How to hold packages with apt-get in Debian and Ubuntu

Hello! Upgrading packages, sometimes you may have problems if some packages are upgraded. You may want to prevent a certain package from being upgraded, but how to hold packages on a Debian and Ubuntu Linux to prevent a specific package from being upgraded?  We may want to block package updates so that packages are not updated via apt/apt-get.

In Debian or Ubuntu Linux we can withhold or block packages using the apt, apt-mark, aptitude, dpkg and dselect command options. We have multiple options, let’s see, in my opinion, the most useful ones.

Package retention when using apt-get/apt (method 1)

Normally we run the following two commands to update all packages:

root@host# sudo apt update && sudo apt upgrade

Or also:

root@host# sudo apt-get update && sudo apt-get upgrade

Step 1 – List of available updates

Run the apt command:

root@host# sudo apt list --upgradable

Step 2 – Force apt-get to retain the package named php7.4 using apt-mark

Pass the hold option to the apt-mark command as follows to mark a package as held, which will prevent the package from being installed, upgraded or removed automatically:

root@host# apt-mark hold PACKAGE

In this case:

root@host# apt-mark hold php7.4
php7.4 set on hold.

Step 3 – Display a list of waiting packages

Now to print the list of blocked packages:

apt-mark showhold

Step 4 – Cancel withholding

Do you want to cancel a hold you have previously placed on a package? You can do it this way:

root@host# apt-mark unhold PACKAGE

In our case:

root@host# apt-mark unhold php7.4

How to prevent the update of a package with the dpkg command (method 2)

The package must be installed to put it on standby when using the dpkg method. Otherwise, you will get an error like the following:

dpkg: warning: package not in status nor available database at line 1: PACKAGE

Or maybe:

dpkg: warning: found unknown packages; this might mean the available database
is outdated, and needs to be updated through a frontend method;

We can put a package on hold as follows:

echo "PACKAGE_NAME hold" | dpkg --set-selections

Using the same php7.4 package for the example:

root@host#  echo "php7.4 hold" | dpkg --set-selections


Obtain package status

dpkg --set-selections PACKAGE_NAME

Or also:

dpkg --set-selections | grep PACKAGE_NAME

Unblocking a package

To remove the lock on a package:

echo "PACKAGE_NAME install" | dpkg --set-selections

Using the same php7.4 package for the example:

root@host#  echo "php7.4 install" | dpkg --set-selections

Blocking package updates with the aptitude command (method 3)

Unlike the previous one, this method works with both installed and uninstalled packages.

To blacklist a package we must execute the following command:

aptitude hold PACKAGE

Following the previous examples, with the php7.4 package it would be:

root@host# aptitude hold php7.4

We can also prevent a package from being upgraded to a particular version, while allowing automatic upgrades to future versions. This is useful, for example, to prevent an unwanted version of a package from being installed. Imagine we have php=7.4.2 and we don’t want to upgrade to php=7.4.4 because it has a security bug (it’s made up, I haven’t checked if it’s true). We can prevent it from upgrading like this:

aptitude forbid-version PACKAGE=VERSION

In other words (it is an invented version of the package:

aptitude forbid-version php7.4=7.4.4-0ubuntu2.10

After blocking a package in the above ways, if you run the aptitude upgrade command and detect updates for the retained package you will see something similar to this:

30 packages upgraded, 0 newly installed, 0 to remove and 1 not upgraded.


Leave a Reply