Product SiteDocumentation Site

第 6 章 维护和更新:APT 工具

6.1. 写入sources.list文件
6.1.1. 句法
6.1.2. 给Stable 使用者的仓库
6.1.3. 给测试/非稳定 版本用户的仓库
6.1.4. 非官方来源: apt-get.orgmentors.debian.net
6.1.5. Debian 软件包 缓存 代理
6.2. aptitudeapt-get 命令
6.2.1. 开端
6.2.2. 安装和卸载
6.2.3. System Upgrade
6.2.4. Configuration Options
6.2.5. Managing Package Priorities
6.2.6. Working with Several Distributions
6.2.7. Tracking Automatically Installed Packages
6.3. The apt-cache Command
6.4. Frontends: aptitude, synaptic
6.4.1. aptitude
6.4.2. synaptic
6.5. Checking Package Authenticity
6.6. Upgrading from One Stable Distribution to the Next
6.6.1. Recommended Procedure
6.6.2. Handling Problems after an Upgrade
6.7. Keeping a System Up to Date
6.8. Automatic Upgrades
6.8.1. Configuring dpkg
6.8.2. Configuring APT
6.8.3. Configuring debconf
6.8.4. Handling Command Line Interactions
6.8.5. The Miracle Combination
6.9. Searching for Packages
Debian 之所以如此受系统管理员欢迎,是因为项目提供的软件极易安装,整个系统的更新也极为简单。这一独特的优点主要得归功于 APT 程序,其特性在 Falcot 公司得到系统管理员们热情的研究。
是高级软件包管理器 的缩写。它的‘高级’之处在于对软件包的管理方法不同。APT并不是简单地独立评估每个包,而是将包看做一个整体系统,根据现有的和兼容的已有包找到最佳组合(包括依赖于这个软件包的其他包)。
APT需要一个”软件源列表“:文件/etc/apt/sources.list会列出发布 Debian 软件包不同的仓库(或软件源)。接下来APT会从每一个软件源导入所发布的软件包列表。这个过程是通过下载 Packages.{gz,bz2,lzma,xz}这个文件(若是二进制包的仓库)和Sources.{gz,bz2,lzma,xz}文件(若是软件包源的仓库),并分析这两个文件内容完成的。如果文件的旧版本已经存在,APT仅下载更新的部分(参见:sidebar TIP Incremental upgrade)。

6.1. 写入sources.list文件

6.1.1. 句法

/etc/apt/sources.list 文件中每个有效的代码行包括对源的描述,由三个被空格分开的部分组成。
第一个区域指示源的类型:
  • deb” 表示二进制软件包,
  • deb-src” for source packages.
第二个区域表示源的基本 URL (结合文件 Packages.gz 中给出的文件名,必须是有效URL的全称):此区域存在于一个 Debian 镜像或其他任何由第三方所建的软件源文档中。这个 URL 可以用 file:// 起始来表示系统里安装了本地仓库,或以 http:// 表示仓库可通过网络服务器来获取,或用 ftp:// 表示软件源在一个 FTP 服务器上。URL 还可以用 起始表示从 cdrom:// 开始安装。因基于网络的安装愈来愈流行,这个方法已不那么常用了。
最后这一区域的句法取决于仓库的结构。从最简单的例子开始,你可以很简单地描述一个软件源的子目录 (必须用到结尾处的斜线)(通常用 “./” 表示子目录不存在 - 这个软件源就位于给定的 URL上)。 不过一般来讲,仓库的结构类似于一个 Debian 的镜像, 包括很多分支,每一分支有很多组成部分。通常命名选定的分支(由 “codename” 来命名 - 参看附栏中的目录COMMUNITY Bruce Perens, a controversial leader 或是由对应的 “suites” — stable, testing, unstable ),然后命名下面的组成部分(或分区)(从main, contribnon-free中选择) 来激活一个典型的 Debian 镜像。
cdrom 条目描述了你所有的CD/DVD光盘。 与其他条目不同,因为一个CD光盘需要插入光驱中,并且每次只能读一张,所以并不总是可用。因此这种仓库管理起来稍有不同,需要加在apt-cdrom 程序中,经常与add 参数一起执行。后者会要求驱动中插入光盘,并会浏览内容,寻找Packages 文件。这些文件会用于更新可用软件包的数据库(此过程由apt-get update 命令执行)。 自此, 如果某软件包需要光盘,APT 可发出要求插入光驱。

6.1.2. 给Stable 使用者的仓库

下面是一个用来运行 Stable 版本Debian系统的标准 sources.list 文件:

