1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
|
apt (3.1.10) unstable; urgency=medium
The new solver is now the default.
The new --cli-version option requests a specific CLI version, i.e.
makes apt(8) try to behave like that version of apt. Accordingly,
if specified, apt no longer warns about unstable interfaces.
See the apt(8) manual page for more details.
-- Julian Andres Klode <jak@debian.org> Sat, 25 Oct 2025 17:27:38 +0200
apt (2.9.24) unstable; urgency=medium
/etc/apt/trusted.gpg is no longer trusted. Setting the Dir::Etc::trusted
option manually continues to work for some more time.
sources.list(5) entries without the Signed-By field are deprecated;
migrate any legacy entries to the deb822 .sources format. See the
apt-secure(8) manual page for best practices for signer configuration.
This deprecates the /etc/apt/trusted.gpg.d directory.
-- Julian Andres Klode <jak@debian.org> Tue, 21 Jan 2025 12:17:36 +0100
apt (2.9.19) unstable; urgency=medium
This release switches to OpenSSL for hashing and TLS, replacing the
GnuTLS and gcrypt libraries.
This release switches to Sequoia for OpenPGP verification on supported
Debian platforms. A Sequoia policy override enabling SHA1 self-signatures
until 2026 is included. To override the policy, the following environment
variables and files are considered:
* The APT_SEQUOIA_CRYPTO_POLICY environment variable, and failing that:
- /etc/crypto-policies/back-ends/apt-sequoia.config,
- /var/lib/crypto-config/profiles/current/apt-sequoia.config
* The SEQUOIA_CRYPTO_POLICY environment variable, and failing that:
- /etc/crypto-policies/back-ends/sequoia.config
- /var/lib/crypto-config/profiles/current/sequoia.config
-- Julian Andres Klode <jak@debian.org> Mon, 23 Dec 2024 12:16:22 +0100
apt (2.9.15) unstable; urgency=medium
This release stops using apt-key to verify the signatures.
Final call to stop using it before it's gone next week.
Please note that due to the switch to internal verification, APT now
has the same requirements on files in trusted.gpg.d as for other .d
directories: Only alphanumerical characters, '_', '-', ':' and '.'
are supported, other characters such as '@' cause the file to silently
be ignored.
-- Julian Andres Klode <jak@debian.org> Thu, 28 Nov 2024 19:31:24 +0100
apt (2.9.11) unstable; urgency=medium
The ftp, rsh, and ssh methods have been removed. They have been unsupported
and disabled since 1.8. Please, migrate to http(s) instead, or contribute
an sftp method.
If you need ad hoc access to a remote repository, you can usually run
`python3 -m http.server` on that machine and use SSH port forwarding to
run HTTP over SSH.
-- Julian Andres Klode <jak@debian.org> Thu, 07 Nov 2024 14:02:07 +0100
apt (2.5.2) unstable; urgency=medium
Installing or upgrading a binary package now upgrades other binaries from
the same source package if they have the same candidate version. You can
disable this by setting `APT::Get::Upgrade-By-Source-Package` to `false`.
-- Julian Andres Klode <juliank@ubuntu.com> Sun, 24 Jul 2022 15:45:15 +0200
apt (2.4.0) unstable; urgency=medium
GPG verification now first tries only the trusted.gpg.d keys, before
then falling back to the legacy trusted.gpg keyring and issuing a
warning to migrate keys if verification succeeded in the fallback.
-- Julian Andres Klode <jak@debian.org> Tue, 22 Feb 2022 20:01:00 +0100
apt (2.3.12) unstable; urgency=medium
The solver will no longer try to remove Essential or Protected packages,
any dependency problem that would need such a solution will have to be
resolved manually.
The "Yes, do as I say" prompt for removing essential packages has been
replaced by an error message. The appropriate command-line option needs
to be used instead.
Thank you to Linus Tech Tips and System76 for bringing this issue
to our attention.
-- Julian Andres Klode <jak@debian.org> Wed, 17 Nov 2021 18:26:40 +0100
apt (2.1.16) unstable; urgency=medium
Automatically remove unused kernels on apt {dist,full}-upgrade. To revert
to previous behavior, set APT::Get::AutomaticRemove::Kernels to false or
pass --no-auto-remove to the command. apt-get remains unchanged.
Packages files can now set the Phased-Update-Percentage field to restrict
update rollout to a specified percentage of machines. Previously, this has
only been available to users of Ubuntu's update-manager tool. See
apt_preferences(5) for details and how to configure multiple systems to get
the same updates. Phased updates are disabled in chroots for now to not
break buildd-style setups.
