apt-get hold back packages on Ubuntu / Debian Linux

How do I hold back packages on an Ubuntu / Debian Linux to prevent updating of a specific package? How can I blacklist package updates using the apt command/apt-get command?

We can hold back packages using apt, apt-mark, aptitude, dpkg, and dselect command-line option under Debian or Ubuntu Linux. We have multiple options for holding back packages. Let us see all of them one by one.

ADVERTISEMENTS

Holding back packages when using apt-get/apt (method 1)

The apt-mark method works with both installed and uninstalled packages.

Typically we run the following two commands to update all packages:
$ sudo apt update && sudo apt upgrade
## OR ##
$ sudo apt-get update && sudo apt-get upgrade

Step 1 – List available updates

Run the apt command:
$ sudo apt list --upgradable

Step 2 – Force apt-get to hold back package named mariadb-server using the apt-mark

Pass the hold option to the apt-mark command as follows to mark a package as held back, which will prevent the package from being automatically installed, upgraded or removed:
$ sudo apt-mark hold package-name
$ sudo apt-mark hold mariadb-server

mariadb-server set on hold.

Step 3 – Display a list of packages on hold

Let us print a list of packages on hold:
$ apt-mark showhold

Step 4 – Cancel hold

Want to cancel a previously set hold on a package to allow all actions again? Try:
$ sudo apt-mark unhold pacakgeName
$ sudo apt-mark unhold mariadb-server

Canceled hold on mariadb-server.

How to prevent updating of a specific package using the dpkg command (method 2)

Package must be installed to put on hold when using the dpkg method. Otherwise you will get an error as follows:
dpkg: warning: package not in status nor available database at line 1: PACKAGE_NAME_HERE
dpkg: warning: found unknown packages; this might mean the available database
is outdated, and needs to be updated through a frontend method;
please see the FAQ <https://wiki.debian.org/Teams/Dpkg/FAQ>

We can put a package on hold as follows:
$ echo "{pkgName} hold" | sudo dpkg --set-selections
# Put a bash package on hold #
$ echo "bash hold" | sudo dpkg --set-selections

Get the status of your packages:
$ dpkg --get-selections pkgname
## Use the grep command/egrep command as filter to see the status of a single package named bash ##
$ dpkg --get-selections | grep bash

Want to delete the hold? Try:
$ echo "pkgName install" | sudo dpkg --set-selections
$ echo "bash install" | sudo dpkg --set-selections

Blacklist package updates using the aptitude command

This method works with both installed and uninstalled packages.

Let us hold a package called nginx:
$ sudo aptitude hold pkgNameHere
$ sudo aptitude hold nginx

Let us delete/remove the hold for a package named nginx:
$ sudo aptitude unhold pkgNameHere
$ sudo aptitude unhold nginx

We can also foorbid a package from being upgraded to a particular version, while allowing automatic upgrades to future versions. This is useful for example to avoid a known broken version of a package such as grub:
$ sudo aptitude forbid-version {pkg}={version}
$ sudo aptitude forbid-version bash=5.0-6ubuntu1.1

When you try to upgrade package using the aptitude command you will see message:
$ sudo aptitude upgrade

The following packages will be upgraded: 
  libcomerr2 libx11-data 
2 packages upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
....

Example that shows how to disable or lock/blacklist package

Open the terminal app and then refresh repo:
$ sudo apt update
List upgrades:
$ apt list --upgradable
Hold back base-files, mailutils-common, mailutils, and mariadb-common packages:
$ sudo apt-mark hold base-files mailutils-common mailutils mariadb-common
Try updating systems:
$ sudo apt upgrade
Unhold packages:
$ sudo apt-mark unhold base-files mailutils-common mailutils mariadb-common
Apply pending updates:
$ sudo apt upgrade

apt-get hold back packages on Ubuntu or Debian Linux

Blacklisting or holding back package from the “apt update” command.

Holding back package using Ansible IT automation/DevOps tool

Here is a sample playbook to hold packages:

# Prevent nginx from being upgraded
- dpkg_selections:
    name: python
    selection: hold
 
# Kept multiple packages back (hold packages)
- dpkg_selections: name={{ item }} selection=hold
  with_items:
          - apache2
          - php7-fpm
          - nginx
          - mariadb-server
 
# Removing hold using Ansible
- dpkg_selections:
    name: python
    selection: install

Conclusion

You learned how to hold back packages when using the ‘apt update’ or ‘apt-get update’ command. I strongly suggest that you use an apt-mark command as it is easy to use and act as front-end to set various settings for a package. Please note that the manual ‘apt install pkg’ command will always overwrite all of the above methods. See Debian wiki page for more information.

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
1 comment… add one
  • Genelia Aug 5, 2020 @ 21:22

    I had no idea about apt-mark command and I am using Debian for 9 years

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.