Debian 9 – Official Instructions for Applying Kernel Updates

Tags: apt, debian, software-updates

I saw the following on Debian 9 "stretch":

# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-image-marvell
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

An update does not install, despite this command being an official way to update Debian according to the "Securing Debian Manual". (Snapshot at time of reading here).

By contrast, both aptitude and the newer apt command are prepared to install it. That said, this particular version is not a security update. I understand that apt and potentially aptitude have different defaults. I would like to ask how deliberate this behaviour on Debian's part…

The Securing Debian Manual lists aptitude first, when describing how to apply updates. And I know apt has some changed defaults that are supposed to be more user-friendly. Looking carefully at the current Debian Installation Guide, it is pointing new users to apt or aptitude. I think all the example commands now reference apt, not apt-get.

My starting assumption is that security updates to the kernel would not be held back by an update method endorsed by the Debian Security Manual. (Let me know if I assume wrongly :-). But I want to make sure I understand how to update my Debian system.

Questions

  1. If I want to get the defaults that modern Debian is setting up for new users, I'm being recommended to train my fingers to type apt instead of apt-get. Right?
  2. The previous Installation Guide (for Debian 8) references apt-get, as does the documentation for upgrading from Debian 8 to Debian 9. So very broadly, I guess the safest option is not to use apt before the Debian 8 -> Debian 9 transition?
  3. Is there a widely known case or cases that you would like to suggest I watch out for, where the current solution is to use apt-get for some task?
  4. Does Debian have a comment somewhere about the choice to make apt more eager to apply updates, which specifically confirms there is a distinction of security and non-security updates?
  5. On a slightly different angle, is there any information about Debian's choice to arrange a (non-security) kernel update like this, that avoids them being applied with the normal configuration used by apt-get on my system?

Details of this update

# apt-cache policy linux-image-marvell
linux-image-marvell:
  Installed: 4.9+80+deb9u4
  Candidate: 4.9+80+deb9u5
  Version table:
     4.9+80+deb9u5 500
        500 http://ftp.uk.debian.org/debian stretch/main armel Packages
 *** 4.9+80+deb9u4 500
        500 http://security.debian.org stretch/updates/main armel Packages
        100 /var/lib/dpkg/status

Version of "apt-get" used

# apt-cache policy apt
apt:
  Installed: 1.4.8
  Candidate: 1.4.8
...

Different behaviour with different update methods

# aptitude upgrade
Resolving dependencies...
The following NEW packages will be installed:
  linux-image-4.9.0-7-marvell{a}
The following packages will be upgraded:
  linux-image-marvell
1 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/21.9 MB of archives. After unpacking 91.2 MB will be used.
Do you want to continue? [Y/n/?] n
Abort.

# apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  linux-image-4.9.0-7-marvell
The following packages will be upgraded:
  linux-image-marvell
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/21.9 MB of archives.
After this operation, 91.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.

Best Answer

First, I’ll start by explaining the behaviour you’re seeing. By default, apt-get is very conservative and won’t install new packages when running upgrade, only dist-upgrade (this can be changed with the --with-new-pkgs option). apt on the other hand will (it enables the APT::Get::Upgrade-Allow-New option by default), as will aptitude (which has a different resolution algorithm anyway). Since the kernel went through an ABI bump, upgrading it involves installing a new package...

Note too that strictly speaking you’re not getting this kernel update as a security fix, but as part of last weekend’s 9.5 point release. That’s neither here nor there though since the priorities are the same. (You’re aware of this already, I mention this for other readers.) Security updates to the kernel can involve ABI bumps, so this situation can arise with security updates as well as point-release updates; the distinction, as far as the kernel packages in Debian are concerned, is mostly one of opportunity and timing, since all kernel updates are security updates anyway.

Now to answer your questions:

  1. apt is now the recommended APT front-end, yes, at least for interactive use; it’s supposed to have user-friendlier defaults (compared with apt-get). Both tools use the same algorithms and apt-get can be configured to behave like apt; run apt-config dump | grep Binary::apt to see the specific settings apt enables. If you prefer aptitude you can keep on using that too.

  2. In Debian 8, as far as I can tell, apt is exactly equivalent to apt-get, so you can use it too; apt came to the forefront with Debian 9 following work by its developers to make it more useful as a user-facing tool. The Debian FAQ suggests using apt instead of apt-get and apt-cache starting with Debian 8 (Jessie). (I see it gets the description of apt update slightly wrong.)

  3. The current recommendation is to avoid apt in scripts since its interface may change. Apart from that, there shouldn’t be any scenarios where you’d need apt-get rather than apt.

  4. apt doesn’t distinguish between security and non-security updates, unless you configure it to do so.

  5. I’m not sure it’s a conscious decision... The last update to the Securing Debian Manual is quite a bit older than Debian 9. Note that, when using apt-get, the Debian FAQ refers to apt-get dist-upgrade to keep a Debian system up-to-date. The FAQ is also older than Debian 9, but was updated more recently.
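The answer's point about kept-back packages can be turned into a check: simulate apt-get upgrade with and without new packages allowed and report, for each kept-back package, whether the only obstacle was the new package an ABI bump introduces. This is an added example, not code from the question or the answer; the apt-get, awk and grep invocations are standard, and the embedded sample output is constructed from the question's transcript so the parser can be exercised offline.

```shell
#!/bin/sh
# Report which packages `apt-get upgrade` keeps back and whether merely
# allowing new packages (the apt default, APT::Get::Upgrade-Allow-New)
# would let them through. Only simulation mode (-s) is used, so nothing
# on the system is changed.

# Parse apt-get output on stdin; print one package name per line from the
# "The following packages have been kept back:" block (names may be
# wrapped several to a line, so every field of an indented line counts).
kept_back_packages() {
    awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        grab && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        grab { grab = 0 }
    '
}

# Classify one kept-back package: "new-pkgs" if it is no longer kept back
# once new packages are allowed, otherwise "other" (pin, conflict, ...).
classify() {
    pkg=$1; withnew=$2
    if printf '%s\n' "$withnew" | grep -qx "$pkg"; then
        echo "other"
    else
        echo "new-pkgs"
    fi
}

# Live check against the local APT state (simulation only, no root needed).
check_live() {
    plain=$(apt-get -s upgrade 2>/dev/null | kept_back_packages || true)
    withnew=$(apt-get -s --with-new-pkgs upgrade 2>/dev/null | kept_back_packages || true)
    for pkg in $plain; do
        case $(classify "$pkg" "$withnew") in
            new-pkgs) echo "$pkg: kept back only because a NEW package is needed (ABI bump); apt or apt-get --with-new-pkgs would install it" ;;
            other)    echo "$pkg: kept back for another reason; inspect with: apt-cache policy $pkg" ;;
        esac
    done
}

# Constructed sample mirroring the question's apt-get transcript (offline demo).
SAMPLE='Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-image-marvell
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.'

printf '%s\n' "$SAMPLE" | kept_back_packages
if command -v apt-get >/dev/null 2>&1; then check_live; fi
```

Run it after `apt-get update`; a kernel metapackage reported as "new-pkgs" is exactly the situation in the question, and a security update in that state will stay uninstalled as long as plain apt-get upgrade is the only method used.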
