How to update our held-back packages using the APT package manager

Published by botond on 2020. 01. 31. (Friday), 20:22



When updating our packages, the APT package manager may hold back a few of them. This usually happens because a program has changed in a way that alters its package dependencies. In such cases, additional packages are needed, and sometimes other packages have to be replaced or removed. It also depends on the type of update: it may be a simple update, or a security update that requires removing other packages that are out of date or may pose a security risk to the software or to the system as a whole. In these cases a normal package upgrade does not update such software, and APT leaves the matter to the user. In this brief description, we will look at an example of how to update packages that have been held back in this way.

Just yesterday I was upgrading my laptop system when I stumbled upon this unusual thing: APT withheld quite a few packages from the update. Of course, such a case is not uncommon, because it does happen from time to time, but if you have already upgraded such retained packages, you may not have the right solution right away, so you need to look for it. And now that it's all at hand, I thought I'd write a few lines about it, in case other people might find this information useful.

Standard update

In this example, the Firefox packages were the ones being withheld. I ran the usual apt-get upgrade commands:

sudo apt-get update
sudo apt-get upgrade

Then the output contained the following line: "The following packages will be withheld:" (with an English locale, apt-get prints this as "The following packages have been kept back:").

[Screenshot: apt-get upgrade - packages withheld]

Then I checked the package information to see what versions are available on the system:

sudo apt-cache policy firefox-esr

[Screenshot: querying package information with apt-cache policy]

The output shows that the currently installed version of Firefox is 60.8.0, and that a much more up-to-date one, in this case version 68.4.1, is available in the Debian security repository.

Updating withheld packages

Use the --with-new-pkgs option

The --with-new-pkgs switch of the apt-get command is used to update withheld packages. So run the upgrade again with it:

sudo apt-get --with-new-pkgs upgrade

[Screenshot: apt-get - updating withheld packages]

Normally, this would select the previously withheld packages for upgrade, but here's the interesting thing: some further packages turned up that were not updated in the previous round, and yet below we can see that the Firefox packages are withheld again. What's going on here?

After a little research, that is, looking up the description of the --with-new-pkgs option in the apt-get manual page, I quote:

    Allow installing new packages when used in conjunction with upgrade. This is useful if
    the update of a installed package requires new dependencies to be installed. Instead
    of holding the package back upgrade will upgrade the package and install the new
    dependencies. Note that upgrade with this option will never remove packages, only
    allow adding new ones. Configuration Item: APT::Get::Upgrade-Allow-New.

So this option is useful when new dependencies have to be installed to update a package. With this switch, apt-get does not hold such packages back, but upgrades them and installs the necessary new dependencies as well. The manual also mentions that an upgrade with this switch will never remove any packages, only install new ones.

So the twist here is that the switch does not remove any packages, and therefore it does not perform this security update, since (presumably) part of this update is to remove some obsolete packages. In addition, it added 3 packages, which in this case had nothing to do with the packages we wanted to upgrade, and added 13 others that the first upgrade command did not.

So the switch made the updates it could and added new dependencies, but our target program, Firefox, was not updated. Then how can we update this too? With another option of the apt-get command.

Use the apt-get install option

After you have built up the necessary dependencies in the system using the previous command, run the apt-get install <package> command:

sudo apt-get install firefox-esr

Here you should list all the withheld packages. In this case, firefox-esr pulls in all its add-on packages for installation as its own dependencies, so a single package name is enough here:

[Screenshot 1: updating withheld packages]

[Screenshot 2: updating withheld packages]

The second image shows that 4 packages are being removed. So the previous run with the --with-new-pkgs switch probably did not perform this security update because it would have had to remove 4 packages, which, according to the manual page, the switch never does, so it skipped the task.
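To see in advance which packages are held back and what apt-get install would remove for them, the simulation mode (-s) can be parsed. The shell functions below are an added example, not part of the original article; the sample output is constructed (the example-* package names are made up), and an English locale is assumed so that the "kept back" header matches.

```shell
#!/bin/sh
# Added example: list held-back packages and preview removals from apt-get's
# simulation output. Sample text below is constructed, not captured output.

# kept_back: reads `LC_ALL=C apt-get -s upgrade` output on stdin and prints
# one held-back package per line. Package lists are indented and may wrap.
kept_back() {
    awk '
        /^The following packages have been kept back:/ { in_list = 1; next }
        in_list && /^[^ ]/ { in_list = 0 }   # next unindented line ends the list
        in_list { for (i = 1; i <= NF; i++) print $i }
    '
}

# would_remove: reads `LC_ALL=C apt-get -s install <pkgs>` output on stdin and
# prints the packages the transaction would remove ("Remv" simulation lines).
would_remove() {
    awk '$1 == "Remv" { print $2 }'
}

# Constructed sample of an upgrade simulation (list wrapped over two lines).
SAMPLE_UPGRADE='Reading package lists... Done
Calculating upgrade... Done
The following packages have been kept back:
  firefox-esr firefox-esr-l10n-hu
  example-pkg
The following packages will be upgraded:
  example-lib
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.'

# Constructed sample of an install simulation for the held-back package.
SAMPLE_INSTALL='Remv example-old-addon-a [1.0]
Remv example-old-addon-b [1.0]
Inst firefox-esr [60.8.0] (68.4.1 Debian-Security [amd64])
Conf firefox-esr (68.4.1 Debian-Security [amd64])'

# On a real system (simulation does not need root):
#   held=$(LC_ALL=C apt-get -s upgrade | kept_back)
#   LC_ALL=C apt-get -s install $held | would_remove
printf 'Held back:\n%s\n' "$(printf '%s\n' "$SAMPLE_UPGRADE" | kept_back)"
printf 'Would be removed:\n%s\n' "$(printf '%s\n' "$SAMPLE_INSTALL" | would_remove)"
```

An empty would_remove result for a package that is still held back after --with-new-pkgs points to a cause other than removals, such as an explicit hold set with apt-mark.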

Check for updated packages

Finally, check our updated packages:

sudo apt-cache policy firefox-esr
sudo dpkg -l | grep firefox | head -10

Here, of course, everyone applies the command to packages appropriate to their own situation ...

[Screenshot: checking the updated packages]

Here we can see that the latest available version of the Firefox packages is now installed, and that it comes from the "debian-security" repository, which contains the Debian security updates. Looking at the first 10 items of the package list, you can also see the versions of the other Firefox packages.


In hindsight, this is a very simple operation, but when you first encounter it, you have to dig a little further. So I hope it will be useful to others.

So, normally, it is enough to update withheld packages with the --with-new-pkgs option, but if the update involves removing other packages, use the apt-get install <list of withheld packages> command. Applying them one after the other makes it more certain that the upgrade will go through. Of course, there are even more drastic methods, such as running apt-get dist-upgrade (distribution upgrade), which rebuilds the dependencies of the entire system and updates every package, but this really only needs to be used as a last resort if the previous methods fail.