Repositories, PPAs, and Backports#

Concepts#

What Is a Repository?#

A repository (or “repo”) is a server that hosts packages. When you run apt update, APT downloads the package index from your configured repositories. When you run apt install, it downloads the package from one of those repositories.

Your system knows which repositories to use from the configuration in:

Ubuntu 24.04: /etc/apt/sources.list.d/ubuntu.sources (new DEB822 format)

Debian 12: /etc/apt/sources.list (traditional one-line format)

Repository Configuration — Debian 12#

Debian uses the traditional format in /etc/apt/sources.list:

deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

Each line breaks down as:

deb  [URL]  [release]  [components...]
│     │       │          │
│     │       │          └─ main, contrib, non-free, non-free-firmware
│     │       └─ bookworm, bookworm-updates, bookworm-security
│     └─ Repository URL
└─ Binary packages (deb-src = source packages)

Components:

  • main — free software, officially supported
  • contrib — free software that depends on non-free packages
  • non-free — proprietary software (e.g., some firmware, drivers)
  • non-free-firmware — proprietary firmware (new in Debian 12)

Repository Configuration — Ubuntu 24.04#

Ubuntu 24.04 uses the newer DEB822 format in /etc/apt/sources.list.d/ubuntu.sources:

Types: deb
URIs: http://archive.ubuntu.com/ubuntu
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Ubuntu components:

  • main — free software, supported by Canonical
  • restricted — proprietary drivers needed for hardware support
  • universe — community-maintained free software (vast — thousands of packages)
  • multiverse — software with usage restrictions (codecs, etc.)

Adding Third-Party Repositories#

Sometimes you need software that is not in the official repositories (newer versions, proprietary software, etc.).

PPAs (Ubuntu Only)#

A PPA (Personal Package Archive) is a repository hosted on Launchpad, usually maintained by a developer or team. PPAs provide packages that are not in the official Ubuntu repos or newer versions of existing packages.

# Add a PPA
sudo add-apt-repository ppa:owner/ppa-name
sudo apt update
sudo apt install package-name

# Example: add the deadsnakes PPA for newer Python versions
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt install python3.12

# Remove a PPA
sudo add-apt-repository --remove ppa:owner/ppa-name
sudo apt update

PPAs are Ubuntu-specific — they do not work on Debian.

Warning: PPAs are third-party. The packages are not reviewed by Ubuntu. Only add PPAs from sources you trust.

Manual Third-Party Repositories (Both Distros)#

Software vendors (Docker, Node.js, Visual Studio Code, etc.) provide their own repositories. The process follows a pattern:

  1. Download the vendor’s GPG key (verifies package authenticity)
  2. Add the repository URL
  3. Update and install

Usually instructions on how to do this are provided by the vendor itself in the install page. See this example from Docker

Example: adding Docker’s official repository:

# 1. Install prerequisites
sudo apt install -y ca-certificates curl

# 2. Download and store the GPG key
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  -o /etc/apt/keyrings/docker.asc

# 3. Add the repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
  https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# 4. Update and install
sudo apt update
sudo apt install docker-ce

Debian: Replace ubuntu with debian in the URL and use the Debian codename (e.g., bookworm).

Backports#

Backports are newer versions of packages recompiled for the current stable release.

Debian backports: Packages from Debian Testing/Unstable rebuilt for Stable. Not installed by default — you must explicitly request them.

Ubuntu backports: The noble-backports suite. Enabled by default but packages are not auto-installed.

# Install a package from Debian backports
sudo apt install -t bookworm-backports package-name

# Install a package from Ubuntu backports
sudo apt install -t noble-backports package-name

To enable Debian backports (if not already):

echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free" | \
  sudo tee /etc/apt/sources.list.d/backports.list
sudo apt update

APT Pinning (Brief Overview)#

When multiple repositories provide the same package, APT uses priorities to decide which version to install. You can control this with pinning in /etc/apt/preferences.d/:

Package: *
Pin: release a=bookworm-backports
Pin-Priority: 200

Lower priority means the package is only installed if explicitly requested (-t). Higher priority (>500) means it is preferred automatically. The default priority is 500.

