|
|
Subscribe / Log in / New account

What's new in APT 3.0

By Joe Brockmeier
April 16, 2025

Debian's Advanced Package Tool (APT) is the suite of utilities that handle package management on Debian and Debian-derived operating systems. APT recently received a major upgrade to 3.0 just in time for inclusion in Debian 13 ("trixie"), which is planned for release sometime in 2025. The version bump is warranted; the latest APT has user-interface improvements, switches to Sequoia to verify package signatures, and includes solver3—a new solver that is designed to improve how it evaluates and resolves package dependencies.

The APT suite includes the high-level apt command-line tool as well as a number of lower-level utilities for configuring APT, managing packages, or querying its internal database (known as the cache). It also includes the libapt-pkg package-management library that is used by alternative frontends to APT, such as Aptitude and Nala. In turn, APT relies on dpkg to actually work with Debian package files (.debs). The relationship between all of Debian's package-management tools is well-described in the Debian FAQ.

Better interface

The first version of APT, 0.0.1, was released in 1998 by Scott K. Ellis. Current development for APT is primarily driven by Julian Andres Klode. APT 3.0 is the first major release since version 2.0 was released in March 2020. Version 3.0 entered unstable on April 4, and made its way into testing on April 10. Klode has dedicated the 3.0 series to Debian and Ubuntu developer Steve Langasek ("vorlon"), who passed away at the beginning of the year.

Development of the 3.0 series began in April 2024, with version 2.9.0. That update included some apt interface changes that closed a decade-old bug from Joey Hess. The bug was a request for apt to provide a clearer message to users about which packages it would remove when performing an operation like dist-upgrade. He complained that messages about package removals would be "buried in the middle of masses of other data that are liable to be skimmed at best, and scroll right off the terminal at worst".

With 3.0, apt organizes its output into more readable sections, and adds columnar display of packages as well as colorized output. For example, as shown in the screenshot below on the bottom pane, prior versions of apt would clump all of the information together in a block of text that may be hard to read. The output for apt 3.0, shown in the top pane, puts information in logical blocks and highlights package removal last—in red—to help ensure that the user is aware they're about to perform a potentially destructive operation.

[apt remove output]

The 3.0 branch also automatically invokes a pager for commands such as "apt search", "apt show", or "apt policy" that may have longer output to the terminal.

DEB822 and apt modernize-sources

Debian has been, quite slowly, moving to a new format for APT data sources. Most Debian users are familiar with the /etc/apt/sources.list file and its format, which puts all information about a package archive on one line, such as this example:

    deb https://deb.debian.org/debian/ bookworm contrib main non-free non-free-firmware
    deb-src https://deb.debian.org/debian/ bookworm contrib main non-free non-free-firmware

That specifies the archive type (deb for binary packages, deb-src for source packages), the repository URL, the distribution release name (bookworm here), and the components such as contrib, main, non-free, and so on. In 2015, APT 1.1 added support for a new format, DEB822, taken from the RFC 822 standard for internet text messages (mail). (The most recent version of the Internet Message Format is RFC 5322.) In the new format, the same archive information would be in the file /etc/apt/sources.list.d/debian.sources and look like this:

    Types: deb deb-src
    URIs: https://deb.debian.org/debian
    Suites: bookworm
    Components: main contrib non-free non-free-firmware
    Architectures: amd64
    Enabled: yes
    Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

This has the advantage of making the source format much more readable, and adds the ability to have options. In this example there is "Enabled", which allows the user to specify whether a source should be enabled or not without having to comment out each line if it is disabled. "Architectures" is straightforward, it specifies the CPU architecture to download. "Signed-By" stanzas specify the GnuPG key used to sign the Release files in the archive. As the sources.list manpage notes, the intent has been to gradually make DEB822 the default format "as it is easier to create, extend and modify for humans and machines alike" and eventually deprecate the old format.