例 6.1. /etc/apt/sources.list 给 Debian Stable 使用者的文件

# Security updates
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

## Debian mirror

# Base repository
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.debian.org/debian wheezy main contrib non-free

# Stable updates
deb http://ftp.debian.org/debian wheezy-updates main contrib non-free
deb-src http://ftp.debian.org/debian wheezy-updates main contrib non-free

# Stable backports
deb http://ftp.debian.org/debian wheezy-backports main contrib non-free
deb-src http://ftp.debian.org/debian wheezy-backports main contrib non-free
此文件列出了 与Debian Wheezy 版本相关软件包的所有来源(此手册写作当前稳定版本)。我们不希望当下一个稳定版本发布时,所有基于它的分支在我们控制范围外被改变,因此决定用“wheezy” 而不是用相对应的 “stable““ 稳定” 的别名(stable, stable-updates, stable-backports)来命名。
大多数软件包来源于“基础仓库”,它拥有所有的软件包,但极少更新(大概每两个月根据“点发布”更新)。其他仓库不完全(不包括所有软件包),不过可以支持更新(软件包是较新版本)。接下来的几章将会介绍这些仓库管理的目的和规则。
请注意,当你所需要的软件包版本存在于几个仓库中时,在文件sources.list中所列出的第一个会被使用。因此,非官方来源的包一般在此文件末尾处。
本节提到的稳定Stable 对于Oldstable 一样适用。后者只是同时维护的较旧Stable 版本。

6.1.2.1. 安全更新

安全更新一般不在 Debian 镜像通常所在的网络上,而是在security.debian.org(位于 Debian 系统管理员Debian System Administrators维护的小范围网络)。其上的文档包括为那些稳定版本准备的安全更新(由 Debian 安全团队和/或软件包维护者预备)。
服务器上也有针对测试版的安全更新。这类更新经常通过从非稳定版流入测试版,因此单独存在于服务器上的更新不常见。

6.1.2.2. 稳定更新

稳定更新对安全性不敏感,在下一个稳定版本点发布前,它还是很重要,需要推送给使用者。
这个仓库的典型例子包括修复在发布前无法修复的严重漏洞和后续更新引入的漏洞。根据紧急性,它还包含长期的软件包更新,比如spamassassin 的广告监测规则,clamav病毒库,或是各个市区的日光节约时间规则(tzdata)。
实际上,这个仓库是 计划-更新proposed-updates 的子库,是由稳定更新管理员小心选定的。

6.1.2.3. 计划更新

一旦发布,稳定分布只每两个月更新一次。接下来的更新在计划更新仓库里准备(由稳定发布管理员监督)。
这个仓库中通常有安全更新和稳定更新的文档,还有更多:软件包维护者可能在这里修复一些不需要马上发布的重要的漏洞。
任何人都可以使用这个仓库在正式发布前来检测更新。下面的摘录使用wheezy-proposed-updates别名。因为squeeze-proposed-updates 也存在,别名的使用更清楚更一致(对于Oldstable更新来讲):
deb http://ftp.debian.org/debian wheezy-proposed-updates main contrib non-free

6.1.2.4. Stable Backports

The stable-backports repository hosts “package backports”. The term refers to a package of some recent software which has been recompiled for an older distribution, generally for Stable.
When the distribution becomes a little dated, numerous software projects have released new versions that are not integrated into the current Stable (which is only modified to address the most critical problems, such as security problems). Since the Testing and Unstable distributions can be more risky, package maintainers sometimes offer recompilations of recent software applications for Stable, which has the advantage to limit potential instability to a small number of chosen packages.
The stable-backports repository is now available on the usual Debian mirrors. But backports for Squeeze are still hosted on a dedicated server (backports.debian.org), and requires the following sources.list entry:
deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
Backports from stable-backports are always created from packages available in Testing. This ensures that all installed backports will be upgradable to the corresponding stable version once the next stable release of Debian is available.
Even though this repository provides newer versions of packages, APT will not install them unless you give explicit instructions to do so (or unless you have already done so with a former version of the given backport):
$ sudo apt-get install package/wheezy-backports
$ sudo apt-get install -t wheezy-backports package

6.1.3. 给测试/非稳定 版本用户的仓库

下面是一个标准 sources.list文件,用于系统运行 Debian 测试非稳定 版本:

例 6.2. /etc/apt/sources.list file for users of Debian Testing/Unstable

# Unstable
deb http://ftp.debian.org/debian unstable main contrib non-free
deb-src http://ftp.debian.org/debian unstable main contrib non-free

