Making apt Work for You: A Book Excerpt

by Michael Jang

The following excerpt was taken from the book titled Linux Patch Management: Keeping Linux Systems Up to
, authored by Michael Jang, copyright 2006, Pearson
Education, Inc. ISBN 0-13-236675-4. Reproduced by permission of
Pearson Education, Inc. All rights reserved. To learn more about
the book and for the complete table of contents, please visit the book's
Web site

One of the popular Linux patch management systems is based on the
Advanced Package Tool, known as apt. While it was developed for Debian
Linux, it is the standard patch management tool for a number of Debian
and Red Hat-based distributions, including Knoppix, Xandros, and even
the Lineox rebuild of Red Hat Enterprise Linux. But if you prefer apt,
the associated tools can be installed on most Linux distributions.

In this chapter, you'll learn the fundamentals of apt, including some of
its more useful commands. Then you'll see how you can use apt to maintain
a Debian client, beyond the fundamental tools that you learned about in
Chapter 1, "Patch Management Systems". Finally, you'll see how you can
create and maintain a local apt-based repository for your network.

Fundamentals of apt

There are many different commands associated with apt. You reviewed
a couple of these commands in Chapter 1. While you can do a lot with
apt-cache and apt-get, there are more commands and capabilities.

You should know how to find the best mirrors for your distribution,
as well as how to include them in your apt configuration. When you
learn how to use various apt commands, you'll learn to appreciate the
capabilities of related "all-in-one" tools, including aptitude and the
Synaptic Package Manager. If you find apt to your liking, you may need to
install it on your chosen distribution. The same apt tools are available
for both Debian- and RPM-based distributions.

Installing apt on a Debian-Based

There are several packages associated with apt. Not all are installed by
default. If you want to take full advantage of the apt system, you'll
want to install as many apt-related packages as is practical. To find
available apt packages on my Debian system, I ran the following command:

apt-cache search apt

When I ran this command, I got a list of 384 packages. That's too much! As
you search through this list, you might realize that it includes unrelated
packages, such as raptor-utils, because the "apt" string is in its name
or description. So you should use a more discriminating search. Without
getting too fancy, I find available apt-related packages with the
following two commands, where I've added a space before and after the
search term (in quotes):

apt-cache search "apt "

apt-cache search " apt"

Because apt-cache is part of the apt package, this of course assumes that
you have previously installed apt on your Linux system. These searches
reveal a substantial number of packages related to apt. (When you install
these packages, the apt system also installs dependencies.) Some of these
packages may be redundant, because they provide different ways of doing
the same thing. You don't need to install every apt-related package. I've
described some of the apt packages I consider important in Table 4-1.

Table 4-1. Some Important apt-related Packages

Package          Description
apt              Installs the basic Advanced Package Tool system
apt-build        Adds a front-end to build and install packages
apt-cacher       Creates a caching system for Debian packages
apt-file         Supports searches within uninstalled packages
apt-howto        Includes a guide to the apt system
apt-listbugs     Incorporates a tool to list critical bugs
apt-src          Configures a source package management tool
apt-utils        Adds important apt commands
apt-watch        Includes an update monitor similar to the Red Hat
                 Network/SUSE watcher applets
apt-zip          Configures apt updates for non-networked computers
aptconf          Provides a front-end for configuring sources.list
aptitude         Adds a terminal-based front-end for apt
cron-apt         Automates apt updates
mini-dinstall    Includes a daemon for updating local repositories
netselect-apt    Helps select the fastest available mirror
synaptic         Provides a GUI package manager interface

Note: The list shown in Table 4-1 is far from complete. It omits packages that
are installed as dependencies to those listed here. It also leaves out
other packages with tools that you may prefer. This list and chapter
encompass just one formula for patch management.

Installing apt on a RPM-Based Distribution

There are a number of RPM-based distributions that can or do use apt as
the primary patch management tool. We'll discuss this in more detail in
Chapter 5, "Configuring apt for RPM Distributions".

Configuring apt on Your Computer

As discussed in Chapter 1, the key to apt as a patch management tool is
the repositories that you select and include in your apt configuration
file, /etc/apt/sources.list. In that chapter, you used the Debian mirror
list at to add appropriate sites for your
computer and physical location.

Before you configure /etc/apt/sources.list, you should know the different
repository categories for your distribution. Debian and other related
distributions (e.g. Knoppix, Ubuntu) use different names. You can use
the netselect tool to help find the repository mirror best suited to
your location.

Basic Repository Categories

There are repositories associated with the three current Debian
distributions. All three are in use, so you may need to create
repositories for each. The three current Debian distributions are
listed here:

  • Sarge (Debian 3.1)--The current "stable" release. The associated software
    was released as "stable" in mid-2005. The previous stable distribution
    was known as Debian Woody (3.0).
  • Etch (Debian 3.2)--The current beta release. As of this writing, because it
    was just taken from the unstable release tree, its components may or may
    not be stable. Etch packages are stored in the Debian testing
  • Sid--The developmental release of Debian, with many packages that may
    not be ready for production use. Sid packages are stored in the Debian
    unstable repository. Sid was the code name for the developmental release
    of Debian even before Sarge was released.

Note: While the previous stable version of Debian, known as Woody, is still
commonly used, the version before that, known as Potato, is pretty
much obsolete. Many mirrors no longer include Potato packages in their

As of this writing, I use Debian Sarge on my primary laptop computer. I
used it even while it was "unstable" and have never had a major problem
with associated packages. There are three subcategories associated with
each repository, as described in Table 4-2.

Table 4-2. Debian Repository Subcategories

sources.list subcategory   Description
main                       Packages released under open source licenses, such
                           as the GPL, are collected in this category
contrib                    Packages that are released under open source
                           licenses and that depend on non-free software are
                           stored here
non-free                   Any package that is not released under a qualifying
                           open source license is collected here
non-US                     There are a few packages developed in the USA which
                           have limited distribution due to US government
                           export restrictions; if you have a repository
                           outside the USA, you should connect to a non-US
                           repository
main/debian-installer      Includes packages associated with installing Debian
                           over a

Some sources.list options are distribution-specific. For example, Ubuntu
Linux includes universe and multiverse repositories
that correspond loosely to the Debian unstable and contrib / non-free
repositories. Because the actual contents of these repositories vary,
they are far from exact mirrors.

While many Linux users in principle prefer to use free software packages,
this may not always be possible on your network. A lot of important
Linux compatible software is released under fairly restrictive licenses,
such as some versions of Java and RealPlayer.

Repository Selection Tools

There are two basic reasons to select a repository. One is for updates,
while the other is for mirroring onto your network. If you're looking for
update servers for your /etc/apt/sources.list file, it's in your interest
to select more than one repository. If one goes down, you can still get
the updates you need. On the other hand, if you're looking for a mirror,
you may want to find one that supports rsync access. Some searching and
trial and error may be required.

Depending on your situation, you can use the netselect or netselect-apt
commands to find the repository or repositories best suited to your
needs. If you know that there are only a small number of suitable
repositories, try netselect. For example, if you're in the middle of the
U.S. Silicon Valley, you might have noticed that the Debian repositories
at the University of California at Berkeley
and the University of California at Santa Cruz
are fairly close. Assuming the bandwidth and demand on both servers is
approximately the same (it is up to you to check), you can find the one
best suited for your system with the following command:

netselect -vv

With the -vv switch, you can get measurable results that can help you
make a judgment. One possible result is shown here:

34 ms 13 hops 100% ok (10/10) [ 87]

38 ms 14 hops 100% ok (10/10) [ 82]

This output lists results in the following order: URL, transmission time,
number of hops, percentage and number of successfully transmitted packets,
and an overall score based on the transmission time and number of hops. In
this case, the scores are close; the results may vary slightly if you
repeat this command.

Unfortunately, you can't rely on these tools alone. While distance from
a mirror is important, capacity is also an issue. For example, it may be
better to connect to a more distant mirror if it has a higher-capacity
Internet connection. It may be better to connect to a mirror associated
with wealthier sponsors--multi-gigabyte downloads from many thousands
of users can be rather expensive. For that reason, Debian strongly
discourages downloads direct from the repositories that it owns.

sources.list Results

Based on the information so far in this section, you can now customize
your /etc/apt/sources.list file with the mirrors best suited for your
Debian system. In Chapter 1, you read about adding the following mirrors
to this file:

deb stable main

deb-src stable main

As you now know, the stable distribution is associated with Debian
Sarge. The main repository includes only a part of the available packages
for this distribution. If you want all Sarge-associated repositories,
access the contrib and non-free repositories, as follows:

deb stable main contrib non-free

deb-src stable main contrib non-free

I've selected additional repositories for my Debian computer, just in
case the Oregon State repository goes down. But if you're in the Silicon
Valley, you probably do not want to connect to a repository all the way
in Oregon. Based on the mirrors described earlier, you might add the
following lines to your sources.list file:

deb stable main contrib non-free

deb-src stable main contrib non-free

deb stable main contrib non-free

deb-src stable main contrib non-free

We'll show you how to use different commands to download a Debian
repository for your network later in this chapter.

You can point your /etc/apt/sources.list to a repository on your
local network. After you create your own repository using one of the
methods described later in this chapter, you can point clients on your
local network to that repository. For example, based on the current
version of Debian's apache2, Web server files can be stored in the
/var/www/apache2-default/ directory. Therefore, if I have a repository
on my local computer's pub/ subdirectory, I could add
the following line to my sources.list file:

deb testing main contrib non-free

You can even use locally available sources; for example, if the source
is mounted on a shared /var/debian NFS directory, you could use the
following line in your sources.list file:

deb file:/var/debian/ testing main contrib non-free

In either case, be careful. Before configuring a locally cached
repository on your clients, test it. Back up any clients before testing
that repository.
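
One way to test a sources.list before rolling it out to clients, as an added example that is not from the book: the shell function below flags component names that are not in Table 4-2 (such as a mistyped nonfree) and warns when a suite is served by only one deb mirror. It assumes the classic one-line format without bracketed options; the function names and the mirror hostnames in the sample are this example's own placeholders.

```shell
#!/bin/sh
# Added example: audit a classic one-line-format sources.list.
# Usage: audit_sources FILE [COMPONENT_REGEX]
# The default component names are the ones listed in Table 4-2.
audit_sources() {
    awk -v ok="${2:-main|contrib|non-free|non-US|main/debian-installer}" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    $1 != "deb" && $1 != "deb-src" {
        printf "line %d: unknown type %s\n", NR, $1; bad = 1; next
    }
    NF < 4 {
        printf "line %d: need type, URI, suite, component\n", NR; bad = 1; next
    }
    {
        for (i = 4; i <= NF; i++)               # fields 4..NF are components
            if ($i !~ ("^(" ok ")$")) {
                printf "line %d: unknown component %s\n", NR, $i; bad = 1
            }
        # Count distinct binary (deb) mirrors per suite.
        if ($1 == "deb" && !(($3, $2) in seen)) { seen[$3, $2] = 1; mirrors[$3]++ }
    }
    END {
        for (s in mirrors)
            if (mirrors[s] < 2) {
                printf "suite %s: only one deb mirror\n", s; bad = 1
            }
        exit bad + 0
    }' "$1"
}

# Constructed sample; the mirror hostnames are placeholders, not real mirrors.
sample_sources() {
    cat <<'EOF'
# two mirrors for stable, one for testing
deb http://mirror-a.example/debian/ stable main contrib non-free
deb-src http://mirror-a.example/debian/ stable main contrib nonfree
deb http://mirror-b.example/debian/ stable main contrib non-free
deb file:/var/debian/ testing main contrib non-free
EOF
}

# Demo: audit the sample and report whether it passed.
tmp=$(mktemp) && sample_sources > "$tmp"
audit_sources "$tmp" || echo "sources.list needs attention"
rm -f "$tmp"
```

For a distribution with its own component names, pass them as the second argument, for example `audit_sources /etc/apt/sources.list 'main|restricted|universe|multiverse'` on Ubuntu.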

The Basic apt Commands

Before using apt, you should learn more about the basic commands
than you may have read about in Chapter 1. This section is far from
comprehensive. An excellent place to start is the APT HOWTO, available
online from

One key command is aptitude. While I described apt-get in Chapter
1, aptitude is in many ways an enhanced version of this command. If
you're familiar with apt-get, you can use most of the same options with
aptitude. What you use or prefer depends on you.

apt-get and aptitude

Not all Debian-style distributions include aptitude. But for all commands
in this section, you can substitute aptitude for apt-get. In fact,
you may want to try both versions to see which you prefer.

As described in Chapter 1, the basic command that you can use to install
the package of your choice is

apt-get install packagename

But what you get might not be up to date. To keep your databases up to
date, download the Packages.gz file, which includes the latest package
information from each repository. You don't have to download the file
directly. You can update your databases with the help of this file by
using the following command:

apt-get update

Note: Sometimes you may see an error in the output from apt-get update. Don't
panic. Run the command again. Sometimes the updates that you download
the first time fix problems that allow you to complete the update the
second time you run that command.

As a systems administrator, you might want to remove some packages on
occasion. For example, if you don't want users recompiling their kernels,
you could run the following command:

apt-get remove kernel-source

If you want to keep your system up to date, you'll want to become familiar
with the following command (the -u switch doesn't work with aptitude):

apt-get -u dselect-upgrade

This is an important command. The -u switch forces apt-get to tell you
what is planned for the upgrade. The dselect-upgrade option includes
recommended options for packages that are downloaded and installed. This
switch is not available for aptitude; the aptitude upgrade mode works
just as well.

When you download packages with apt, they're downloaded as .deb packages
to the /var/cache/apt/archives directory. As you install and patch your
system, the space used by this directory can build into the gigabytes. You
should keep this directory clean on a periodic basis. If you just want to
purge packages that are now obsolete, you could run the following command:

apt-get autoclean

If you have obsolete packages in your archives, you'll see a series of
messages listing the files that are now deleted, such as

Del acroread 5.10-0.2 [9171kB]

If you're really pressed for space, and do not want a patch management
repository on this computer, you could run the following command:

apt-get clean

Just remember, this command deletes all files in what you could
potentially use as a local patch management repository. (For that reason,
if you create a mirror, you may want to use a different directory.)


If you've downloaded the CDs associated with your distribution, you can
use those as sources for your updates. For example, if you've inserted
a Debian CD, all you need to do is run the apt-cdrom add command. But
that's not too helpful, as there are more than a dozen CDs associated
with Debian Linux.

However, if you've mounted a CD ISO file on a specific directory, such
as /mnt/inst1, you could use that information; the -d allows you to
specify the mount point:

apt-cdrom -d /mnt/inst1 add