Klode had lobbied to move to DEB822-type source files in Debian 12, but that change did not take place. Likewise, at least for current Debian testing/trixie installs, it has not taken place for Debian 13, either. However, apt has gained a modernize-sources command that will convert sources.list and other APT data source files to the DEB822 format. Running "apt modernize-sources" as root, if there are unconverted files, will display a message that details any files that will be converted and asks the user whether it should continue. If yes, it will back up the old file or files with a .bak extension and write out a file to /etc/apt/sources.list.d/debian.sources. If not, the command will write to the console what it would write out in the new format rather than replacing the file or files.

Ubuntu users may already be familiar with the DEB822 format, as Ubuntu started using it in the 24.04 "Noble Numbat" release.

In any case, the old format is likely to be with us for quite some time. In the discussion about using DEB822 sources by default in Debian 12, Klode said that the timeline for removing support for the sources.list format would be 2030 at the earliest. That was in 2021 and would have included deprecating the format in trixie first. At this point, the earliest it would even be deprecated is with the Debian 14 ("forky") release and that schedule is not set yet: but it is unlikely to debut sooner than 2027.

New solver

APT handles determining dependencies, conflicts, and interactions between packages behind the scenes, so that users can install software without worrying about that information. If a user wants to install Git, they do not need to know that it requires the GNU C Library, Perl, the zlib compression library, PCRE2, and several other packages. They do not need to know about the dependencies those packages have, nor do they need to know ahead of time if software already installed on their system conflicts with the software they would like to install.

APT uses its solver to sort out the relationships between packages and provides a solution—if one exists in the data sources available to it—to installing all of the packages needed to provide Git or whatever software the user had asked to install. The user does not need to know about the dependencies those packages have, or the dependencies that the dependencies have, and so on.

In 2023, Klode wrote about upgrade approaches for APT and how dependency solving should be done differently between upgrades within a release (e.g., package updates to an installed Debian 12 system), and upgrades from one release to the next (e.g., Debian 12 to Debia 13). Within a release, APT should minimize package changes—but on upgrades to a new release, APT should minimize the divergence between an upgraded system and a fresh install of the release. His proposal was that the APT solver should "forget" which packages were installed automatically and instead aim for normalization.

For example, a user might use apt to install their favorite editor on a system running Debian bookworm. If that operation pulls in automatic dependencies, prior versions of APT would seek to keep those dependencies when the system is upgraded to trixie—even if there are different options that would be installed if the user had installed the editor on a fresh install of trixie. The new solver would opt instead to replace automatically installed dependencies with the preferred options for trixie so that the install does not diverge so much from other trixie installs.

The first version of solver3 appeared in APT 2.9.3. On his blog, Klode described the new solver as a Davis–Putnam–Logemann–Loveland (DPLL) solver without pure-literal elimination.

In practical terms, Klode said that the "most striking difference" to the classic solver is that solver3 always keeps manually installed packages, including those marked as obsolete. In the future, he said, this policy will be relaxed to allow obsolete packages to be replaced if there are packages that can replace them. During his talk at DebConf24 last year, he estimated that the new solver would be about 40% faster than the classic version because it does not evaluate every single package in a repository when coming up with a solution.

APT 3.0 also aims to be more helpful in tidying up users' systems. The apt autoremove command is useful for getting rid of packages that are no longer needed. This includes packages that have been installed as a dependency of another package that has since been removed, or packages that an upgrade has made unnecessary. Solver3's autoremove will be more aggressive about removing unneeded packages because, Klode said, it only knows about the strongest dependency chain for each package—and will no longer keep packages that are only reachable via weaker chains.

Since a system can have multiple APT repositories enabled, and a package may exist in more than one of those repositories, APT uses priorities for repositories and individual packages to decide which to install. The default priority is 500, with higher values representing higher priorities. When packages have the same priority, APT will choose the package with the highest version number. If the packages have different priorities, APT will choose the one with the highest priority. Pinning can be used to change priorities to packages or repositories, and might be used if a user wants to install some packages from third-party repositories or to prefer packages from Debian backports over the ones in Debian stable. The "apt-cache policy" command displays the priority of repositories and any pinned packages.

