I saw the following on Debian 9 "stretch":
# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
linux-image-marvell
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
An update does not install, despite this command being an official way to update Debian according to the "Securing Debian Manual". (Snapshot at time of reading here).
By contrast, both aptitude and the newer apt command are prepared to install it. That said, this particular version is not a security update. I understand that apt and potentially aptitude have different defaults. I would like to ask how deliberate this behaviour on Debian's part…
The Securing Debian Manual lists aptitude first, when describing how to apply updates. And I know apt has some changed defaults that are supposed to be more user-friendly. Looking carefully at the current Debian Installation Guide, it is pointing new users to apt or aptitude. I think all the example commands now reference apt, not apt-get.
My starting assumption is that security updates to the kernel would not be held back by an update method endorsed by the Debian Security Manual. (Let me know if I assume wrongly :-). But I want to make sure I understand how to update my Debian system.
Questions
- If I want to get the defaults that modern Debian is setting up for new users, I'm being recommended to train my fingers to type apt instead of apt-get. Right?
- The previous Installation Guide (for Debian 8) references apt-get, as does the documentation for upgrading from Debian 8 to Debian 9. So very broadly, I guess the safest option is not to use apt before the Debian 8 -> Debian 9 transition?
- Is there a widely known case or cases that you would like to suggest I watch out for, where the current solution is to use apt-get for some task?
- Does Debian have a comment somewhere about the choice to make apt more eager to apply updates, which specifically confirms there is is distinction of security and non-security updates?
- On a slightly different angle, is there any information about Debian's choice to arrange a (non-security) kernel update like this, that avoids them being applied with the normal configuration used by apt-get on my system?
Details of this update
# apt-cache policy linux-image-marvell
linux-image-marvell:
Installed: 4.9+80+deb9u4
Candidate: 4.9+80+deb9u5
Version table:
4.9+80+deb9u5 500
500 http://ftp.uk.debian.org/debian stretch/main armel Packages
*** 4.9+80+deb9u4 500
500 http://security.debian.org stretch/updates/main armel Packages
100 /var/lib/dpkg/status
Version of "apt-get" used
# apt-cache policy apt
apt:
Installed: 1.4.8
Candidate: 1.4.8
...
Different behaviour with different update methods
# aptitude upgrade
Resolving dependencies...
The following NEW packages will be installed:
linux-image-4.9.0-7-marvell{a}
The following packages will be upgraded:
linux-image-marvell
1 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/21.9 MB of archives. After unpacking 91.2 MB will be used.
Do you want to continue? [Y/n/?] n
Abort.
# apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
linux-image-4.9.0-7-marvell
The following packages will be upgraded:
linux-image-marvell
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/21.9 MB of archives.
After this operation, 91.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.
Best Answer
First, I’ll start by explaining the behaviour you’re seeing. By default, apt-get is very conservative and won’t install new packages when running upgrade, only dist-upgrade (this can be changed with the --with-new-pkgs option). apt on the other hand will (it enables the APT::Get::Upgrade-Allow-New option by default), as will aptitude (which has a different resolution algorithm anyway). Since the kernel went through an ABI bump, upgrading it involves installing a new package...
Note too that strictly speaking you’re not getting this kernel update as a security fix, but as part of last weekend’s 9.5 point release. That’s neither here nor there though since the priorities are the same. (You’re aware of this already, I mention this for other readers.) Security updates to the kernel can involve ABI bumps, so this situation can arise with security updates as well as point-release updates; the distinction, as far as the kernel packages in Debian are concerned, is mostly one of opportunity and timing, since all kernel updates are security updates anyway.
Now to answer your questions:
- apt is now the recommended APT front-end, yes, at least for interactive use; it’s supposed to have user-friendlier defaults (compared with apt-get). Both tools use the same algorithms and apt-get can be configured to behave like apt; run apt-config dump | grep Binary::apt to see the specific settings apt enables. If you prefer aptitude you can keep on using that too.
- In Debian 8, as far as I can tell, apt is exactly equivalent to apt-get, so you can use it too; apt came to the forefront with Debian 9 following work by its developers to make it more useful as a user-facing tool. The Debian FAQ suggests using apt instead of apt-get and apt-cache starting with Debian 8 (Jessie). (I see it gets the description of apt update slightly wrong.)
- The current recommendation is to avoid apt in scripts since its interface may change. Apart from that, there shouldn’t be any scenarios where you’d need apt-get rather than apt.
- apt doesn’t distinguish between security and non-security updates, unless you configure it to do so.
- I’m not sure it’s a conscious decision... The last update to the Securing Debian Manual is quite a bit older than Debian 9. Note that, when using apt-get, the Debian FAQ refers to apt-get dist-upgrade to keep a Debian system up-to-date. The FAQ is also older than Debian 9, but was updated more recently.
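
The following is an added example, not part of the original question or answer: a shell check for update scripts that still call apt-get upgrade, which fails when packages are kept back so that a kernel update needing a new package is not silently skipped. The function names and the sample transcript (the question's output with apt-get's list indentation restored) are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect packages that "apt-get upgrade" keeps back.

# kept_back: read apt-get output on stdin, print one kept-back package per line.
# apt-get prints the list indented under the header line; the list ends at the
# first non-indented line. Run apt-get with LC_ALL=C so the header is in English.
kept_back() {
    awk '
        /^The following packages have been kept back:/ { in_list = 1; next }
        in_list && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        { in_list = 0 }
    '
}

# check_kept_back: return 1 (and report on stderr) if anything is kept back.
check_kept_back() {
    held=$(kept_back)
    if [ -n "$held" ]; then
        # $held is intentionally unquoted: printf repeats the format per package.
        printf 'kept back, not upgraded: %s\n' $held >&2
        return 1
    fi
    return 0
}

# Constructed sample input, based on the transcript in the question.
sample_output() {
    cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-image-marvell
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
EOF
}

# On a live system (-s simulates, nothing is installed):
#   LC_ALL=C apt-get -s upgrade | check_kept_back
# The same simulation with the behaviour apt enables by default:
#   LC_ALL=C apt-get -s upgrade --with-new-pkgs | check_kept_back
#   LC_ALL=C apt-get -s -o APT::Get::Upgrade-Allow-New=true upgrade | check_kept_back
```

A non-zero exit from check_kept_back is the signal to rerun with --with-new-pkgs or dist-upgrade, as the answer describes.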