On modern Debian/Ubuntu systems, apt is the user‑facing command that wraps
apt-get and apt-cache with better defaults and nicer output.
For scripts, many admins still prefer apt-get because its behavior is more stable
across releases.
Common apt commands
# Update package index
sudo apt update
# Upgrade installed packages
sudo apt upgrade
# Full upgrade (handles dependencies, removals)
sudo apt full-upgrade
# Install a package
sudo apt install nginx
# Remove a package
sudo apt remove nginx
# Remove with config files
sudo apt purge nginx
Equivalent apt-get usage
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo apt-get install nginx
Use apt interactively, and apt-get in scripts where you want
behavior that changes less between releases.
Unattended upgrades automatically install security updates (and optionally other updates) on a
schedule. This is critical for internet‑facing servers that can’t rely on manual patching alone.
Install unattended-upgrades
sudo apt update
sudo apt install unattended-upgrades
Enable automatic updates
sudo dpkg-reconfigure unattended-upgrades
This creates or updates configuration in:
/etc/apt/apt.conf.d/20auto-upgrades
/etc/apt/apt.conf.d/50unattended-upgrades
Example: auto-upgrades config
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Start with security updates only. Expanding to all updates is possible but should be tested
carefully on non‑production systems first.
Pinning lets you control which versions or which repositories are preferred for specific
packages. This is useful when you need to hold a package at a known‑good version or prefer a
backports repository for one component.
Hold a package at current version
# Prevent automatic upgrades of a package
sudo apt-mark hold nginx
# Allow upgrades again
sudo apt-mark unhold nginx
Pinning with preferences file
Create or edit:
sudo nano /etc/apt/preferences.d/custom-pinning
Example: prefer a specific version
Package: nginx
Pin: version 1.24.*
Pin-Priority: 1001
Example: prefer a specific release pocket
Package: *
Pin: release a=focal-updates
Pin-Priority: 500
Pinning is powerful and easy to misuse. Document every pin and hold so future you (or someone
else) knows why it exists.
Over time, package caches and unused dependencies consume disk space. Regular cleanup keeps
systems lean and reduces surprises on small disks or VPS instances.
Remove unused dependencies
sudo apt autoremove
Clean downloaded package files
# Remove retrieved package files (.deb) from cache
sudo apt clean
# Remove only obsolete package files
sudo apt autoclean
Inspect cache size
du -sh /var/cache/apt/archives
On production systems, avoid aggressive cleaning right before a maintenance window where you
might need to roll back quickly using cached packages.
Debian and Ubuntu packages are signed with GPG keys. The system verifies these signatures
before installing or upgrading packages. When keys are missing or expired, you’ll see warnings
or errors about unauthenticated packages.
Check repository keys
apt-key list # legacy, being phased out
ls /etc/apt/trusted.gpg.d/
Modern keyring usage
Newer systems use keyrings referenced directly in sources.list entries:
deb [signed-by=/usr/share/keyrings/example.gpg] \
http://repo.example.com/debian stable main
Simulate an install to see signature checks
sudo apt install --simulate nginx
Never bypass signature warnings by using --allow-unauthenticated on production
systems. Fix the key or repository configuration instead.