AptConfiguration - Debian Wiki

apt_preferences (APT pinning)

Debian Reference - Debian package management - 2.7.3. Tweaking candidate version
man 5 apt_preferences
man 5 apt.conf
man 8 apt-config

When multiple Apt repositories are enabled , a package can exist in several of them. To know which one should be installed, Apt assigns priorities to packages. The default is 500 .

If the packages have the same priority, the package with a higher version number (most recent) wins.
If packages have different priorities, the one with the higher priority wins.

Pinning allows changing priorities for only some packages/repositories, so that you can:

Prefer a DebianBackports package over a DebianStable one: by default Debian backports repositories have a lower priority than stable ( 100 ). They won't be installed or upgraded unless explicitly configured to (or the package only exists in backports).
Only allow some packages from a third-party repository, and ignore the other even if more recent: you may want to add experimental/unstable/third-party repositories with extra/more recent software, but only allow some of these packages to be installed.
Force a package downgrade (not recommended)

With a few exceptions ( DebianBackports ) it is not recommended to mix repositories/releases unless they were specially prepared . See DontBreakDebian . . Don't enable DebianUnstable repositories on DebianStable . When pinning, you must ensure compatibility of packages by yourself since Debian does not guarantee it.

To view the priority of a specific package, use apt-cache policy mypackage :

$ apt-cache policy claws-mail
claws-mail:
  Installed : (none)
  Candidate : 3.14.1-3+b1
 Version table :
     3.17.1-1~bpo9+1 100
        100 https://deb.debian.org/debian stretch-backports/main amd64 Packages
     3.14.1-3+b1 500
        500 https://deb.debian.org/debian stretch/main amd64 Package

In the example above, the package that would be installed ( Candidate ) would be the older, 3.14 version from stretch/main . stretch-backports/main has a newer version 3.17 , but a lower priority ( 100 vs 500 for stretch)

To view the global priority for each Apt source (repository):

$ apt-cache policy 
Package files: 
 # The default https://wiki.debian.org/DebianStable repository with a priority of 500
 500 https://deb.debian.org/debian stable/main amd64 Packages
     o=Debian,n=stable,l=Debian,c=main,b=amd64
     origin deb.debian.org
 # The repository for Debian https://wiki.debian.org/PointReleases (security and grave bug fixes ~every 2 months)
 500 https://deb.debian.org/debian stable-updates/main amd64 Packages
     release o=Debian,a=oldstable-updates,n=stable-updates,l=Debian,c=main,b=amd64
     origin deb.debian.org
 # The https://wiki.debian.org/DebianSecurity repository with short response time for security fixes
 500 http://security.debian.org stable/updates/main amd64 Packages
     release v=9,o=Debian,a=oldstable,n=stable,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 # The https://wiki.debian.org/DebianBackports repository, comes with a default priority of 100
 100 https://deb.debian.org/debian stable-backports/main amd64 Packages
     release o=Debian Backports,a=stable-backports,n=stable-backports,l=Debian Backports,c=main,b=amd64
     origin deb.debian.org
 # The priority of locally installed packages
 100 /var/lib/dpkg/status 
     release a=now

Force installation of a package from a repository

To tell Apt to install a package from stretch-backports , even if the package has a low priority:

apt install -t stretch-backports claws-mail

Note that the package will not be automatically upgraded when running an Apt Upgrade.

Always prefer packages from a repository

To always prefer packages from stretch-backports (and hence allow Apt Upgrades), set a higher priority for this package coming from the stretch-backports release. Edit the file /etc/apt/preferences.d/99debian-backports (create it):

Package: claws-mail
Pin: release a=stretch-backports
Pin-Priority: 900

Now installing the claws-mail package will install the version from stretch-backports . Running an Apt Upgrade will automatically pick up newer versions from stable-backports . Running apt-cache policy again you would see:

Pinned packages:
     claws-mail -> 3.17.1-1~bpo9+1 with priority 900

Prevent/selective installation from third-party a repository

To prevent installation of newer packages from a third-party repository ( DontBreakDebian ), even if it has equal priority, edit the file /etc/apt/preferences.d/99my-custom-repository by origin url:

# Never prefer packages from the my-custom-repo repository
Package: *
Pin: origin my.custom.repo.url
Pin-Priority: 1
# Allow upgrading only my-specific-software from my-custom-repo
Package: my-specific-software
Pin: origin my.custom.repo.url
Pin-Priority: 500

or by repository name:

# Never prefer packages from the my-custom-repo repository
Package: *
Pin: release o=my-custom-repo-name
Pin-Priority: 1
# Allow upgrading only my-specific-software from my-custom-repo
Package: my-specific-software
Pin: release o=my-custom-repo-name
Pin-Priority: 500

File naming in /etc/apt/preferences.d/ is free but the last in alphabetical order takes precedence.

The * after Package: is not a wildcard, but a special case that means "everything". Wildcards are NOT supported. However, trailing wildcards are accepted in versions ( 2.6* will match both 2.6 and 2.6.18 ).

Other pinning notes

In addition to origin , you can pin packages based on other variables. apt-cache policy shows other variables that can be used as the Pin: key:

   1 https://deb.debian.org/debian stretch-backports/non-free i386 Packages
     release o=Debian Backports,a=stretch-backports,n=stretch-backports,l=Debian Backports,c=non-free,b=i386
     origin deb.debian.org

release : the DebianRelease full name, codename ( n ) or release number ( v )
a , archive : archive (base directory in the repository)
c , component : main/contrib/non-free
origin : domain name of the repository ( ToDo verify)
l , label : ToDo
b , architecture : processor architecture
version : package version

These variables are provided by Release files in Debian repositories .

apt.conf

Apt accepts configuration files (without extension) in /etc/apt/apt.conf.d/ . These are processed by Apt in numeric/alphabetical order. /etc/apt/apt.conf is also valid but deprecated.

These files contain directives used by all tools in the Apt suite, you can get a list of all current values with apt-config dump

Dpkg::Pre-Install-Pkgs {"mycommand";}; : executes mycommand before package installation/unpacking by Dpkg.
Dpkg::Pre-Invoke {"mycommand";}; : executes mycommand before apt calls dpkg
Dpkg::Post-Invoke {"mycommand";}; : executes mycommand after apt calls dpkg
Acquire::http::Proxy "http://proxy:8080"; : sets the proxy for HTTP downloads
Acquire::https::Proxy "https://proxy:8443"; : sets the proxy for HTTPS downloads
Acquire::http::Timeout "2"; : sets the timeout for HTTP downloads
Acquire::https::Timeout "2"; : sets the timeout for HTTPS downloads
Acquire::ftp::Timeout "2"; : sets the timeout for FTP downloads

If you really have to use FTP, this sets the FTP proxy:

 Acquire::ftp
   Proxy "ftp://proxy:2121/";
   ProxyLogin
      "USER $(SITE_USER)@$(SITE)";
      "PASS $(SITE_PASS)";
 }

CategoryPackageManagement | CategorySoftware | CategorySystemAdministration