In 3.0, apt has a new option, --no-strict-pinning. This tells apt to consider all versions of a package and not just the best version ("candidate" version, in APT terminology). Klode gives the example of trying to install package foo version 2.0:

    # apt install foo=2.0 --no-strict-pinning

That would install foo 2.0 and upgrade or downgrade other packages that are needed to satisfy its dependencies, even if the repositories containing the needed dependencies are pinned at a lower level and it means downgrading other packages to satisfy foo 2.0's dependencies. This can be useful, for example, to install one or two packages from Debian's experimental repository without getting all packages from that repository.

sqv by default

Historically, APT has used GnuPG as its OpenPGP implementation to verify the signature on the Release.gpg file included with a repository. In 3.0, APT now uses the Sequoia PGP project's sqv verification tool by default on supported platforms. (LWN covered Sequoia in January.)

Klode explained in November last year that there were several reasons why he had worked to replace GnuPG. He referred to GnuPG's upstream becoming incompatible with other OpenPGP implementations, which LWN covered in 2023. He also said that GnuPG's implementation had quality issues, such as silently ignoring some options, not producing errors on expired signatures, and some unsafe features:

For example, the new --assert-pubkey-algo feature accepts <operator><name><size> as the syntax, so it looks at >=ed448 and accepts ed25519 as being stronger because 25519 >= 448, whereas it is the weaker curve.

He also noted that sqv is written in a memory-safe language (Rust), which could make parsing OpenPGP safer. He did not mention speed as a reason for the transition, but Ian Jackson thanked all the people who had contributed to the change, and said that it had sped up running the dgit test suite "by a factor of nearly 2".

According to a message Klode sent to debian-devel last year, sqv became the default in unstable for all of Debian's release architectures and some of its ports (work-in-progress architectures that have not been promoted to release status). Since APT 3.0 has now migrated into testing, and therefore trixie, sqv will be the default going forward.

apt install 3.0

Users of the Debian unstable and testing releases should already have 3.0 at their fingertips, assuming they've done an upgrade since April 10. It will also be in Ubuntu 25.04, which is scheduled for release on April 17. Per the release notes for 25.04, the new solver will be used automatically "if the classic solver cannot find a solution to either find a solution or add more context to the failure" or to evaluate its performance.

It will be interesting to see how the new APT is received by users when Debian trixie is released and it starts being widely used. In my brief and not entirely rigorous testing, APT 3.0 seems to be an improvement all around—but real-world usage will no doubt shake out some interesting issues.


to post comments

Lockfiles?

Posted Apr 16, 2025 19:22 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (26 responses)

Does it support something like lockfiles for reproducibility?

Lockfiles?

Posted Apr 16, 2025 19:58 UTC (Wed) by rweir (subscriber, #24833) [Link] (2 responses)

isn’t that what ‘dpkg —{get,set}-selections’ is for?

Lockfiles?

Posted Apr 16, 2025 23:48 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

The last time I tried it (~5 years ago), the `--set-selections` was not able to reproduce the package versions.

Lockfiles?

Posted Apr 17, 2025 11:19 UTC (Thu) by rweir (subscriber, #24833) [Link]

ah, you're totally right, sorry - I should have checked.

Lockfiles?

Posted Apr 16, 2025 22:12 UTC (Wed) by amarao (guest, #87073) [Link] (14 responses)

The problem with reproducibility in Debian is that you have disappearing packages in the archive. Even if you pin it, a month later only newer version is available. The second problem is potential double upload, when the same version was replaced by a different binary artifact.

Content addressing (like docker does with layers) would had solved this completely...

Lockfiles?

Posted Apr 16, 2025 22:46 UTC (Wed) by bluca (subscriber, #118303) [Link] (2 responses)

https://snapshot.debian.org

Lockfiles?

Posted Apr 17, 2025 5:23 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

It runs on a single server, and won't scale if people start using it.

Lockfiles?

Posted Apr 17, 2025 9:35 UTC (Thu) by jki (subscriber, #68176) [Link]

This changed, and people are using it at scale now, including via CI. Give it a try.

Lockfiles?

Posted Apr 17, 2025 6:28 UTC (Thu) by pabs (subscriber, #43278) [Link] (6 responses)

https://reproduce.debian.net/

Lockfiles?

Posted Apr 17, 2025 6:31 UTC (Thu) by amarao (guest, #87073) [Link] (5 responses)

It work for Debian reproudicability. Now, try to build a reproducible image from them (debootstrap or docker). You would be very surprised how impossible it is.

