APT-GET – How APT-GET Really Works

aptaptitudedebianpackage-managementrepository

Okay, I understand how I may use apt-get {install|upgrade|remove} mypackages to install, upgrade, or remove binaries as well as their configuration data files and dependencies (actually, remove will only remove the binaries unless additional flags are provided).

I am not looking for how it is used as the man describes this, but high level what it is doing. My end goal is to create a means for me to install and manage some custom software (created by a make file) on multiple remote machines, and I need to learn more about the process. If answers to this question are based on which distribution is used, please tailor to Debian.

In addition to generally how it works, I have the following specific questions:

How does the client that is accessing the apt repository keep track of the files?
Must the repository be hosted on the same operating system (i.e. can apt repository be hosted on redhat)?
How are the locations to install files specified? Is this specified by the .deb file?
How is a remote machine accessing the repository? Is it just ftp(s) or http(s)?
Is the machine that is hosting the repository running special software (like gitlab for a git repository), or is it just some structured file system?

Best Answer

You need to take a look at https://wiki.debian.org/Packaging — the packaging tutorial there will help you a lot, as well as parts of the new maintainer's guide.

As to your questions, in order:

The repository contains "list" files. E.g.., http://http.us.debian.org/debian/dists/stretch/main/binary-amd64/Packages.xz. apt-get update downloads these list files, and stores them in /var/lib/apt/lists. The list files list all the packages including a bunch of metadata and a relative URL to find the .deb at. (They're human-readable plain-text files, so you can just look at it).
OS doesn't matter. You could host it on Windows, if you wanted. (Well, you'd maybe have trouble with file names Windows doesn't like.) (See also #4 and #5).
Yes, it's inside the deb file. A deb file is actually an archive (using ar). Inside are some tar files; one of them is (essentially) extracted to /.
It's just HTTP (or HTTPS, or FTP, or... apt-get supports a lot of protocols). Nothing special, though. Note that there are Release files, signed with gpg, which guarantee integrity even w/o HTTPS. Debian mirrors mostly use HTTP, not HTTPs. (A few support HTTPS as well for confidentiality).
It's just a structured filesystem.

A quick, high-level overview of how apt-get interacts with a package source:

You configure which sources to look at in your sources.list file. Consider a line like:
```
deb http://http.us.debian.org/debian/ stretch main
```
deb says this is a source for gettings .deb (binary) files; then there is the URL-prefix, suite/release ("stretch"), and component ("main").
apt-get has a list of architectures, it gets that from dpkg. Let's say dpkg --print-architecture is amd64. apt-get can now build the URLs its actually going to download from, by combining the URL-prefix, the word "dists", the suite, the component, and the architecture. Then it tacks on a few fixed filenames, like "Packages.xz". That gives the URL above (in #1). There are a few more files with defined names/paths, like the Release file http://http.us.debian.org/debian/dists/stretch/Release and its signature (same, with .gpg appended). These are all (possibly-compressed) plain-text files. The release file contains checksums for other files apt-get is going to download, like Packages.xz.
The Packages.xz file lists all the packages in that suite/codename/architecture. It also gives the path where that file is located; for example pool/main/0/0ad/0ad_0.0.21-2_amd64.deb.
When you ask apt-get to download a package, it uses that location + the base URL to download the package, so that package is at http://http.us.debian.org/debian/pool/main/0/0ad/0ad_0.0.21-2_amd64.deb
The other interesting directory is source instead of binary-amd64. That's used for your deb-src entries; it contains info about source packages (and is otherwise fairly similar).
There are some other things (all of them optional, I believe) that can be part of the repository (i.e., available via HTTP): diffs between different versions of the Packages.xz file; translations of package descriptions, a complete list of every installable file and which package it belongs to (Contents-amd64.gz, used by e.g., apt-file, not by apt-get) etc. These likely aren't relevant to you, but you can see them all by browsing around http://http.us.debian.org/debian/dists/stretch/; most of them are plain-text files.

All these files are plain text. They can, in theory, be created by hand. In practice, everyone uses one of these repository generation tools. Here—and I caution this was a choice made a long time ago, so may be outdated—we use mini-dinstall. The output of those tools are ordinary files or, at worst, symlinks. You can rsync them over to whatever web server you want.

Related Solutions

Ubuntu – Is it safe to manually perform ‘apt-get update’ ‘s operation

This sounds like it may work, but personally, I'd just use apt-offline.

From the manpage:

apt-offline brings offline package management functionality to Debian based system. It can be used to download packages and its dependencies to be installed later on (or required to update) a disconnected machine. Packages can be downloaded from a different connected machine.

Excerpt from Debian Administration:

Using apt-offline:

You generate a signature on your Debian box at home and carry the signature file on a removable medium
Now you take the USB Stick (with the apt-offline.txt signature file) to the office machine which could be running any linux version or even Windows.
There, you could run apt-offline giving it the signature file.
apt-offline would generate you an archive file or a folder with all the data. That data can be copied on a removable media. The removable media can be attached back to the disconnected Debian box at home and installed. (e.g. "apt-offline install /tmp/apt-offline.zip")

Debian Linux – Fix `apt update` Failed Issues

First of all, despite the last line start with E: (which indicates an error), apt didn't fail entirely; it's downloaded most of the updated package lists, it only skipped those for Opera and the Google Talk plugin. So apt upgrade should still offer to upgrade all the other packages.

The warnings give you some indication of what went wrong:

W: gpgv:/var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: gpgv:/var/lib/apt/lists/deb.opera.com_opera_dists_stable_InRelease: The repository is insufficiently signed by key 419D0ACF314E8E993F7F92E563F7D4AFF6D61D45 (weak digest)
W: Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release, which is considered strong enough for security purposes

The first two mean that the repository descriptors were signed with an old digest algorithm, which apt now complains about. The third is caused by apt's recent switch to SHA-256 or SHA-512 hashes only; the Talk plugin repository only provides MD5 and SHA-1 hashes, which are now ignored by apt.

To fix this, you can either remove the repositories for the time being, or wait for Opera and Google to fix them...

Best Answer

Related Solutions

Ubuntu – Is it safe to manually perform ‘apt-get update’ ‘s operation

Debian Linux – Fix `apt update` Failed Issues

Related Question