-- Julian Andres Klode <jak@debian.org> Fri, 08 Jan 2021 22:01:50 +0100
apt (1.9.11) experimental; urgency=medium
apt(8) now waits for the lock indefinitely if connected to a tty, or
for 120 seconds if not.
-- Julian Andres Klode <jak@debian.org> Wed, 26 Feb 2020 20:30:33 +0100
apt (1.9.6) experimental; urgency=medium
apt(8) no longer treats package names passed as regular expressions or fnmatch
expressions, requiring the use of patterns (apt-patterns(7)) to perform complex
searches. For ease of use, regular expressions starting with ^ or ending with
$ continue to work.
This fixes the problem where e.g. g++ could mean either "the package g++"
or, if there is no g++ package, "all packages containing g". This change
will propagate to apt-* after the release of Debian bullseye.
-- Julian Andres Klode <jak@debian.org> Wed, 15 Jan 2020 21:45:18 +0100
apt (1.9.5) unstable; urgency=medium
Credentials in apt_auth.conf(5) now only apply to https and tor+https
sources to avoid them being leaked over plaintext (Closes: #945911). To
opt-in to http, add http:// before the hostname. Note that this will transmit
credentials in plain text, which you do not want on devices that could be
operating in an untrusted network.
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 02 Dec 2019 11:45:52 +0100
apt (1.8.0~alpha3) unstable; urgency=medium
The PATH for running dpkg is now configured by the option DPkg::Path,
and defaults to "/usr/sbin:/usr/bin:/sbin:/bin". Previous behavior of
not changing PATH may be restored by setting the option to an empty string.
Support for /etc/apt/auth.conf.d/ has been added, see apt_auth.conf(5).
-- Julian Andres Klode <jak@debian.org> Tue, 18 Dec 2018 15:02:11 +0100
apt (1.6~rc1) unstable; urgency=medium
Seccomp sandboxing has been turned off by default for now. If it works
for you, you are encouraged to re-enable it by setting APT::Sandbox::Seccomp
to true.
-- Julian Andres Klode <jak@debian.org> Fri, 06 Apr 2018 14:14:29 +0200
apt (1.6~beta1) unstable; urgency=medium
APT now verifies that the date of Release files is not in the future. By
default, it may be 10 seconds in the future to allow for some clock drift.
Two new configuration options can be used to tweak the behavior:
Acquire::Check-Date
Acquire::Max-DateFuture
These can be overridden in sources.list entries using the check-date
and date-future-max options. Note that disabling check-date also
disables checks on valid-until: It is considered to mean that your
machine's time is not reliable.
-- Julian Andres Klode <jak@debian.org> Mon, 26 Feb 2018 13:14:13 +0100
apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
can be used to configure this further:
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
-- Julian Andres Klode <jak@debian.org> Mon, 23 Oct 2017 01:58:18 +0200
apt (1.5~beta1) unstable; urgency=medium
[ New HTTPS method ]
The default http method now supports HTTPS itself, including encrypted proxies
and connecting to HTTPS sites via HTTPS proxies; and the apt-transport-https
package only provides a "curl+https" method now as a fallback, but will be
removed shortly. If TLS support is unwanted, it can be disabled overall by
setting the option Acquire::AllowTLS to "false".
As for backwards compatibility, the options IssuerCert and SslForceVersion
are not supported anymore, and any specified certificate files must be in the
PEM format (curl might have allowed DER files as well).
[ Changes to unauthenticated repositories ]
The security exception for apt-get to only raise warnings if it encounters
unauthenticated repositories in the "update" command is gone now, so that it
will raise errors just like apt and all other apt-based front-ends do since
at least apt version 1.3.
It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
behaviour of apt-get by setting the option
Binary::apt-get::Acquire::AllowInsecureRepositories "true";
See apt-secure(8) manpage for configuration details.
[ Release Info Changes ]
If values like Origin, Label, and Codename change in a Release file,
update fails, or asks a user (if interactive). Various
--allow-releaseinfo-change are provided for non-interactive use.
-- Julian Andres Klode <jak@debian.org> Mon, 03 Jul 2017 15:09:23 +0200
apt (1.4.2) unstable; urgency=medium
If periodic updates and unattended upgrades are enabled, the start of
periodic updates are now distributed over 24 hour intervals (as in 1.2
to 1.4), whereas starting unattended-upgrade has been restricted to a
time between 6 and 7 am. This only affects systems using systemd, other
systems still use the classical hourly cron job.
-- Julian Andres Klode <jak@debian.org> Thu, 04 May 2017 22:54:02 +0200
apt (1.4~beta1) unstable; urgency=medium
Support for GPG signatures using the SHA1 or RIPE-MD/160 hash
algorithms has been disabled. Repositories using Release files
signed in such a way will stop working. This change has been made
due to security considerations, especially with regards to possible
further breakthroughs in SHA1 breaking during the lifetime
of this APT release series.
It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
behaviour by setting the options
APT::Hashes::SHA1::Weak "yes";
APT::Hashes::RIPE-MD/160::Weak "yes";
Note that setting these options only affects the verification of the overall
repository signature.
-- Julian Andres Klode <jak@debian.org> Fri, 25 Nov 2016 13:19:32 +0100
apt (1.2~exp1) experimental; urgency=medium
[ Automatic removal of debs after install ]
After packages are successfully installed by apt(8),
the corresponding .deb package files will be
removed from the /var/cache/apt/archives cache directory.
This can be changed by setting the apt configuration option
"Binary::apt::APT::Keep-Downloaded-Packages" to "true". E.g:
# echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' \
> /etc/apt/apt.conf.d/01keep-debs
Please note that the behavior of apt-get is unchanged. The
downloaded debs will be kept in the cache directory after they
are installed. To enable the behavior for other tools, you can set
"APT::Keep-Downloaded-Packages" to false.
[ Compressed indices ]
If you use Acquire::gzipIndexes, or any other compressed index targets,
those will now be compressed with the fastest supported algorithm,
currently lz4.
-- Michael Vogt <mvo@debian.org> Tue, 05 Jan 2016 19:22:16 +0100
apt (1.1~exp9) experimental; urgency=medium
A new algorithm for pinning has been implemented, it now assigns a
pin priority to a version instead of assigning a pin to a package.
This might break existing corner cases of pinning, if they use multiple
pins involving the same package name or patterns matching the same
package name, but should overall lead to pinning that actually works
as intended and documented.
-- Julian Andres Klode <jak@debian.org> Mon, 17 Aug 2015 14:45:17 +0200
apt (0.8.11) unstable; urgency=low
* apt-get install pkg/experimental will now not only switch the
candidate of package pkg to the version from the release experimental
but also of all dependencies of pkg if the current candidate can't
satisfy a versioned dependency.
-- David Kalnischkies <kalnischkies@gmail.com> Fri, 03 Dec 2010 14:09:12 +0100
apt (0.7.26~exp3) experimental; urgency=low
* apt-ftparchive now reads the standard configuration files in
/etc/apt/apt.conf and /etc/apt/apt.conf.d.
-- Julian Andres Klode <jak@debian.org> Fri, 26 Mar 2010 15:34:16 +0100
apt (0.7.24) unstable; urgency=low
* Already included in the last version but now with better documentation
is the possibility to add/prefer different compression types while
downloading archive information, which can decrease the time needed for
update on slow machines. See apt.conf (5) manpage for details.
* APT manages his manpage translations now with po4a, thanks to Nicolas
François and Kurasawa Nozomu, who also provide the ja translation.
Thanks to Christian Perrier we have already a fr translation and
a few more are hopefully added in the near future.
* This version also introduces some _experimental_ configuration options
to make more aggressive use of dpkg's triggers. If you want to help
testing these _experimental_ options see apt.conf (5) manpage.
-- David Kalnischkies <kalnischkies@gmail.com> Thu, 24 Sep 2009 15:13:16 +0200
apt (0.7.23) unstable; urgency=low
* Code that determines which proxy to use was changed. Now
'Acquire::{http,ftp}::Proxy[::<host>]' options have the highest priority,
and '{http,ftp}_proxy' environment variables are used only if options
mentioned above are not specified.
-- Eugene V. Lyubimkin <jackyf.devel@gmail.com> Thu, 19 Aug 2009 11:26:16 +0200
apt (0.6.44) unstable; urgency=low
* apt-ftparchive --db now uses Berkeley DB_BTREE instead of DB_HASH.
If you use a database created by an older version of apt, delete
it and allow it to be recreated the next time.
-- Michael Vogt <mvo@debian.org> Wed, 26 Apr 2006 12:57:53 +0200
apt (0.5.25) unstable; urgency=low
* apt-ftparchive --db now uses Berkeley DB version 4.2. If used with a
database created by an older version of apt, an attempt will be made
to upgrade the database, but this may not work in all cases. If your
database is not automatically upgraded, delete it and allow it to be
recreated the next time.
-- Matt Zimmerman <mdz@debian.org> Sat, 8 May 2004 12:38:07 -0700
|