Last time I tried, I got diffoscope angry on me because of perl security fix landing right in between rebuilds.

Lockfiles?

Posted Apr 17, 2025 6:35 UTC (Thu) by pabs (subscriber, #43278) [Link] (2 responses)

There is work on reproducible installs too, IIRC the live images are now reproducible from binary .deb files.

https://wiki.debian.org/ReproducibleInstalls

Lockfiles?

Posted Apr 17, 2025 9:24 UTC (Thu) by amarao (guest, #87073) [Link] (1 responses)

That's interesting.

Are they 'timeless'? Can I reproduce install made in 2023 in 2025? If so, this is great solution. If not, it's the same as my last attempt to have reproducible image. It works, but only until next fix to the perl (why do I have Perl in python-specific image????)

Lockfiles?

Posted Apr 18, 2025 6:51 UTC (Fri) by pabs (subscriber, #43278) [Link]

You should be able to yes, unless there are reproducibility bugs in the packages you are installing, or if the Debian snapshot ever goes offline or sees corruption.

Lockfiles?

Posted Apr 17, 2025 13:27 UTC (Thu) by fmoessbauer (subscriber, #171204) [Link] (1 responses)

Bit by bit reproducible images and docker containers are possible, but still not trivial to achieve. The biggest remaining problems are reproducible installing as well as metadata (in case of containers). But it is doable, as shown in the https://github.com/siemens/kas project, where we build bit-identical containers for both x86_64 and arm64 in the Github CI. Users can just fork the project and reproduce the same container.

I also worked together with the team behind snapshot.d.o to make that service scalable and usable by CI systems. Now the service is behind a CDN, reasonably fast and also can be cached locally with a squid cache, if needed. Still, a lot of manual plumbing is needed to make (and keep!) things reproducible - and a lot of time spent in the diffoscope tool.

Lockfiles?

Posted Apr 17, 2025 13:34 UTC (Thu) by amarao (guest, #87073) [Link]

Thank you for information.

And a big thank you for your work. And for diffoscope, it's amazing.

I did it without kas, in github runner environment... I almost did it, but I found, that with 12% chance one file in the image get's 666 permissions (including py files, which is kinda dangerous), and only if image is build in CI, not locally. Now it's solved by 'retry' for CI run, but I wonder what is real reason for such dangerous bit flip.

Anyway, I got the taste for reproducibility for images and start to spread the gospel everywhere I could. After having reproducibility, non-reproducible setups looks... unhygienic.

Lockfiles?

Posted Apr 17, 2025 9:09 UTC (Thu) by porridge (subscriber, #15054) [Link] (2 responses)

I don't think double uploads are allowed in Debian proper, but I guess can happen when using unofficial repos by mistake or maliciously.

Lockfiles?

Posted Apr 17, 2025 9:20 UTC (Thu) by amarao (guest, #87073) [Link] (1 responses)

In my lifetime I saw a case or two, but it was many years ago and I can't be 100% sure, it was Debian, or 'some 3rd party deb repo'.

In the topic of better technology, the rules for Debian, whilst very honorable and important, are not the point. dpkg does not allow true (content) pinning, the technology itself have zero protection against reuploads (if apt catch reupload, there will be a warning, if there are two independent runs with different archive content, there will be zero indication of the problem).

As operator I absolutely love dpkg and apt, and it's amazing. But as developer with reproducibility goals, I have trouble to make reproducible images.

My best result is 'time-limited reproducible image' (which is a mockery for reproducibility). Until Debian pushes the next fix for some system package, my build can be reproducible. Even in this limited scope it has enormous benefits (like a developer can submit future image digest written in multiple places, together with proposed changes, and all CI need to do is to verify they match after building that image).

I don't know what proper solution should be. I love both 'security updates painless, automatic and for free', and 'reproducible forever' properties. I don't know if we can have both or not...

Lockfiles sounds like a great idea, but this is a big strain on snapshots (or mirrors, if snapshots become standardized).

Can they be 'merged' into archive in the way, which do not blow up size by x100?

Lockfiles?

