).

A repository which previously was authenticated but would loose this state in an update operation raises an error in all APT clients irrespective of the option to allow or forbid usage of insecure repositories. The error can be overcome by additionally setting Acquire::AllowDowngradeToInsecureRepositories to true or for Individual repositories with the sources.list(5) option allow-downgrade-to-insecure=yes.

SIGNED REPOSITORIES

The chain of trust from an APT archive to the end user is made up of several steps. apt-secure is the last step in this chain; trusting an archive does not mean that you trust its packages not to contain malicious code, but means that you trust the archive maintainer. It's the archive maintainer's responsibility to ensure that the archive's integrity is preserved.

apt-secure does not review signatures at a package level. If you require tools to do this you should look at debsig-verify and debsign (provided in the debsig-verify and devscripts packages respectively).

The chain of trust in Debian starts (e.g.) when a maintainer uploads a new package or a new version of a package to the Debian archive. In order to become effective, this upload needs to be signed by a key contained in one of the Debian package maintainer keyrings (available in the debian-keyring package). Maintainers' keys are signed by other maintainers following pre-established procedures to ensure the identity of the key holder. Similar procedures exist in all Debian-based distributions.

Once the uploaded package is verified and included in the archive, the maintainer signature is stripped off, and checksums of the package are computed and put in the Packages file. The checksums of all of the Packages files are then computed and put into the Release file. The Release file is then signed by the archive key for this Raspbian release, and distributed alongside the packages and the Packages files on Raspbian mirrors. The keys are in the Raspbian archive keyring available in the raspbian-archive-keyring package.

End users can check the signature of the Release file, extract a checksum of a package from it and compare it with the checksum of the package they downloaded by hand - or rely on APT doing this automatically.

This is distinct from checking signatures on a per package basis. It is designed to prevent two possible attacks: o Network "man in the middle" attacks. Without signature checking, malicious agents can introduce themselves into the package download process and provide malicious software either by controlling a network element (router, switch, etc.) or by redirecting traffic to a rogue server (through ARP or DNS spoofing attacks). o Mirror network compromise. Without signature checking, a malicious agent can compromise a mirror host and modify the files in it to propagate malicious software to all users downloading packages from that host. However, it does not defend against a compromise of the master server itself (which signs the packages) or against a compromise of the key used to sign the Release files. In any case, this mechanism can complement a per-package signature.

INFORMATION CHANGES

A Release file contains beside the checksums for the files in the repository also general information about the repository like the origin, codename or version number of the release. This information is shown in various places so a repository owner should always ensure correctness. Further more user configuration like apt_preferences(5) can depend and make use of this information. Since version 1.5 the user must therefore explicitly confirm changes to signal that the user is sufficiently prepared e.g. for the new major release of the distribution shipped in the repository (as e.g. indicated by the codename).

USER CONFIGURATION

apt-key is the program that manages the list of keys used by APT to trust repositories. It can be used to add or remove keys as well as list the trusted keys. Limiting which key(s) are able to sign which archive is possible via the Signed-By in sources.list(5). Note that a default installation already contains all keys to securely acquire packages from the default repositories, so fiddling with apt-key is only needed if third-party repositories are added. In order to add a new key you need to first download it (you should make sure you are using a trusted communication channel when retrieving it), add it with apt-key and then run apt-get update so that apt can download and verify the InRelease or Release.gpg files from the archives you have configured.

REPOSITORY CONFIGURATION

To provide archive signatures in an archive under your maintenance :
  1. Create a toplevel Release file by running apt-ftparchive release (in apt-utils).
  2. Sign it by running gpg --clearsign -o InRelease Release and gpg -abs -o Release.gpg Release.
  3. Publish the key fingerprint, so that users will know what key they need to import in order to authenticate the files in the archive. Ship your key in its own keyring package like Raspbian does with raspbian-archive-keyring to be able to distribute updates and key transitions automatically.
  4. Provide instructions on how to add your archive and key. Have your keyring package included in another archive users have configured (like the default repositories of their distribution) to leveraging the web of trust.
When the archive changes (new packages are added or removed) the archive maintainer has to follow the first two steps outlined above.

See Also:

apt.conf(5), apt-get(8), sources.list(5), apt-key(8), apt-ftparchive, debsign, debsig-verify, gpg

Review the Debian Security Infrastructure[1] chapter of the Securing Debian Manual CyberCiti.biz

aptitude NCurses version