Ultraconservative installs and upgrades: pinning

Pouletic · 2015-10-29 00:11:52

I found a few useful threads on this topic in the #! forum back when i set up that distro so i thought i'd share some tips about apt preferences here. Note i'm not an expert and there may be some inaccuracies, but this isn't complicated stuff and is about the safest way to install packages from sources not in the main repos... This is for those who want to be very cautious about using only the most stable packages and minimize the risk of b0rking their system, while still needing more recent or less common apps.

Even while being cautious, sometimes you want to add new sources ("repositories") to your /etc/apt/sources.list so you can install programs or versions of programs not available in the default repositories. The safest way to do that is to not make those repositories the default.

For example, let's say you want to install avidemux to edit the videos from your cell phone. You can get it from the deb-multimedia repository (and there's even an option in the bl-welcome script that will add the repository and the keyring to your system), but if you add that repo and then do an apt-get upgrade, you will see that a lot of multimedia-related packages will be updated from the "stable" debian versions to the versions provided by the maintainer of deb-multimedia.

If you want to avoid that, one way you can go about it is with pinning (apt_preferences). Note: see comments below; this may become default behavior in bl.

Pinning is a way of telling apt that you want to prioritize certain repositories over others. In this case, we want to tell it to not use the packages in deb-multimedia unless we specifically request them.

To do that, edit or create a file in /etc/apt/preferences.d/:

sudo nano /etc/apt/preferences.d/preferences

Now create the pinning and save the file:

Package: *
Pin: origin "www.deb-multimedia.org"
Pin-Priority: 100

Press ctrl-x to exit and confirm you want to save.

This tells apt that any packages from origin www.deb-multimedia.org should be prioritized low (100).

You can read what the different priority levels mean in the man page

man apt_preferences

:

       100 <= P < 500
           causes a version to be installed unless there is a version
           available belonging to some other distribution or the installed
           version is more recent

Now you can safely do apt-get upgrades without apt grabbing anything from the deb-multimedia repository.

But we still need to install our avidemux!

In this case, we need to tell apt that it's okay to pull in any dependencies from the low-priority repository, and update anything that needs updating for the installation to work:

sudo apt-get -t jessie install avidemux

And that's all there is to it!

Another useful repository that you might want to add to your sources.list but not pull from indiscriminately is the backports repo:

deb http://httpredir.debian.org/debian/ jessie-backports main

These are versions of packages that are adapted from the "testing" repository to work with the stable release. If you use wine, sometimes the newest version is necessary for some program to work, and this is one way to get more "bleeding edge" versions.

Fortunately, the default behavior of apt is to treat backports as if it had a pin priority of 100 (see helpful reply post below), so we don't have to explicitly do anything in preferences, but it's worth noting.

As a final note, you can always check to see what newer versions of packages are available with

apt-cache policy <package-name>

. This way, you can see what is available in your low-pinned repos and decide if it's worth pulling it in.

PS Here's the old text about pinning backports which i have left here just to show another way of specifying a release to pin and the meaning of another pin priority range.

So let's say we don't want to use any of these packages in backports unless we tell apt to do so. We can pin at a priority less than 0:

Package: *
Pin: release a=backports
Pin-Priority: -10

A priority of -10

       P < 0
           prevents the version from being installed

So nothing will be pulled in from backports without our specific permission and intent. You will have to use a command similar to the one above to install a package from backports.

Last edited by Pouletic (2015-10-29 11:46:22)

hhh · 2015-10-29 00:32:52

I appreciate the work you put into this post, Pouletic, especially the part about pinning deb-multimedia.

Just making sure this is correct, you pin deb-multimedia low but targeting jessie (-t jessie) overrides that?