Posted Apr 17, 2025 11:57 UTC (Thu) by juliank (guest, #45896) [Link]

For reproducible images, you obviously need to record the timestamp when you built the image and then request the archive snapshot for that timestamp, i.e. just set APT::Snapshot "timestamp"; or use snapshot urls directly. It's up to the archives to support the use of snapshots.

Debian images should be fully reproducible at this point, forever, well as long as the snapshots remain.

Obviously if you point your image build at a moving target instead of a snapshot, you don't get reproducible images. This is a feature.

The ability to request a specific, older version of a package is an anti-feature. We often see people who try to build repositories with

foo (= 1) Depends foo-dep (= 1)
foo (= 2) Depends foo-dep (= 2)

and then try to install foo=1 and have it fail. That's intentional and an important feature to avoid exponential number of combinations, and people from using old unmaintained versions of a package.

Lockfiles?

Posted Apr 17, 2025 11:50 UTC (Thu) by gioele (subscriber, #61675) [Link]

> The problem with reproducibility in Debian is that you have disappearing packages in the archive. Even if you pin it, a month later only newer version is available.

If you want reproducibility you must use the versioned archives provided by https://snapshot.debian.org/ instead of the main archive.

> The second problem is potential double upload, when the same version was replaced by a different binary artifact.

That cannot happen. It has happened only a few times in the past decades due to weird edge-cases (see <https://bugs.debian.org/1072205>), but now there is code in the infra to guard against it.

Lockfiles?

Posted Apr 17, 2025 6:29 UTC (Thu) by pabs (subscriber, #43278) [Link] (3 responses)

That would be the buildinfo files pioneered by the repro builds folks, they are working on reproducing binary packages based on them.

https://reproduce.debian.net/

Lockfiles?

Posted Apr 17, 2025 6:56 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

It's not the same thing. I'm not aware of a way to build bit-for-bit identical _system_. Every time you do "apt-get install", you have a potential to end up with a slightly different system.

Lockfiles?

Posted Apr 17, 2025 11:59 UTC (Thu) by juliank (guest, #45896) [Link]

You can, you must mmdebstrap from a snapshot. All you need for reproducibilty is record the snapshot id.

Lockfiles?

Posted Apr 18, 2025 6:50 UTC (Fri) by pabs (subscriber, #43278) [Link]

See the reproducible installs comment nearby in the thread.

Lockfiles?

Posted Apr 17, 2025 13:02 UTC (Thu) by MrWim (subscriber, #47432) [Link]

We’ve been using lockfiles for building images with apt for the past 7 years. We don’t achieve bit-for-bit, but rather functional reproducibility:

https://github.com/stb-tester/apt2ostree?tab=readme-ov-fi...

Previously discussed here: https://lwn.net/Articles/821367/

I’m a big fan of lockfiles and reproducibility - the lack of which makes things so much harder to manage and reason about. I think it would be great if Debian were to embrace such an approach. Under that model apt would be responsible for creating a lockfile and downloading packages, and then dpkg would then be responsible for transitioning the running system to match the given lockfile.

I don’t have the will to pursue such a change in Debian myself though.

Lockfiles?

Posted Apr 18, 2025 23:35 UTC (Fri) by ras (subscriber, #33059) [Link] (2 responses)

If you want that level of reproducibility, why not just use images, local repositories, or docker files?

To me, apt's main job it to select a set of package versions that work together, and have the latest patches. Even that is damned hard, both in the computation sense (it's NP complete) and writing code that produces the correct result without driving the user made with "this is ambiguous, should I do this?" prompts.

I wrote my own Debian resolver to get a more limited sort of reproducibility. Debian's version ranges, dependency types like conflicts and requires, pins, virtual package names that nominate a collection of possible packages make the problem so difficult it almost did my head in. I wanted a way that took an existing system and moved it to a known state, where "known state" means I give it a list of packages of I wanted installed (and consequently their dependencies), point it to a static upstream repository, and regardless of the state of the existing system always end up with the same result.

It sounds so simple, nonetheless apt can't do it because where you end up depends on the starting state of the system. The (semi-obvious) precondition is to insist the user provide a set of packages the final system that can be resolved unambiguously. From that you end up with a list of packages, and only those packages that must be present on the system. But calculating that list from just the package names is a nightmare, particularly when combined with the requirement you give the user a actionable error message on by their list was ambiguous. I was ironing out corner cases I stumbled across literally years later. Despite that, I was very happy with it in the end. All my systems we guaranteed to be in the same state even though I just nominated package names without versions.

Back to lockfiles - the more I think about it, the less sense it makes. As I said, the whole point of apt is you give it package names, it chooses the versions. The problem that programmers are trying to solve with lockfiles - ensure those versions work together, is what apt is doing for you. If are prepared to do that manually just maintain an image that has exactly the versions you want.

Lockfiles?

Posted Apr 19, 2025 15:23 UTC (Sat) by MrWim (subscriber, #47432) [Link]

I prefer apt lock files because they behave more like source code than docker images. We use them for building docker images, and ostree rootfses.

They’re small, so you can store them in git. They’re descriptive, so git diff is meaningful. This has been really helpful in the past. An adb upgrade in Ubuntu broke something[^1] for our customers after we deployed a new image. We were able to track it down really quickly because the git diff said what the old version was, and what the new one is.

[^1]: can’t remember what now

Why reproducibility

Posted Apr 21, 2025 14:50 UTC (Mon) by SLi (subscriber, #53131) [Link]

Because you want reproducible but changeable. If you change one aspect, you want that aspect, to change, and nothing else to change randomly. You cannot get this with either filesystem images (you cannot get the result of "what if I had instead installed this version at the install time") nor with so called "functional reproducibility".

Automatic pager invocation

Posted Apr 17, 2025 0:44 UTC (Thu) by quotemstr (subscriber, #45331) [Link] (7 responses)

I must be the absolutely last person on earth who *doesn't* want random commands to invoke full-screen TUI pagers when I didn't ask for that. I'm already using a terminal emulator that does output pagination. I don't need an inferior text interface on top. I know I can just set PAGER=cat, but I'm grumpy.

Automatic pager invocation

Posted Apr 17, 2025 0:46 UTC (Thu) by dskoll (subscriber, #1630) [Link] (2 responses)

Yeah, I prefer manual control too, though something like apt ... whatever | cat should work too, because it probably only invokes the pager if standard output is a TTY.

Automatic pager invocation

Posted Apr 17, 2025 6:49 UTC (Thu) by epa (subscriber, #39769) [Link] (1 responses)

There's a missing middle ground between a full tty (where you can use cursor movement commands) and sending output to a file. Another example is Emacs's shell-mode. If it didn't return true to isatty() then gzip might write binary data to stdout, and other programs wouldn't prompt interactively. So it has to claim to be a tty, but then some tools want to run a pager or do cursor movement.

There should be a similar function isinteractive() provided by the C library and kernel somehow. When you create a pty you can specify whether it should be a full terminal (returning true to both isatty() and isinteractive()) or just a kind of interactive thingy (isinteractive=true but isatty=false). I guess if any computer museums are using real printing terminals they could also benefit from this. You don't want to run less(1) on your Teletype, though I guess more(1) could work.

Automatic pager invocation

Posted Apr 17, 2025 7:23 UTC (Thu) by neilbrown (subscriber, #359) [Link]

$TERM goes some way in that direction

Automatic pager invocation

Posted Apr 17, 2025 4:55 UTC (Thu) by interalia (subscriber, #26615) [Link] (2 responses)

Often I don't mind auto-paging but other times it is annoying and I have to pipe to cat as dskoll mentioned in their comment. Maybe it'd be nice if there was another environment variable AUTOPAGER=true or something which programs could consult on whether to use such default paging behaviour. But then we might still hit a problem if we want auto-paging in some programs but not others.

Automatic pager invocation

Posted Apr 17, 2025 8:29 UTC (Thu) by juliank (guest, #45896) [Link] (1 responses)

You can (un)set APT_PAGER, GIT_PAGER, SYSTEMD_PAGER, that all works (and they all respect PAGER if no specific variable is given)

Automatic pager invocation

Posted Apr 18, 2025 4:17 UTC (Fri) by interalia (subscriber, #26615) [Link]

Ah thanks, I did not know about that convention!

Automatic pager invocation

Posted Apr 17, 2025 13:01 UTC (Thu) by aragilar (subscriber, #122569) [Link]

This is presumably for the more human friendly interface `apt` rather than `apt-get` which apparently won't change so it can be scripted around. You could keep calling `apt-get` and not get the pager.

GnuPG strength comparison ed448 vs ed25519 fixed (since 2024-11-25)

Posted Apr 17, 2025 7:48 UTC (Thu) by ber (subscriber, #2142) [Link] (1 responses)

GnuPG 2.4.7 released on 2024-11-25 fixes the comparison (T7425).

It would be interesting to have more specific reports about the mentioned other "quality issues".

GnuPG strength comparison ed448 vs ed25519 fixed (since 2024-11-25)

Posted Apr 21, 2025 23:12 UTC (Mon) by dkg (subscriber, #55359) [Link]

The article already mentions the concerns that GnuPG is abandoning the OpenPGP standard. To my mind, that's a pretty serious quality issue (no scare quotes needed), because as soon as there's a major repository signed with modern OpenPGP signatures (i.e. using the definitions in RFC 9580), then depending on gpgv means signature validation failure. sqv (and at least two other OpenPGP implementations ready for debian trixie) already support the newer OpenPGP standards.

For the signature verification that apt is doing, gpgv also has a particularly unwieldy interface -- you can't just supply it with a signing keyring and a signed repository manifest (either InRelease on its own, or Release + Release.gpg) and check the return code to see whether the signature is valid. Instead, you have to ask gpgv for the "status file descriptor" (via --status-fd) and build a state machine to parse and reason about its output.

If you (or anyone) is interested in other quality issues that GnuPG upstream is declining to fix, you might also want to look through the fixes proposed in the FreePG project. I also encourage people with a C programming background to look at the codebase, which suffers from a lack of testing compared to the size of the interface it presents, and carries significant unresolved technical debt.

(disclaimer: i'm a co-chair of the OpenPGP working group in the IETF; one of the debian maintainers for GnuPG itself; a contributor to the FreePG project; the author of a wrapper around gpgv to make it conform to standardized signature verification semantics; a long-time contributor to GnuPG; and a sad observer of that project's apparently deliberate slide toward irrelevance for the free software ecosystem)

...but it is not going to be installed

Posted Apr 17, 2025 8:13 UTC (Thu) by taladar (subscriber, #68407) [Link] (6 responses)

Will this new version of APT finally get rid of the annoying "but it is not going to be installed" output when some dependency of a dependency is not satisfied where you have to then manually try installing the named package to figure out the reason it is not going to be installed, potentially dozens of times until you hit the actual problem?

...but it is not going to be installed

Posted Apr 17, 2025 8:31 UTC (Thu) by juliank (guest, #45896) [Link] (5 responses)

The 3.0 solver will print you two conflicting chains from the root each.

So

Unsatisfied dependencies:
exim4 : Depends: exim4-base (< 4.98.1-1ubuntu2.1) but it is not going to be installed
Depends: exim4-base (>= 4.98.1-1ubuntu2) but it is not going to be installed
Depends: exim4-daemon-light (>= 4.98.1-1ubuntu2) but it is not going to be installed or
exim4-daemon-heavy (>= 4.98.1-1ubuntu2) but it is not going to be installed or
exim4-daemon-custom (>= 4.98.1-1ubuntu2) but it is not installable

becomes:

Error: Unable to satisfy dependencies. Reached two conflicting decisions:
1. exim4:amd64=4.98.1-1ubuntu2 is selected for install
2. exim4:amd64=4.98.1-1ubuntu2 Depends exim4-daemon-light (>= 4.98.1-1ubuntu2) | exim4-daemon-heavy (>= 4.98.1-1ubuntu2) | exim4-daemon-custom (>= 4.98.1-1ubuntu2)
but none of the choices are installable:
- exim4-daemon-light:amd64=4.98.1-1ubuntu2 is not selected for install because:
1. postfix:amd64 is selected for install
2. postfix:amd64 Conflicts mail-transport-agent
[selected postfix:amd64]
- exim4-daemon-heavy:amd64=4.98.1-1ubuntu2 is not selected for install because:
1. postfix:amd64 is selected for install as above
2. postfix:amd64 Conflicts mail-transport-agent
[selected postfix:amd64]

