Content

 

Introductory

When updating our packages, it may be APT package manager hold back a few pieces. This is mostly because a particular program sometimes goes through changes that change the package dependency of the base software. In this case, you would need additional new packages, sometimes ones that require the replacement of other packages. It also depends on the type of update, such as whether it is a simpler update or whether a security update requires the removal of other packages that are obsolete or may pose a security risk to the software or to the system as a whole. Thus, in some cases, the normal-mode package update does not perform an update to such software, but APT leaves the matter to the user. In this brief description, we will look at an example of how to update our packages retained in this way.

Just yesterday I upgraded my laptop system when I stumbled upon this unusual thing that APT withheld quite a few packages from the update. Of course, such a case is not uncommon, because it does happen from time to time, but if you have already upgraded such retained packages, you may not have the right solution right away, so you need to look for it. And when it's all at hand, I thought I'd write a few lines about it to see if other people might find this information useful.

 

 

Standard update

In this example, I was withholding Firefox packages. I ran the usual apt-get refreshing commands:

sudo apt-get update
sudo apt-get upgrade

Then the output received the following sentence: "The following packages will be withheld:"

Then I checked it out apt-cache command the package information to see which versions are available on the system:

sudo apt-cache policy firefox-esr

It also shows that the version of Firefox currently installed is 60.8.0, and that it is much more up to date, in this case version 68.4.1 in the Debian security repository.

 

Updating withheld packages

Use the --with-new-pkgs option

The apt-get command is used to update withheld packages --with-new-pkgs switch. To run the update again:

sudo apt-get --with-new-pkgs upgrade

Normally, here you will select previously withheld packages to upgrade, but here's the interesting thing: Some newer packages have been released which were not updated in the previous round, and below we will see that Firefox packages will be withheld again. What's going on here?

A little research, that's it apt-get manual page looking up the description of the --with-new-pkgs switch, I quote:

--with-new-pkgs
    Allow installing new packages when used in conjunction with upgrade. This is useful if
    the update of a installed package requires new dependencies to be installed. Instead
    of holding the package back upgrade will upgrade the package and install the new
    dependencies. Note that upgrade with this option will never remove packages, only
    allow adding new ones. Configuration Item: APT::Get::Upgrade-Allow-New.

It describes here that the command is useful if you also need to install new dependencies when updating a package. The switch does not hold packets, but also installs the necessary new dependencies. He also mentions that an update with this switch never removes any packages, but only installs new ones.

So the current screw lies in the fact that the switch does not remove any packages, so it does not perform this security update either, as (presumably) part of this update is that some obsolete packages would have to be removed. He also loaded 3 packages - which in this case have nothing to do with the packages we want to upgrade - and upgraded 13 others, which the first upgrade command did not.

So the switch made the necessary updates and built newer dependencies as well, but our target program, Firefox, wasn’t updated yet. So how do we update this too? Another option in the apt-get command provides a solution.

 

 

Use apt-get install option

After building the new required dependencies on the system using the previous command, run apt-get install command:

sudo apt-get install firefox-esr

Here should be a list of all packages withheld. In this case, firefox-esr will add all its add-ons for installation as its own dependencies. So here's just one piece here:

Here, the second image shows that 4 removed items are also listed. So the previous --with-new-pkgs switch probably did not perform this security update, as it should have deleted 4 packages as part of it, which the switch does not perform, according to its manual page, so it skipped the task.

Check for updated packages

Finally, check our updated packages:

sudo apt-cache-policy firefox-esr
sudo dpkg -l | grep firefox | head -10

Here, of course, everyone applies the command to packages appropriate to their own situation ...

And here it looks nice to have the latest available version of the Firefox packages from the "debian-security" repository, which contains the Debian security updates. Also, by searching for the first 10 items in the package list, you can see the other additional versions of Firefox.

 

 

Conclusion

In hindsight, this is a very simple operation, but when you first encounter it, you have to go a little further. So I hope it will be useful to others.

So, normally, it is enough to update withheld packages with the -with-new-pkgs option, but if that update involves removing other packages, apt-get install command. Applying them one after the other will make you more confident that you will perform the upgrade. Of course, there are even more drastic methods, such as apt-get dist-upgrade Run (distribution update) function when rebuilding the entire system dependencies and updating every package, but this really only needs to be used in the last resort if the previous methods fail.