I personally never pin repos, it causes problems. Ask anyone who tried to upgrade CrunchBang to jessie without making some adjustments first. I'd rather cherry-pick packages from testing, sid, Ubuntu, Launchpad and other Debian-ish sources and build them against jessie as I've described here...
https://forums.bunsenlabs.org/viewtopic.php?id=58

If I were to build a package from source, I wouldn't just run sudo make install. I'd "Debianize" it first and install it with apt...
https://wiki.debian.org/IntroDebianPackaging
https://wiki.debian.org/HowToPackageForDebian

johnraff · 2015-10-29 01:58:25

@Pouletic thanks for bringing this up.
I've raised the topic of changing the way bl-welcome handles deb-multimedia here: https://forums.bunsenlabs.org/viewtopic.php?id=429

Head_on_a_Stick · 2015-10-29 08:29:24

Pouletic wrote:

Another useful repository that you might want to add to your sources.list but not pull from indiscriminately is the backports repo:
deb http://httpredir.debian.org/debian/ jessie-backports main
These are versions of packages that are adapted from the "testing" repository to work with the stable release. If you use wine, sometimes the newest version is necessary for some program to work, and this is one way to get more "bleeding edge" versions. So let's say we don't want to use any of these packages in backports unless we tell apt to do so. We can pin at a priority less than 0:
Package: *
Pin: release a=backports
Pin-Priority: -10
A priority of -10
       P < 0
           prevents the version from being installed
So nothing will be pulled in from backports without our specific permission and intent. You will have to use a command similar to the one above to install a package from backports.

This step is unnessesary and will prevent any packages installed from the backports repository from being upgraded.

Backports have a default APT pin value of 100.

From apt_preferences(5):

priority 100
to the version that is already installed (if any) and to the
versions coming from archives which in their Release files are
marked as "NotAutomatic: yes" and "ButAutomaticUpgrades: yes" like
the Debian backports archive since squeeze-backports.

The desired behaiviour (ie, install only specifically targetted packages from backports and keep them upgraded) is the default setting.

Pouletic · 2015-10-29 11:32:43

hhh wrote:

I appreciate the work you put into this post, Pouletic, especially the part about pinning deb-multimedia.
Just making sure this is correct, you pin deb-multimedia low but targeting jessie (-t jessie) overrides that?

Thanks for helpful replies.

That command worked for me yesterday but i always have to look up the command on the infrequent occasion i've installed debs from pinned repos -- one reason i wrote this post -- so i'm not entirely sure about the details.

I personally never pin repos, it causes problems. Ask anyone who tried to upgrade CrunchBang to jessie without making some adjustments first. I'd rather cherry-pick packages from testing, sid, Ubuntu, Launchpad and other Debian-ish sources and build them against jessie as I've described here...
https://forums.bunsenlabs.org/viewtopic.php?id=58
If I were to build a package from source, I wouldn't just run sudo make install. I'd "Debianize" it first and install it with apt...
https://wiki.debian.org/IntroDebianPackaging
https://wiki.debian.org/HowToPackageForDebian

I've run into dependency hell a few times doing single builds but i agree that in many cases that's the better way. I think it might be more daunting, though.

@Head_on_a_Stick: thanks, i didn't know that about backports. It's good default behavior.

@johnraff: The deb-multimedia case is the one i really was concerned about, so with that going into the setup script this thread is much less important. The audio in linux has been traditionally fragile enough without putting a big stick into a working install and stirring.

apprentice · 2015-10-29 13:43:33

thanks Pouletic

so if i've got this correct
this

Package: *
Pin: origin "www.deb-multimedia.org"
Pin-Priority: 100

Package: *
Pin: origin "www.packages.siduction.org"
Pin-Priority: 100

would allow me to not have anything else but nomacs come from my sources.list.d

#nomacs
deb http://packages.siduction.org/lxqt jessie-backports main
deb-src http://packages.siduction.org/lxqt jessie-backports main

and whatever bunsen pulls from deb-multi?

and while were here
a little o/t maybe
but why do i have a sources.list.d
why cant i have all my sources in one sources.list

cheers

damo · 2015-10-29 14:37:25

apprentice wrote:

....
and while were here
a little o/t maybe
but why do i have a sources.list.d
why cant i have all my sources in one sources.list
cheers