# Testing
deb http://ftp.debian.org/debian testing main contrib non-free
deb-src http://ftp.debian.org/debian testing main contrib non-free

# Stable
deb http://ftp.debian.org/debian stable main contrib non-free
deb-src http://ftp.debian.org/debian stable main contrib non-free

# Security updates
deb http://security.debian.org/ stable/updates main contrib non-free
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free
APT 通过sources.list 文件来从非稳定安装软件包。如果这不是你所需要的,用APT::Default-Release 设置(参见 第 6.2.3 节 “System Upgrade”)来指示 APT 从另一分布获取软件包(一般用 测试)。
There are good reasons to include all those repositories, even though a single one should be enough. Testing users will appreciate the possibility to cherry-pick a fixed package from Unstable when the version in Testing is affected by an annoying bug. On the opposite, Unstable users bitten by unexpected regressions have the possibility to downgrade packages to their (supposedly working) Testing version.
The inclusion of Stable is more debatable but it often gives access to some packages which have been removed from the development versions. It also ensures that you get the latest updates for packages which have not been modified since the last stable release.

6.1.3.1. 实验 仓库

The archive of Experimental packages is present on all Debian mirrors, and contains packages which are not in the Unstable version yet because of their substandard quality — they are often software development versions or pre-versions (alpha, beta, release candidate…). A package can also be sent there after undergoing subsequent changes which can generate problems. The maintainer then tries to uncover them thanks to advanced users who can manage important issues. After this first stage, the package is moved into Unstable, where it reaches a much larger audience and where it will be tested in much more detail.
Experimental is generally used by users who do not mind breaking their system and then repairing it. This distribution gives the possibility to import a package which a user wants to try or use as the need arises. That is exactly how Debian approaches it, since adding it in APT's sources.list file does not lead to the systematic use of its packages. The line to be added is:
deb http://ftp.debian.org/debian experimental main contrib non-free

6.1.4. 非官方来源: apt-get.orgmentors.debian.net

There are numerous non-official sources of Debian packages set up by advanced users who have recompiled some software, by programmers who make their creation available to all, and even by Debian developers who offer pre-versions of their package online. A web site was set up to find these alternative sources more easily. It contains an impressive amount of Debian package sources which can immediately be integrated into sources.list files. However, be careful not to add random packages. Each source is designed for a particular version of Debian (the one used to compile the packages in question); each user should maintain a certain coherence in what they choose to install.
The mentors.debian.net site is also interesting, since it gathers source packages created by candidates to the status of official Debian developer or by volunteers who wish to create Debian packages without going through that process of integration. These packages are made available without any guarantee regarding their quality; make sure that you check their origin and integrity and then test them before you consider using them in production.
Installing a package means giving root rights to its creator, because they decide on the contents of the initialization scripts which are run under that identity. Official Debian packages are created by volunteers who have been co-opted and reviewed and who can seal their packages so that their origin and integrity can be checked.
In general, be wary of a package whose origin you don't know and which isn't hosted on one of the official Debian servers: evaluate the degree to which you can trust the creator, and check the integrity of the package.

6.1.5. Debian 软件包 缓存 代理

When an entire network of machines is configured to use the same remote server to download the same updated packages, any administrator knows that it would be beneficial to have an intermediate proxy acting as a network-local cache (see sidebar VOCABULARY Cache).
You can configure APT to use a "standard" proxy (see 第 6.2.4 节 “Configuration Options” for the APT side, and 第 11.6 节 “HTTP/FTP Proxy” for the proxy side), but the Debian ecosystem offers better options to solve this problem. The dedicated software presented in this section are smarter than a plain proxy cache because they can rely on the specific structure of APT repositories (for instance they know when individual files are obsolete or not, and thus adjust the time during which they are kept).
apt-cacher and apt-cacher-ng work like usual proxy cache servers. APT's sources.list is left unchanged, but APT is configured to use them as proxy for outgoing requests.
approx, on the other hand, acts like an HTTP server that “mirrors” any number of remote repositories in its top-level URLs. The mapping between those top-level directories and the remote URLs of the repositories is stored in /etc/approx/approx.conf:
# <name> <repository-base-url>
debian   http://ftp.debian.org/debian
security http://security.debian.org
approx 通过inetd (参见第 9.6 节 “ inetd 超级服务”)默认在9999端口运行,并需要用户调整sources.list 文件来指向 approx 服务器:
# 指向本地 approx 服务器的sources.list 范例 ↵
deb http://apt.falcot.com:9999/security wheezy/updates main contrib non-free↵
deb http://apt.falcot.com:9999/debian wheezy main contrib non-free↵