apt-get hold back packages on Ubuntu / Debian Linux

How do I hold back packages on an Ubuntu / Debian Linux to prevent updating of a specific package? How can I blacklist package updates using the apt command/apt-get command?

We can hold back packages using apt, apt-mark, aptitude, dpkg, and dselect command-line option under Debian or Ubuntu Linux. We have multiple options for holding back packages. Let us see all of them one by one.

Holding back packages when using apt-get/apt (method 1)

The apt-mark method works with both installed and uninstalled packages.

Typically we run the following two commands to update all packages:
$ sudo apt update && sudo apt upgrade
## OR ##
$ sudo apt-get update && sudo apt-get upgrade

Step 1 – List available updates

Run the apt command:
$ sudo apt list --upgradable

Step 2 – Force apt-get to hold back package named mariadb-server using the apt-mark

Pass the hold option to the apt-mark command as follows to mark a package as held back, which will prevent the package from being automatically installed, upgraded or removed:
$ sudo apt-mark hold package-name
$ sudo apt-mark hold mariadb-server

mariadb-server set on hold.

Step 3 – Display a list of packages on hold

Let us print a list of packages on hold:
$ apt-mark showhold

Step 4 – Cancel hold

Want to cancel a previously set hold on a package to allow all actions again? Try:
$ sudo apt-mark unhold pacakgeName
$ sudo apt-mark unhold mariadb-server

Canceled hold on mariadb-server.

How to prevent updating of a specific package using the dpkg command (method 2)

Package must be installed to put on hold when using the dpkg method. Otherwise you will get an error as follows:
dpkg: warning: package not in status nor available database at line 1: PACKAGE_NAME_HERE
dpkg: warning: found unknown packages; this might mean the available database
is outdated, and needs to be updated through a frontend method;
please see the FAQ <https://wiki.debian.org/Teams/Dpkg/FAQ>

We can put a package on hold as follows:
$ echo "{pkgName} hold" | sudo dpkg --set-selections
# Put a bash package on hold #
$ echo "bash hold" | sudo dpkg --set-selections

Get the status of your packages:
$ dpkg --get-selections pkgname
## Use the grep command/egrep command as filter to see the status of a single package named bash ##
$ dpkg --get-selections | grep bash

Want to delete the hold? Try:
$ echo "pkgName install" | sudo dpkg --set-selections
$ echo "bash install" | sudo dpkg --set-selections

Blacklist package updates using the aptitude command

This method works with both installed and uninstalled packages.

Let us hold a package called nginx:
$ sudo aptitude hold pkgNameHere
$ sudo aptitude hold nginx

Let us delete/remove the hold for a package named nginx:
$ sudo aptitude unhold pkgNameHere
$ sudo aptitude unhold nginx

We can also foorbid a package from being upgraded to a particular version, while allowing automatic upgrades to future versions. This is useful for example to avoid a known broken version of a package such as grub:
$ sudo aptitude forbid-version {pkg}={version}
$ sudo aptitude forbid-version bash=5.0-6ubuntu1.1

When you try to upgrade package using the aptitude command you will see message:
$ sudo aptitude upgrade

The following packages will be upgraded: 
  libcomerr2 libx11-data 
2 packages upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

Example that shows how to disable or lock/blacklist package

Open the terminal app and then refresh repo:
$ sudo apt update
List upgrades:
$ apt list --upgradable
Hold back base-files, mailutils-common, mailutils, and mariadb-common packages:
$ sudo apt-mark hold base-files mailutils-common mailutils mariadb-common
Try updating systems:
$ sudo apt upgrade
Unhold packages:
$ sudo apt-mark unhold base-files mailutils-common mailutils mariadb-common
Apply pending updates:
$ sudo apt upgrade

apt-get hold back packages on Ubuntu or Debian Linux

Blacklisting or holding back package from the “apt update” command.

Holding back package using Ansible IT automation/DevOps tool

Here is a sample playbook to hold packages:

# Prevent nginx from being upgraded
- dpkg_selections:
    name: python
    selection: hold
# Kept multiple packages back (hold packages)
- dpkg_selections: name={{ item }} selection=hold
          - apache2
          - php7-fpm
          - nginx
          - mariadb-server
# Removing hold using Ansible
- dpkg_selections:
    name: python
    selection: install


You learned how to hold back packages when using the ‘apt update’ or ‘apt-get update’ command. I strongly suggest that you use an apt-mark command as it is easy to use and act as front-end to set various settings for a package. Please note that the manual ‘apt install pkg’ command will always overwrite all of the above methods. See Debian wiki page for more information.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 1 comment so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
1 comment… add one
  • Genelia Aug 5, 2020 @ 21:22

    I had no idea about apt-mark command and I am using Debian for 9 years

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum