There are plenty of guides about apt pinning, but no one really explains the motivation to do so. It took me some time to understand that, so I thought I’d write it down.
The mainstream method of downloading and installing packages from a
repository is via APT (Advanced Packaging
Tool). When using
apt, the administrator usually says which package he wants installed,
but apt needs a bit more information:
The same package may be available from multiple sources. For example, my development server is set up to have 3 repositories, all containing some version of python:
- The Debian
stablerepository, guaranteeing compatibility with other packages
- The Debian
backportsrepository, including more features but still pretty stable
- The Debian
unstablerepository, offering many new features but risking weird behaviour and undiscovered bugs
Unless told manually which repository to install from, apt has to choose
one by itself.
When maintaining a server farm, it’s important to remember two things:
- The software packages should be updated regularly, to protect the server from bugs and security vulnerabilities that were discovered (and fixed in newer versions).
In short, apt should choose a version that is new, but not too new.
The Solution - Priorities
To solve this issue, apt assigns each package option
source) a priority number. When installing a package, the
command usually looks something like:
sudo apt-get install puppet
Apt-get then collects all of the possible options, sorts them by
descending priority (highest priority to lowest) and then by descending
version. It chooses the top option and installs that. The administrator
can manipulate the options’ priorities, causing apt to prefer the
For example, I pinned my puppet agent package to a specific version.
apt-cache policy puppet
We can see the pinning:
For Debian / Ubuntu, all of the sources have the same priority - 500. Usually, apt only encounters one option available of every package, so there is no collision. When installing / upgrading packages, apt chooses the latest version released by the official repository - the best package to install.
Dangers of Pinning
Pinning causes apt to change its default behaviour, so if you’re doing it - you better have a reason. Incorrect pinning can cause:
- Not upgrading old packages, meaning you’re exposed to security, performance and reliability issues
- Upgrading to unstable versions, meaning you’re exposed to (you guessed it) security, performance and reliability issues
- Installing nonfunctional packages - some sources may upload packages that are incorrectly built, or contain wrong metadata, causing them to misbehave and even break other packages
See my other post about pinning for guidelines about what to pin and how.