
@deoren
Forked from JPvRiel/apt_pinning_priorities.md
Created December 13, 2017 17:36
Apt package pinning and priorities

References:

Overview

Priority values

From man page: man apt_preferences

       P >= 1000
           causes a version to be installed even if this constitutes a downgrade of the
           package

       990 <= P < 1000
           causes a version to be installed even if it does not come from the target
           release, unless the installed version is more recent

       500 <= P < 990
           causes a version to be installed unless there is a version available belonging to
           the target release or the installed version is more recent

       100 <= P < 500
           causes a version to be installed unless there is a version available belonging to
           some other distribution or the installed version is more recent

       0 < P < 100
           causes a version to be installed only if there is no installed version of the
           package

       P < 0
           prevents the version from being installed

       P = 0
           has undefined behaviour, do not use it.

Package source info

Summary

      the Archive: or Suite: line
             Pin: release a=xenial-backports

      the Codename: line
             Pin: release n=xenial

      the Version: line
             Pin: release v=16.04

      the Component: line
             Pin: release c=multiverse

      the Origin: line
             Pin: release o=Ubuntu

      the Label: line
             Pin: release l=Ubuntu

Default target release priority

Some guides might advise setting the target release version. E.g. in /etc/apt/apt.conf.d/01-ubuntu-release

APT::Default-Release "xenial";

This in effect boosts packages with the codename 'xenial' from priority 500 to 990.

However

  • The above seems to operate on the codename n=xenial and overrides/supersedes other rules specified for priorities. Even 3rd party and PPA packages with the codename 'xenial' get set to priority 990.
  • In Ubuntu 16.04, the default priority is 500 for ubuntu repo packages and the target release is left unspecified.

Therefore, the above is not advised if you prefer more advanced, fine-grained priorities based on the archive info.

How to lower the priority of backported packages

Enable using backports in /etc/apt/sources.list

deb http://za.archive.ubuntu.com/ubuntu/ xenial-backports universe multiverse restricted main

By default, xenial-backports would get the same priority as the other archives, e.g. xenial, xenial-updates and xenial-security.

Force a lower priority for backported packages, so that they are not used or upgraded to by default, in /etc/apt/preferences.d/priority-ubuntu

Package: *
Pin: release o=Ubuntu,a=xenial,n=xenial
Pin-Priority: 990

Package: *
Pin: release o=Ubuntu,a=xenial-updates,n=xenial
Pin-Priority: 990

Package: *
Pin: release o=Ubuntu,a=xenial-security,n=xenial
Pin-Priority: 990

Package: *
Pin: release o=Ubuntu,a=xenial-backports,n=xenial
Pin-Priority: 900

How to examine the effect of priorities on package selection policy

Inspect policy

$ apt-cache policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://ppa.launchpad.net/webupd8team/java/ubuntu xenial/main amd64 Packages
     release v=16.04,o=LP-PPA-webupd8team-java,a=xenial,n=xenial,l=Oracle Java (JDK) 7 / 8 / 9 
...
 900 http://za.archive.ubuntu.com/ubuntu xenial-backports/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-backports,n=xenial,l=Ubuntu,c=main,b=amd64
     origin za.archive.ubuntu.com
 500 http://archive.canonical.com/ubuntu xenial/partner amd64 Packages
     release v=16.04,o=Canonical,a=xenial,n=xenial,l=Partner archive,c=partner,b=amd64
     origin archive.canonical.com
 990 http://za.archive.ubuntu.com/ubuntu xenial-security/multiverse i386 Packages
     release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=multiverse,b=i386
     origin za.archive.ubuntu.com

The above policy

  • Favours packages in the main repo (990)
  • Next favours back-ported packages in the main repo (900)
  • Then only allows packages from a PPA or alternate archive at the default priority (500)

The above is safer in that backports and PPA packages must be explicitly installed if they already exist in the official repos.

Inspect policy for a package, e.g.

$ apt-cache show libarchive13 | grep Version
Version: 3.2.1-2~ubuntu16.04.1
Version: 3.1.2-11ubuntu0.16.04.2
Version: 3.1.2-11build1
$ apt-cache policy libarchive13
libarchive13:
  Installed: 3.1.2-11ubuntu0.16.04.2
  Candidate: 3.1.2-11ubuntu0.16.04.2
  Version table:
     3.2.1-2~ubuntu16.04.1 900
        900 http://za.archive.ubuntu.com/ubuntu xenial-backports/main amd64 Packages
 *** 3.1.2-11ubuntu0.16.04.2 990
        990 http://za.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        990 http://za.archive.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.1.2-11build1 990
        990 http://za.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

Explicitly install package with lower priority

Assume a PPA was installed, but the package also exists in the normal Ubuntu repo. For example, the current conky package in 'xenial' has a dual screen bug. The PPA version is newer with the bug fixed.

$ sudo add-apt-repository ppa:vincent-c/conky
$ sudo apt-get update

The PPA version is more recent, but the above priorities will favour the official repo instead of the PPA.

$ apt-cache policy conky-all
conky-all:
  Installed: 1.10.1-3
  Candidate: 1.10.1-3
  Version table:
     1.10.3-1~ppa1~xenial1 500
        500 http://ppa.launchpad.net/vincent-c/conky/ubuntu xenial/main amd64 Packages
 *** 1.10.1-3 990
        990 http://za.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status

Force the higher version

$ sudo apt-get install conky-all=1.10.3-1~ppa1~xenial1

Favour newer versions in PPA

Inspect attributes for the conky PPA repo

$ apt-cache policy | grep -A 2 -E 'ppa.*conky'
 500 http://ppa.launchpad.net/vincent-c/conky/ubuntu xenial/main i386 Packages
     release v=16.04,o=LP-PPA-vincent-c-conky,a=xenial,n=xenial,l=Conky,c=main,b=i386
     origin ppa.launchpad.net
 500 http://ppa.launchpad.net/vincent-c/conky/ubuntu xenial/main amd64 Packages
     release v=16.04,o=LP-PPA-vincent-c-conky,a=xenial,n=xenial,l=Conky,c=main,b=amd64
     origin ppa.launchpad.net

To make this policy exception effective without needing to force the version, edit /etc/apt/preferences.d/priority-conky

Package: *
Pin: release o=LP-PPA-vincent-c-conky,a=xenial,n=xenial,l=Conky
Pin-Priority: 990

Take caution, as any extra dependency packages in that repo will overwrite supported packages in the official repo if they have a newer version.
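The policy listing and the warning above show why a source other than o=Ubuntu pinned at 990 or higher deserves a second look: it can replace supported packages (and their dependencies) with its own. The following script is an added example, not part of the original gist: it reads the "Package files:" section of `apt-cache policy` output and lists every third-party source pinned at or above a threshold (default 990, the page's own value). The sample output is constructed for the example; the 1001-priority source at example.invalid is fictitious and included only to show the downgrade-capable case.

```sh
#!/bin/sh
# Added example (not from the gist): audit the "Package files:" section of
# `apt-cache policy` for non-Ubuntu sources whose pin priority lets them
# override official packages. Real use: apt-cache policy | audit_policy

# Constructed sample output modelled on the listing in the gist.
SAMPLE_POLICY='Package files:
 100 /var/lib/dpkg/status
     release a=now
 990 http://ppa.launchpad.net/vincent-c/conky/ubuntu xenial/main amd64 Packages
     release v=16.04,o=LP-PPA-vincent-c-conky,a=xenial,n=xenial,l=Conky,c=main,b=amd64
     origin ppa.launchpad.net
 900 http://za.archive.ubuntu.com/ubuntu xenial-backports/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-backports,n=xenial,l=Ubuntu,c=main,b=amd64
     origin za.archive.ubuntu.com
 990 http://za.archive.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=main,b=amd64
     origin za.archive.ubuntu.com
 1001 http://example.invalid/ubuntu xenial/main amd64 Packages
     release v=16.04,o=Example,a=xenial,n=xenial,l=Example,c=main,b=amd64
     origin example.invalid'

# audit_policy [threshold]
# Reads apt-cache policy output on stdin and prints "<priority> <origin> <url>"
# for every source whose Origin (o=) is not Ubuntu and whose priority is at
# or above the threshold (default 990). The local dpkg status file is skipped.
audit_policy() {
    threshold="${1:-990}"
    awk -v min="$threshold" '
        # Entry header: pin priority followed by the source URL
        /^ *[0-9]+ [^ ]+/ { prio = $1; url = $2; next }
        # The release line carries the comma-separated a=,n=,o=,l= fields
        /^ *release / {
            origin = ""
            n = split(substr($0, index($0, "release ") + 8), f, ",")
            for (i = 1; i <= n; i++) if (f[i] ~ /^o=/) origin = substr(f[i], 3)
            if (prio + 0 >= min && origin != "Ubuntu" && url != "/var/lib/dpkg/status")
                printf "%s %s %s\n", prio, origin, url
        }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_POLICY" | audit_policy
```

On the sample this reports the conky PPA at 990 and the fictitious source at 1001; the official xenial-security and xenial-backports entries are left out because their origin is Ubuntu.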

Risky method for getting newer packages from next development release

One can include the next/newer development release's packages, but there are risks:

  • It might have dependencies on core libs with regressions that will break the current release.
  • Software isn't supported or fully tested - unstable.
  • Using a PPA for that specific package is probably a safer bet!

Add extra/alternate binary packages to /etc/apt/sources.list.d/ubuntu-yakkety.list

deb http://za.archive.ubuntu.com/ubuntu/ yakkety main restricted universe multiverse
deb http://za.archive.ubuntu.com/ubuntu/ yakkety-updates main restricted universe multiverse
deb http://za.archive.ubuntu.com/ubuntu/ yakkety-security main restricted universe multiverse

Set a low priority (so that a package is only installed if it doesn't exist for the normal release) in /etc/apt/preferences.d/priority-ubuntu

Package: *
Pin: release o=Ubuntu,n=yakkety
Pin-Priority: 400

N.B.! When searching for packages via apt-cache or using apt-get install, be very cautious about accidentally pulling in newer core libraries. Even if pinned at a lower priority than the current release, if the package isn't in the current release's repo, then apt-cache and apt-get install will point to the only available package (and its dependencies) in the unstable development release!

A safer alternative method is building from source packages in the development release

For the newer Ubuntu release, avoid using binary packages, given that they might unintentionally force upgrades to new versions of core libraries such as libc6. The alternative is to use source packages. A drawback, however, is that a lot of source build dependencies might get pulled in!

Add extra/alternate source packages to /etc/apt/sources.list.d

deb-src http://za.archive.ubuntu.com/ubuntu yakkety main restricted universe multiverse
deb-src http://za.archive.ubuntu.com/ubuntu yakkety-updates main restricted universe multiverse
deb-src http://za.archive.ubuntu.com/ubuntu yakkety-security main restricted universe multiverse

Update repo lists, get build dependencies, and install from source

sudo apt-get update
sudo apt-get build-dep conky
sudo apt-get -b source -t yakkety conky
deoren commented Jan 23, 2018

As of the time this Gist entry was created, GitHub does not support notifications for comments for mentions to Gist entries (see isaacs/github#21 for details). Please contact me via Twitter or file an issue in the deoren/leave-feedback repo (created for that very purpose) if you wish to receive a response for your feedback. Thank you in advance!