You could go to the fount of all Debian info ie Debian Handbook

Debian wrote:

TIP /etc/apt/sources.list.d/*.list files
If many package sources are referenced, it can be useful to split them in multiple files. Each part is then stored in /etc/apt/sources.list.d/filename.list

apprentice · 2015-10-29 14:55:45

thanks damo

i've read that and elsewhere

Debian wrote:

TIP /etc/apt/sources.list.d/*.list files
it can be useful to split them in multiple files

useful
its then a matter of preference?

if i put everything in sources.list(like i prefer), it wont affect or be effected by something else negatively?

cheers

hhh · 2015-10-29 14:58:29

^Preference, yes, negative, no. Copy the sources to sources.list and backup or delete the files in sources.list.d (or even the whole folder).

I keep mine in sources.list as well, I like to see them all at once.

apprentice · 2015-10-29 15:03:08

thanks

hhh wrote:

^Preference, yes, negative, no. Copy the sources to sources.list and backup or delete the files in sources.list.d (or even the whole folder).

done

johnraff · 2015-10-30 04:59:29

Pouletic wrote:

The audio in linux has been traditionally fragile enough without putting a big stick into a working install and stirring.

Ah how true, how true.

Pouletic · 2015-11-01 04:14:16

apprentice wrote:

so if i've got this correct
this
Package: *
Pin: origin "www.deb-multimedia.org"
Pin-Priority: 100

Package: *
Pin: origin "www.packages.siduction.org"
Pin-Priority: 100
would allow me to not have anything else but nomacs come from my sources.list.d
#nomacs
deb http://packages.siduction.org/lxqt jessie-backports main
deb-src http://packages.siduction.org/lxqt jessie-backports main
and whatever bunsen pulls from deb-multi?

Well that's the idea. Even with pinning i always check the list for changes with apt-get install and make sure nothing weird is happening.

If you never ever want anything (including updates) to be pulled from a repo with explicitly requesting, you use negative priority. 100 is probably fine for anything from the same release. I think i used -5 for an ubuntu PPA (so not fully debian) or something.

Last edited by Pouletic (2015-11-01 04:15:12)

Head_on_a_Stick · 2015-11-01 11:40:58

Pouletic wrote:

If you never ever want anything (including updates) to be pulled from a repo with explicitly requesting, you use negative priority.

A negative pin value will prevent any updates.

Using a pin value of "1" will ensure that only explicitly targeted packages are installed but will also prevent updates (just like the experimental repository).

To keep the "foreign" packages updated, use a stanza in /etc/apt/preferences, like this:

Package: $PACKAGE
Pin: release a=<name of repository>
Pin-Priority=700

Replace "$PACKAGE" with the name of the package and replace "<name of repository>" with the name of the repository (if the nickname is used, prefix with "n=" rather than "a=").

I would urge all users to *read* apt_preferences(5) if they intend to make use of APT-pinning.

From the man page:

Preferences are a strong power in the hands of a system administrator
but they can become also their biggest nightmare if used without care!
APT will not question the preferences, so wrong settings can lead to
uninstallable packages or wrong decisions while upgrading packages.
Even more problems will arise if multiple distribution releases are
mixed without a good understanding of the following paragraphs.
Packages included in a specific release aren't tested in (and therefore
don't always work as expected in) older or newer releases, or together
with other packages from different releases. You have been warned.

Just to note, adding Ubuntu PPAs and pinning them low (or even with a negative pin value) will not stop your system getting wrecked if a package from there pulls in incompatible library versions.

To use Ubuntu PPA packages in BunsenLabs, follow this guide:
https://forums.bunsenlabs.org/viewtopic.php?id=58

For the true ultra-conservative, add deb-src (source code) lines only then use this to compile the packages locally, just like Gentoo and the BSDs:

sudo apt-get build-dep $PACKAGE && apt-get --build source $PACKAGE && sudo dpkg -i $PACKAGE_$VERSION_$ARCH.deb

johnraff · 2015-11-02 05:12:12

^googling 'apt-get --build' led me to discover apt-build.
The Wiki suggests it might build a faster package?