...but it is not going to be installed

Posted Apr 17, 2025 8:32 UTC (Thu) by juliank (guest, #45896) [Link] (4 responses)

Sorry this lost formatting and it had no context: 
$ apt install postfix exim4
[...]
Unsatisfied dependencies:
 exim4 : Depends: exim4-base (< 4.98.1-1ubuntu2.1) but it is not going to be installed
         Depends: exim4-base (>= 4.98.1-1ubuntu2) but it is not going to be installed
         Depends: exim4-daemon-light (>= 4.98.1-1ubuntu2) but it is not going to be installed or
                  exim4-daemon-heavy (>= 4.98.1-1ubuntu2) but it is not going to be installed or
                  exim4-daemon-custom (>= 4.98.1-1ubuntu2) but it is not installable
Error: Unable to satisfy dependencies. Reached two conflicting decisions:
   1. exim4:amd64=4.98.1-1ubuntu2 is selected for install
   2. exim4:amd64=4.98.1-1ubuntu2 Depends exim4-daemon-light (>= 4.98.1-1ubuntu2) | exim4-daemon-heavy (>= 4.98.1-1ubuntu2) | exim4-daemon-custom (>= 4.98.1-1ubuntu2)
      but none of the choices are installable:
      - exim4-daemon-light:amd64=4.98.1-1ubuntu2 is not selected for install because:
        1. postfix:amd64 is selected for install
        2. postfix:amd64 Conflicts mail-transport-agent
           [selected postfix:amd64]
      - exim4-daemon-heavy:amd64=4.98.1-1ubuntu2 is not selected for install because:
        1. postfix:amd64 is selected for install as above
        2. postfix:amd64 Conflicts mail-transport-agent
           [selected postfix:amd64]

...but it is not going to be installed

Posted Apr 17, 2025 10:25 UTC (Thu) by IanKelling (subscriber, #89418) [Link]

This is excellent. Thank you for the great work.

...but it is not going to be installed

Posted Apr 18, 2025 18:21 UTC (Fri) by niner (subscriber, #26151) [Link] (2 responses)

Does it not ask the user how to resolve the conflict?

...but it is not going to be installed

Posted Apr 18, 2025 20:23 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (1 responses)

In a simple case like this, "resolving" the conflict is just a matter of deleting one of the command line arguments, so it's minimally useful. In the general case, "resolving" the conflict might be arbitrarily complicated because you started dependency solving under the system's original configuration, the resolution would (presumably) entail adding or removing one or more packages, and then that might invalidate some or all of the solving you've already done, so now you have to backtrack all the way to the selected packages and start over with the new configuration. Then you might encounter another conflict, and need to prompt the user for another resolution. Eventually, you might ask the user a question to which they do not immediately know the correct answer, so now they want to pull up a man page (or examine some config file, or whatever), and have to switch to a different terminal (on pain of losing all their progress so far if apt exits).

At that point, it's worth asking whether interactive resolution would add much value as compared to dumping the user back to the shell and letting them iteratively resolve the conflict one step at a time. The (modern) shell is already designed for executing similar commands repeatedly, so what exactly is the user gaining from an interactive procedure?

...but it is not going to be installed

Posted Apr 19, 2025 9:03 UTC (Sat) by niner (subscriber, #26151) [Link]

You make a compelling case for why it would not make sense, yet interactive conflict solving is exactly what zypper does and what I use quite often on my main machine running openSUSE. It tells you there's a conflict, gives you the list of possible solutions, you press the number and it continues happily.

Dark mode?

Posted Apr 24, 2025 18:57 UTC (Thu) by surinameclubcard (guest, #139470) [Link] (1 responses)

Had to ask it.

Dark mode?

Posted Apr 27, 2025 2:44 UTC (Sun) by cbushey (guest, #142134) [Link]

Nice one. Had to answer.


Copyright © 2025, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds