How to block package and kernel updates in Debian

In this guide, you’ll learn how to block package and kernel updates in Debian using different commands. Blocking kernel packages and auto-updates is crucial to learning package management. So let’s get started!

Prerequisites

For this tutorial, you’ll need a Debian or Ubuntu machine. You’ll also need root privilege or sudo access to the machine.

How to Block Package and Kernel Updates in Debian

Debian-based Linux systems use the APT package manager to manage application updates. To update APT packages, we use the update and upgrade commands:

sudo apt update 
sudo apt upgrade

Similarly, we can use several commands to block the package and kernel updates.

How to Block Package and Kernel Updates in Debian Using the Apt Mark Command

The apt-mark command changes the settings recorded for a software package, including whether it is held back from automatic updates. We usually use this command with two options: hold and unhold.

The hold option blocks the updates and prevents them from being installed, upgraded, or removed. On the other hand, the unhold option allows the package to be installed, updated, upgraded, and removed.

To use this command, input the following command:

sudo apt-mark hold <package name>

For instance, to hold the zip package, we’d write:

sudo apt-mark hold zip

To unhold the package, use the unhold option. Specifically, write:

sudo apt-mark unhold zip
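
A hold stays in place until it is removed, so it is worth checking which held packages are falling behind. The script below is an added example, not part of the original guide: it compares saved output of apt-mark showhold with saved output of apt list --upgradable. The function name, file names and sample versions are constructed for illustration, and native-architecture package names are assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): list held packages that have
# an upgrade waiting. The input files hold saved command output:
#   apt-mark showhold      > holds.txt
#   apt list --upgradable  > upgradable.txt

# held_pending HOLDS UPGRADABLE
# Prints "<package> <installed> -> <candidate>" for every held package
# that also appears in the upgradable list.
held_pending() {
    awk '
        NR == FNR { if ($1 != "") held[$1] = 1; next }   # first file: holds
        /\[upgradable from: / {
            split($1, name, "/")                 # "zip/stable" -> "zip"
            installed = $NF
            sub(/\]$/, "", installed)            # drop the closing bracket
            if (name[1] in held)
                print name[1], installed, "->", $2
        }
    ' "$1" "$2"
}

# Constructed sample data (package versions are made up).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' zip linux-image-amd64 > "$tmp/holds.txt"
cat > "$tmp/upgradable.txt" <<'EOF'
Listing... Done
curl/stable-security 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]
linux-image-amd64/stable-security 6.1.76-1 amd64 [upgradable from: 6.1.69-1]
EOF

held_pending "$tmp/holds.txt" "$tmp/upgradable.txt"
```

Here zip is held but has nothing pending, while the held kernel metapackage is reported with its installed and candidate versions.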

Block Package Using the Exclude Option

Another way to skip packages during an update is the --exclude option. This is an option of dnf, the package manager on RPM-based distributions; apt has no --exclude option, so on Debian use apt-mark hold (above) or the preferences file (below) instead. With dnf, the option takes a comma-separated list of packages, or a quoted pattern.

Input:

sudo dnf update --exclude=gcc,php
sudo dnf update --exclude='gcc*' --exclude='php*'

Block Package Using the APT Preference File

An alternative way to block kernel and package updates is to add its entry in a system file. That system file in Debian is located at /etc/apt/preferences. However, if you want to access the specific preferences file, its path is /etc/apt/preferences.d/official-package-repositories.pref

First, open the file using your favorite text editor:

# nano text editor
sudo nano /etc/apt/preferences
#vi text editor
sudo vi /etc/apt/preferences

In this file, you’ll assign a priority to each package. Any priority less than 0 will block this package from being updated. In the Package field, '*' means all packages. The entry in the file looks something like this:

Package: <package name>
Pin: release *
Pin-Priority: <less than 0>

For instance, if we want to block the gcc package, we’d type the following lines, using a priority below 0 such as -1:

Package: gcc
Pin: release *
Pin-Priority: -1

Make sure to replace the <package name> and set a priority. Lastly, press “Ctrl + S” to save the file and “Ctrl + X” to exit the text editor. 
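
To review which packages a preferences file blocks, the script below reads its stanzas and classifies each priority. It is an added example, not part of the original guide; the function name and the sample file are constructed. It also flags a priority of exactly 0, which apt_preferences(5) describes as undefined behaviour rather than a block.

```shell
#!/bin/sh
# Added example (not from the original guide): audit APT preferences stanzas.
# On a real system, run it over the live files:
#   audit_pins /etc/apt/preferences /etc/apt/preferences.d/*

# audit_pins FILE... prints "<status> <priority> <package>" per stanza:
#   blocked    Pin-Priority < 0, the version is never installed
#   undefined  Pin-Priority 0, which apt_preferences(5) says not to use
#   ok         any positive priority
audit_pins() {
    awk '
        function emit() {
            if (pkg != "" && have) {
                status = (prio < 0) ? "blocked" : (prio == 0) ? "undefined" : "ok"
                print status, prio, pkg
            }
            pkg = ""; have = 0
        }
        FNR == 1         { emit() }              # new file starts a new stanza
        /^[ \t]*$/       { emit(); next }        # a blank line ends a stanza
        /^Package:/      { sub(/^Package:[ \t]*/, ""); pkg = $0; next }
        /^Pin-Priority:/ { sub(/^Pin-Priority:[ \t]*/, ""); prio = $0 + 0; have = 1 }
        END              { emit() }
    ' "$@"
}

# Constructed sample preferences file.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Package: gcc
Pin: release *
Pin-Priority: -1

Package: zip
Pin: release *
Pin-Priority: 0

Package: *
Pin: release a=stable
Pin-Priority: 900
EOF

audit_pins "$sample"
```

After changing a pin, apt-cache policy <package name> shows the priority that apt actually applies to each available version.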

How to Block Package and Kernel Updates in Debian Using the APT Autoremove File

One more method to blocklist the kernel and package updates is to update its entry in the autoremove configuration file located at /etc/apt/apt.conf.d/01autoremove.

Open this file using the text editor as shown below:

# nano text editor
sudo nano /etc/apt/apt.conf.d/01autoremove
# vi text editor
sudo vi /etc/apt/apt.conf.d/01autoremove

Add the following lines of code to the file:

APT
{
  NeverAutoRemove
  {
        "^firmware-linux.*";
        "^linux-firmware$";
  };
  VersionedKernelPackages
  {
        # linux kernels
        "linux-image";
        "linux-headers";
        "linux-image-extra";
        "linux-signed-image";
        # kfreebsd kernels
        "kfreebsd-image";
        "kfreebsd-headers";
        # hurd kernels
        "gnumach-image";
        # (out-of-tree) modules
        ".*-modules";
        ".*-kernel";
        "linux-backports-modules-.*";
        # tools
        "linux-tools";
  };

Never-MarkAuto-Sections
  {
        "metapackages";
        "restricted/metapackages";
        "universe/metapackages";
        "multiverse/metapackages";
        "oldlibs";
        "restricted/oldlibs";
        "universe/oldlibs";
        "multiverse/oldlibs";
        "apache2*";
  };
};

In the end, add the package you want to block. For example:

APT
{
  NeverAutoRemove
  {
        "^firmware-linux.*";
        "^linux-firmware$";
  };
  VersionedKernelPackages
  {
        # linux kernels
        "linux-image";
        "linux-headers";
        "linux-image-extra";
        "linux-signed-image";
        # kfreebsd kernels
        "kfreebsd-image";
        "kfreebsd-headers";
        # hurd kernels
        "gnumach-image";
        # (out-of-tree) modules
        ".*-modules";
        ".*-kernel";
        "linux-backports-modules-.*";
        # tools
        "linux-tools";
  };

Never-MarkAuto-Sections
  {
        "metapackages";
        "restricted/metapackages";
        "universe/metapackages";
        "multiverse/metapackages";
        "oldlibs";
        "restricted/oldlibs";
        "universe/oldlibs";
        "multiverse/oldlibs";
        "apache2*";
        "gcc";
  };
};

Now press “Ctrl + S” and “Ctrl + X” to save and exit the editor. Lastly, reboot the system using the reboot command to implement the changes.

Now, try updating the package using this command:

sudo apt update gcc

And you’ll get an error.

Block an Entire Repository from Updating

To block an entire repository, use the --disablerepo option. This is a dnf option for RPM-based systems; apt has no --disablerepo option. For this method, first, get the repo list using the dnf repolist command. Specifically, type:

dnf repolist

After that, add the --disablerepo option to the dnf update command. For example:

sudo dnf update --disablerepo=gcc

To disable multiple repositories, separate the names with commas, without spaces, as seen below:

sudo dnf update --disablerepo=gcc,php

Block Packages by Selecting Custom Packages in Update

Apart from the previous methods, you can also block package and kernel updates by selectively updating the packages. Since you won’t update all the packages, the ones that you want to block won’t get updated. For this method, first, find the pending package by executing the command given below:

sudo apt-get -u -V upgrade

After that, specify the package you want to update:

sudo apt-get --only-upgrade install <package name>

Make sure to replace the package name with the package you want to update. 

Block Package Updates Using the Repository File

You can also block the kernel and package updates from the repository file located at the /etc/yum.repos.d path, which is where dnf reads its repository files. For this method, first, open the file:

# nano text editor
sudo nano /etc/yum.repos.d/epel.repo
# vi text editor
sudo vi /etc/yum.repos.d/epel.repo

After that, add the following lines of code:

[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
…

After that, make sure to change the value of enabled to 0. Press “Ctrl + S” to save and “Ctrl + X” to exit the text editor. Now, if you try updating the package, you’ll get the error.

And that’s a wrap! We’ve looked at how you can block packages and kernel updates in Debian and Debian-based Linux machines. So you can try any method to blocklist the packages from being updated. If you have any questions regarding this topic, don’t hesitate to leave a comment below.