Head_on_a_Stick · 2015-11-02 08:53:05

johnraff wrote:

^googling 'apt-get --build' led me to discover apt-build.
The Wiki suggests it might build a faster package?

Nice find!

Yes, the build can be optimised for the local architecture à la Gentoo -- lovely!

For the truly committed, use:

sudo apt-build world

Pouletic · 2015-12-05 16:20:40

Good comments here since i last reviewed it. Thanks for sharing. It's pretty cool that debian supports gentoo-like custom compiling so simply!

Kino · 2016-07-21 13:31:34

Hi,

I was hoping to install avidemux so followed the instructions in the first post.
The results was:

sudo apt-get -t jessie install avidemux
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package avidemux

What's changed??

Head_on_a_Stick · 2016-07-21 17:16:14

Kino wrote:

E: Unable to locate package avidemux

Did you add the deb-multimedia repositories?

http://crunchbang.org/forums/viewtopic.php?id=13457

https://deb-multimedia.org/

I do not recommend adding the deb-multimedia repositories, the packaging can cause conflicts with Debian jessie-based systems such as BunsenLabs.

Kino · 2016-07-22 09:17:35

Did that, now have the error:

Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://pkg.bunsenlabs.org bunsen-hydrogen InRelease: The following signatures were invalid: KEYEXPIRED 1468162041 KEYEXPIRED 1468162041 KEYEXPIRED 1468162041

W: GPG error: http://www.deb-multimedia.org stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5C808C2B65558117
W: Failed to fetch http://pkg.bunsenlabs.org/debian/dists/bunsen-hydrogen/InRelease  

W: Some index files failed to download. They have been ignored, or old ones used instead.
E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

Head_on_a_Stick · 2016-07-23 09:26:43

@Kino: Try this fix:
https://forums.bunsenlabs.org/viewtopic … 989#p31989

#1 2015-10-29 00:11:52

Ultraconservative installs and upgrades: pinning

#2 2015-10-29 00:32:52

Re: Ultraconservative installs and upgrades: pinning

#3 2015-10-29 01:58:25

Re: Ultraconservative installs and upgrades: pinning

#4 2015-10-29 08:29:24

Re: Ultraconservative installs and upgrades: pinning

#5 2015-10-29 11:32:43

Re: Ultraconservative installs and upgrades: pinning

#6 2015-10-29 13:43:33

Re: Ultraconservative installs and upgrades: pinning

#7 2015-10-29 14:37:25

Re: Ultraconservative installs and upgrades: pinning

#8 2015-10-29 14:55:45

Re: Ultraconservative installs and upgrades: pinning

#9 2015-10-29 14:58:29

Re: Ultraconservative installs and upgrades: pinning

#10 2015-10-29 15:03:08

Re: Ultraconservative installs and upgrades: pinning

#11 2015-10-30 04:59:29

Re: Ultraconservative installs and upgrades: pinning

#12 2015-11-01 04:14:16

Re: Ultraconservative installs and upgrades: pinning

#13 2015-11-01 11:40:58

Re: Ultraconservative installs and upgrades: pinning

#14 2015-11-02 05:12:12

Re: Ultraconservative installs and upgrades: pinning

#15 2015-11-02 08:53:05

Re: Ultraconservative installs and upgrades: pinning

#16 2015-12-05 16:20:40

Re: Ultraconservative installs and upgrades: pinning

#17 2016-07-21 13:31:34

Re: Ultraconservative installs and upgrades: pinning

#18 2016-07-21 17:16:14

Re: Ultraconservative installs and upgrades: pinning

#19 2016-07-22 09:17:35

Re: Ultraconservative installs and upgrades: pinning

#20 2016-07-23 09:26:43

Re: Ultraconservative installs and upgrades: pinning

Board footer