Pinning is an advanced topic — for now, just know it exists and is how you prevent a third-party repository from accidentally overriding system packages.

Security — GPG Keys#

Every repository signs its packages with a GPG key. APT verifies these signatures before installing anything. If a package cannot be verified, APT warns you.

# List trusted keys
apt-key list              # deprecated but still shows keys
ls /etc/apt/keyrings/     # modern location for GPG keys
ls /usr/share/keyrings/   # system keyrings

# Never use --allow-unauthenticated in production
# It disables signature verification — packages could be tampered with

Lab#

Exercise 1: Examine Your Repositories# 

# Ubuntu 24.04
cat /etc/apt/sources.list.d/ubuntu.sources 2>/dev/null

# Debian 12
cat /etc/apt/sources.list 2>/dev/null

# List all configured sources
apt policy

Exercise 2: Check Where a Package Comes From# 

# See which repository provides a package
apt policy bash
apt policy firefox

# The output shows:
# - Installed version
# - Candidate (version that would be installed)
# - Version table with repository sources

Exercise 3: Add and Use a PPA (Ubuntu Only)# 

# Check if add-apt-repository is available
which add-apt-repository

# If not installed:
# sudo apt install software-properties-common

# Add the git-core PPA (provides latest git)
sudo add-apt-repository ppa:git-core/ppa
sudo apt update

# Check the new version available
apt policy git

# Install/upgrade git
sudo apt install git

# Clean up — remove the PPA
sudo add-apt-repository --remove ppa:git-core/ppa
sudo apt update

Exercise 4: List Files in a Repository Configuration# 

# See all repository files
ls /etc/apt/sources.list.d/

# See all keyrings
ls /etc/apt/keyrings/ 2>/dev/null
ls /usr/share/keyrings/

Exercise 5: Work with Backports# 

# Check if backports are configured
apt policy | grep backports

# Search for a package in backports
apt list -a package-name 2>/dev/null
# Look for versions marked with backports suite

# On Debian, enable backports if not present:
# echo "deb http://deb.debian.org/debian bookworm-backports main" | \
#   sudo tee /etc/apt/sources.list.d/backports.list
# sudo apt update

Exercise 6: Practice apt policy# 

# See the priority system in action
apt policy

# Check specific packages
apt policy python3
apt policy linux-image-generic 2>/dev/null  # Ubuntu
apt policy linux-image-amd64 2>/dev/null    # Debian

# Notice the priority numbers (500 = default, 100 = backports, etc.)

Review#

1. What is a repository?

A server that hosts .deb packages and their metadata. APT downloads package lists from configured repositories with apt update and downloads packages from them with apt install.

2. What are the Debian repository components and what does each contain?
  • main: Free software, officially supported by the Debian Project
  • contrib: Free software that depends on non-free packages
  • non-free: Proprietary software
  • non-free-firmware: Proprietary firmware (hardware drivers)
3. What is a PPA and which distro supports it?

A PPA (Personal Package Archive) is a third-party repository hosted on Launchpad, typically maintained by a developer or team. PPAs are Ubuntu-specific and do not work on Debian.

4. What are backports?

Newer versions of packages recompiled for the current stable release. They let you get newer software without upgrading your entire system. Packages from backports must be explicitly requested — they are not installed automatically.

5. What is the purpose of GPG keys in APT?

GPG keys verify that packages come from a trusted source and have not been tampered with. APT checks the cryptographic signature of every package before installing it. This prevents man-in-the-middle attacks and compromised mirrors from delivering malicious packages.

6. What is the general process for adding a third-party repository?
  1. Download and store the vendor’s GPG key (to /etc/apt/keyrings/)
  2. Add the repository URL to a file in /etc/apt/sources.list.d/
  3. Run sudo apt update to refresh the package index
  4. Install the package with sudo apt install

Previous: APT and dpkg | Next: Snap, Flatpak, and AppImage