Day 8 - Package Management with apt, dnf, and pacman

2025-09-288 min read

linuxpackagesaptdnfpacmanrpmdebrepos

Day8 pacman

This lesson explains how Linux distributions deliver software through repositories and package managers. It covers searching, installing, removing, updating, verifying, viewing history, cleaning caches, and basic repository configuration for the three major families: Debian or Ubuntu (apt), Fedora or RHEL family (dnf and rpm), and Arch Linux (pacman).

Key ideas

A package is an archive with files and metadata. A repository hosts signed packages and an index. A package manager downloads, verifies signatures, installs files, and tracks their ownership for removal and upgrades.

Prerequisites

  • Day 1 through Day 7 completed
  • Terminal with sudo privileges

Update package indexes and the system

bash
# Debian or Ubuntu
sudo apt update
sudo apt upgrade -y        # safe upgrades
sudo apt full-upgrade -y   # allow dependency changes and removals when needed

# Fedora or RHEL family
sudo dnf upgrade -y

# Arch Linux
sudo pacman -Syu

Notes:

  • Run the index update before searching or installing so results are current.
  • On Ubuntu, full-upgrade handles kernel and metapackage transitions better during major updates.

Search for software

bash
# Debian or Ubuntu
apt search nginx | head -20
apt policy nginx            # show candidate version and repositories
apt show nginx              # detailed metadata

# Fedora or RHEL family
dnf search nginx | head -20
dnf info nginx

dnf provides \*/nginx      # which package ships a given file

# Arch Linux
pacman -Ss nginx | head -20
pacman -Si nginx
Find which package owns a file on the system
  • Debian or Ubuntu: dpkg -S /path/to/file
  • Fedora or RHEL family: rpm -qf /path/to/file
  • Arch Linux: pacman -Qo /path/to/file

Install and remove packages

bash
# Debian or Ubuntu
sudo apt install -y nginx
sudo apt remove -y nginx        # keep configs
sudo apt purge -y nginx         # remove configs
sudo apt autoremove -y          # remove unused dependencies

# Fedora or RHEL family
sudo dnf install -y nginx
sudo dnf remove -y nginx
sudo dnf autoremove -y

# Arch Linux
sudo pacman -S nginx
sudo pacman -R nginx            # remove package, keep dependencies
sudo pacman -Rs nginx           # remove package and unneeded deps
sudo pacman -Rns nginx          # also remove config files stored under /etc

List package contents before installing or after installation.

bash
# Debian or Ubuntu
apt file nginx 2>/dev/null || true          # requires apt-file if not installed
sudo apt install -y apt-file && apt-file update
apt-file list nginx | head

dpkg -L nginx | head

# Fedora or RHEL family
rpm -ql nginx | head

# Arch Linux
pacman -Ql nginx | head
Service effects

Installing a server package may start a service immediately. Check with systemctl status nginx after installation, and adjust the firewall before exposing ports.

Verify signatures and provenance

All three families verify cryptographic signatures when installing from configured repositories.

  • Debian or Ubuntu: repository keys live in keyring files such as /usr/share/keyrings/*.gpg. Prefer signed repositories and per repository keyrings over the old apt-key method.
  • Fedora or RHEL family: GPG public keys are imported to the RPM keyring. Packages are signed and verified by dnf and rpm.
  • Arch Linux: pacman uses package signatures and a system keyring. Initialize and refresh if needed with pacman-key --init and pacman-key --populate.

Manual verification examples:

bash
# RPM: verify a downloaded .rpm file
rpm -K --checksig package.rpm

# DEB: show metadata of a .deb (signature is verified at install time)
dpkg-deb --info package.deb
Avoid curl | bash installers

Prefer official repositories or signed packages. Pipe installers are hard to audit and bypass package databases, which breaks clean removal and updates.

Manage repositories

Debian or Ubuntu

  • Sources live in /etc/apt/sources.list and /etc/apt/sources.list.d/*.list.
  • To add a repository with its own keyring:
bash
# example pattern for a third party repo
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://example.com/repo.gpg | sudo tee /etc/apt/keyrings/example.gpg >/dev/null
printf 'deb [signed-by=/etc/apt/keyrings/example.gpg] https://example.com/apt stable main\n' | \
  sudo tee /etc/apt/sources.list.d/example.list >/dev/null
sudo apt update
  • Remove a repository by deleting the .list file and the keyring, then run sudo apt update.

Fedora or RHEL family

  • Repository files live in /etc/yum.repos.d/*.repo.
  • Enable or disable a repo:
bash
sudo dnf config-manager --set-enabled updates
sudo dnf config-manager --set-disabled some-repo
  • Import a GPG key only from trusted sources:
bash
sudo rpm --import https://example.com/RPM-GPG-KEY-example

Arch Linux

  • Mirrors live in /etc/pacman.d/mirrorlist. The main repo list lives in /etc/pacman.conf.
  • Enable an extra repo by uncommenting a section in pacman.conf, then run sudo pacman -Syu.
AUR note for Arch users

The Arch User Repository contains community build recipes. It is outside official support and requires building from source. Use helpers like yay with care, review PKGBUILDs, and prefer official repos when possible.

Hold, pin, and version

Sometimes a specific version is required or a package should not upgrade automatically.

  • Debian or Ubuntu: hold a package, or pin versions.
bash
# simple hold
sudo apt-mark hold nginx
sudo apt-mark unhold nginx

# pin a version (example)
printf "Package: nginx\nPin: version 1.24.*\nPin-Priority: 1001\n" | sudo tee /etc/apt/preferences.d/pin-nginx >/dev/null
sudo apt update
  • Fedora or RHEL family: use dnf versionlock plugin.
bash
sudo dnf install -y 'dnf-command(versionlock)'
sudo dnf versionlock add nginx-1.24.*
sudo dnf versionlock list
  • Arch Linux: set IgnorePkg= in /etc/pacman.conf.
ini
# in /etc/pacman.conf
IgnorePkg = nginx
Pinning trade offs

Pinning or holding packages can block security updates. Document any holds and review them regularly.

View history and recent changes

bash
# Debian or Ubuntu
grep -E ' install | upgrade | remove ' /var/log/dpkg.log | tail -50

# Fedora or RHEL family
dnf history

# Arch Linux: explicitly installed packages and orphans
pacman -Qe | sort | head -20
pacman -Qdt    # orphaned dependencies
Roll back with DNF

dnf history undo <ID> can attempt to undo a transaction. Use with care and read the preview.

Clean caches and free space

bash
# Debian or Ubuntu
sudo apt autoremove -y
sudo apt autoclean -y     # remove old .deb files for packages no longer available
sudo apt clean            # remove all cached .deb files

# Fedora or RHEL family
sudo dnf autoremove -y
sudo dnf clean packages   # or `dnf clean all` to remove metadata as well

# Arch Linux
sudo pacman -Sc           # keep one previous version of packages
sudo pacman -Scc          # remove all caches (prompts twice)

Check space usage after cleanup with df -hT and du -sh /var/cache/*.

Practical lab

Complete these tasks on the target distribution. Run the equivalent commands on the others if available.

  1. Update indexes and upgrade.
bash
sudo apt update && sudo apt upgrade -y || sudo dnf upgrade -y || sudo pacman -Syu
  1. Search for a tool, install it, list its files, and verify the owning package of a binary.
bash
# example uses jq
apt search jq 2>/dev/null | head -10 || dnf search jq 2>/dev/null | head -10 || pacman -Ss jq 2>/dev/null | head -10
sudo apt install -y jq || sudo dnf install -y jq || sudo pacman -S jq

# list package contents
dpkg -L jq 2>/dev/null | head || rpm -ql jq 2>/dev/null | head || pacman -Ql jq 2>/dev/null | head

# which package owns the jq binary
dpkg -S $(command -v jq) 2>/dev/null || rpm -qf $(command -v jq) 2>/dev/null || pacman -Qo $(command -v jq) 2>/dev/null
  1. Hold or version lock the package, then remove the lock.
bash
sudo apt-mark hold jq 2>/dev/null || sudo dnf versionlock add jq 2>/dev/null || true
sudo apt-mark unhold jq 2>/dev/null || sudo dnf versionlock delete jq 2>/dev/null || true
  1. Remove the package and clean caches.
bash
sudo apt remove -y jq && sudo apt autoremove -y || \
  sudo dnf remove -y jq && sudo dnf autoremove -y || \
  sudo pacman -Rns jq

sudo apt clean 2>/dev/null || sudo dnf clean packages 2>/dev/null || sudo pacman -Sc --noconfirm

Troubleshooting

  • Package not found after network changes. Run an index update and verify DNS and connectivity.
  • Hash sum mismatch on Ubuntu. Mirror sync likely in progress. Run sudo apt clean && sudo apt update or switch mirrors.
  • GPG key error. Install or refresh the repository key from a trusted source and run the update again.
  • Conflicting packages. Read the message and remove or replace the conflicting package before installing the new one.
  • Locked database. Ensure no other package tool is running. On Debian or Ubuntu, wait for unattended upgrades or remove stale lock files only after checking that no apt or dpkg process is active.

Next steps

Day 9 introduces networking basics. It covers ip addr and ip route, testing connectivity with ping and curl, DNS queries with dig or nslookup, and inspecting sockets with ss.