Ubuntu apt Package Management Rules
Beginner
Enforce safe apt practices — always update before install, pin critical packages, use official repositories, clean up unused dependencies, and verify package authenticity.
File Patterns
**/*.sh
**/apt/**
**/sources.list*
This rule applies to files matching the patterns above.
Rule Content
rule-content.md
# Ubuntu apt Package Management Rules
## Rule
All package operations MUST follow safe practices: update before install, verify sources, pin critical versions, and clean up unused packages.
## Format
```bash
sudo apt update && sudo apt install <package>
```
## Requirements
### 1. Always Update Package Lists First
```bash
# GOOD: Update then install
sudo apt update
sudo apt install nginx
# BAD: Install without update (may get old version or fail)
sudo apt install nginx
```
### 2. Pin Critical Package Versions
```bash
# Hold packages that should not auto-upgrade
sudo apt-mark hold postgresql-16
sudo apt-mark hold nodejs
# View held packages
apt-mark showhold
# Unhold when ready to upgrade
sudo apt-mark unhold postgresql-16
```
### 3. Use Official Sources Only
```bash
# GOOD: Official Ubuntu repository
sudo apt install nginx
# GOOD: Vendor-maintained repository (e.g., NodeSource); download and read the setup script before piping it into a shell
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install nodejs
# CAUTION: Third-party PPAs (verify trust)
sudo add-apt-repository ppa:example/ppa # Review before adding
# BAD: Random .deb from the internet
wget https://sketchy-site.com/tool.deb && sudo dpkg -i tool.deb
```
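As an added example (not part of this rule file), the following script checks the "official sources only" requirement on a host: it parses one-line-format `sources.list` entries and flags cleartext http URIs, entries with no `signed-by` keyring, and Launchpad PPAs, and it builds a keyring-scoped entry for a vendor repository. The host `deb.example.com`, the keyring paths and the sample entries are constructed for the example; GNU awk or mawk and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example, not part of the original rule file: audit one-line apt source
# entries and build a keyring-scoped vendor entry. Assumes a POSIX shell and awk;
# the vendor host deb.example.com and the keyring paths are hypothetical.
set -eu

# Build a one-line sources entry whose trust is limited to one keyring via the
# signed-by option, rather than adding the vendor key to the global trust store.
# Usage: signed_source_line <uri> <suite> <component> <keyring-path>
signed_source_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$4" "$1" "$2" "$3"
}

# Audit every "deb"/"deb-src" entry of a one-line-format sources file.
# Prints one finding per issue, tab-separated: <severity> <reason> <entry>
#   http   - cleartext transport (index signatures still protect content, but
#            the mirror in use and every download are observable)
#   nosign - no signed-by keyring, so any key in the global trust store may sign it
#   ppa    - Launchpad PPA; trust in the uploader must be reviewed
audit_sources_file() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            line = $0
            opts = ""
            uri  = $2
            if ($2 ~ /^\[/) {
                # the option block may contain spaces: [arch=amd64 signed-by=...]
                s = index(line, "["); e = index(line, "]")
                if (e > s) opts = substr(line, s, e - s + 1)
                # the URI is the first field after the one that closes the block
                for (i = 2; i <= NF; i++)
                    if (substr($i, length($i), 1) == "]") { uri = $(i + 1); break }
            }
            if (substr(uri, 1, 7) == "http://")  printf "WARN\thttp\t%s\n", line
            if (index(opts, "signed-by=") == 0)   printf "WARN\tnosign\t%s\n", line
            if (index(uri, "ppa.launchpad") > 0)  printf "INFO\tppa\t%s\n", line
        }
    ' "$1"
}

# Count findings with a given reason, e.g. for a CI gate on "nosign".
count_findings() {
    audit_sources_file "$1" | awk -F'\t' -v r="$2" '$2 == r' | wc -l | tr -d ' '
}

# --- constructed sample input, not a real system file ---
SAMPLE_SOURCES="$(mktemp)"
trap 'rm -f "$SAMPLE_SOURCES"' EXIT
cat > "$SAMPLE_SOURCES" <<'EOF'
# constructed sample: one cleartext entry, one unscoped PPA, two scoped entries
deb http://archive.ubuntu.com/ubuntu noble main restricted
deb [signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg] https://security.ubuntu.com/ubuntu noble-security main
deb [arch=amd64 signed-by=/etc/apt/keyrings/example-vendor.gpg] https://deb.example.com/ubuntu noble main
deb https://ppa.launchpadcontent.net/example/ppa/ubuntu noble main
EOF

if [ "${1:-}" = "run" ]; then
    audit_sources_file "$SAMPLE_SOURCES"
    signed_source_line https://deb.example.com/ubuntu noble main /etc/apt/keyrings/example-vendor.gpg
fi
```

The `signed-by` option restricts which key may sign a repository's index; a key dropped into `/etc/apt/trusted.gpg.d/` instead is trusted for every repository on the system. To use the generated line for a vendor, store the vendor's key as a binary keyring (for instance with `gpg --dearmor -o /etc/apt/keyrings/<name>.gpg`) and write the line to `/etc/apt/sources.list.d/<name>.list`. The parser covers the one-line format only; deb822 `.sources` files (the default on Ubuntu 24.04 and later) carry `URIs:` and `Signed-By:` fields and need their own check.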
### 4. Clean Up Regularly
```bash
# Remove unused dependencies
sudo apt autoremove
# Clean download cache
sudo apt clean
# Remove leftover config files of already-removed packages (dpkg state "rc");
# guard against an empty list, which would make apt purge fail with no arguments
rc_pkgs=$(dpkg -l | awk '/^rc/ {print $2}')
[ -n "$rc_pkgs" ] && sudo apt purge $rc_pkgs
```
### 5. Review Before Upgrading
```bash
# Check what will be upgraded
apt list --upgradable
# Simulate upgrade (dry run)
sudo apt upgrade --dry-run
# Upgrade specific package only
sudo apt install --only-upgrade nginx
```
## Anti-Patterns
- Installing without apt update (stale package lists)
- Running apt upgrade blindly on production (review first)
- Adding untrusted PPAs (supply chain risk)
- Not pinning database/runtime versions (unexpected upgrades)
- Leaving unused packages installed (attack surface + disk usage)
- Using dpkg -i without dependency resolution
## Enforcement
Document approved package sources. Pin all critical packages. Include apt autoremove in monthly maintenance.
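One way to turn the enforcement items above into a check that can run from cron or CI, as an added example that is not part of this rule file: it verifies that critical packages are held and that the candidate version apt would install comes only from approved origins, by parsing the output of `apt-mark showhold` and `apt-cache policy`. The package list, the approved-origin pattern, the script name and the sample command outputs are constructed for the example; a POSIX shell, grep -E and awk are assumed.

```shell
#!/bin/sh
# Added example, not part of the original rule file: enforcement checks for the
# "pin critical packages" and "approved sources" rules. The functions take
# command output as text so they can be tested against constructed samples; on
# a real host pass them "$(apt-mark showhold)" and "$(apt-cache policy <pkg>)".
# Package names, versions and origins below are hypothetical.
set -eu

# Origins allowed to supply a candidate version (ERE, constructed for the example).
APPROVED='^https?://(archive|security)\.ubuntu\.com/'

# Verify every critical package is held. Args: <showhold output> <packages>.
# Prints the packages that are not held; returns 1 if any is missing.
check_holds() {
    held="$1"; critical="$2"; missing=0
    for pkg in $critical; do
        if ! printf '%s\n' "$held" | grep -qxF "$pkg"; then
            echo "NOT HELD: $pkg"
            missing=1
        fi
    done
    return "$missing"
}

# Print the repository URI of every version-table row that offers the
# Candidate version in "apt-cache policy <pkg>" output. Local rows
# (/var/lib/dpkg/status) carry no URI and are skipped.
candidate_sources() {
    printf '%s\n' "$1" | awk '
        /^ *Candidate:/     { cand = $2; next }
        /^ *Version table:/ { intable = 1; next }
        # version rows: "<version> <priority>", or "*** <version> <priority>"
        # for the installed version; source rows: "<priority> <uri> <suite> ..."
        intable && $1 == "***"                 { cur = $2; next }
        intable && NF == 2 && $2 ~ /^[0-9]+$/  { cur = $1; next }
        intable && $1 ~ /^[0-9]+$/ && index($2, "://") > 0 && cur == cand { print $2 }
    '
}

# Fail if the candidate is offered by any origin outside the approved pattern.
# Args: <apt-cache policy output> <approved ERE>. Returns 1 on a violation.
check_candidate_origin() {
    violations=$(candidate_sources "$1" | grep -Ev "$2" || true)
    if [ -n "$violations" ]; then
        printf 'UNAPPROVED ORIGIN: %s\n' $violations
        return 1
    fi
    return 0
}

# --- constructed samples in the shape of the real command output ---
SAMPLE_HELD="postgresql-16
nodejs"
SAMPLE_POLICY='nginx:
  Installed: (none)
  Candidate: 1.24.0-2ubuntu7.1
  Version table:
     1.24.0-2ubuntu7.1 500
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
     1.24.0-2ubuntu7 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages'
# the same package after an unreviewed PPA was added: the candidate now comes from it
SAMPLE_POLICY_PPA='nginx:
  Installed: (none)
  Candidate: 1.26.0-1ppa1
  Version table:
     1.26.0-1ppa1 500
        500 https://ppa.launchpadcontent.net/example/nginx/ubuntu noble/main amd64 Packages
     1.24.0-2ubuntu7.1 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages'

if [ "${1:-}" = "run" ]; then
    # live checks on the current host; set -e turns any violation into a non-zero exit
    check_holds "$(apt-mark showhold)" "postgresql-16 nodejs"
    check_candidate_origin "$(apt-cache policy nginx)" "$APPROVED"
fi
```

Saved as, say, `check-apt-policy.sh` (name assumed) and run with `sh check-apt-policy.sh run`, a non-zero exit flags either a critical package that lost its hold or a candidate version supplied by a repository outside the approved list, which is exactly the situation an unreviewed PPA creates once its version number outranks the archive's.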