Tools

Tools: Catch Broken Debian Upgrades Before They Land: Practical `apt-listbugs` (2026)

2026-05-09 0 views admin
Tools: Catch Broken Debian Upgrades Before They Land: Practical `apt-listbugs` (2026)

What apt-listbugs actually does

When it is most useful

Install it

Use it for one-off inspection first

Let it run during normal APT upgrades

Tune the severity threshold

Filter by tag when you care about a specific class of breakage

Understand the pinning workflow

Ignore known exceptions carefully

Good defaults for noninteractive environments

Check that the cleanup path exists

What apt-listbugs is not

A simple, sensible workflow

References If you run Debian testing, unstable, or just like upgrading early, there is a familiar kind of pain: APT itself works fine, but the package you just pulled in is already known to be broken. That is exactly the gap apt-listbugs tries to close. Before APT installs or upgrades packages, apt-listbugs can query the Debian Bug Tracking System (BTS) for known bugs affecting the versions you are about to install. If it finds bugs that match your configured severity filters, it warns you before the upgrade goes through. That makes it especially useful on Debian systems where package freshness matters, but so does not breaking the box. According to the Debian manpage, apt-listbugs is intended to be invoked before package installation or upgrade so it can query the Debian BTS for bugs that would be introduced by the pending APT action. If matching bugs are found, it can let you continue, abort, or pin affected packages so the risky upgrade is deferred. A few details matter here: In other words, this is a pre-upgrade safety rail, not a replacement for testing or backups. I would reach for apt-listbugs when: If you mainly run stable and only take normal security updates, it may trigger less often, but it can still be a worthwhile guardrail. You can confirm the package exists in current Debian repositories with: On this host, apt-cache show reports the package description as: tool which lists critical bugs before each APT installation That matches the Debian documentation. Before wiring it into your normal upgrade flow, try a manual query. To inspect known bugs for a package: To inspect a specific version: You can also include an architecture qualifier, although the Debian BTS itself does not distinguish bugs by architecture in the way package metadata does: This is a good low-risk way to understand the output before you let it interrupt real upgrades. The package is designed to be invoked automatically by APT using a Pre-Install-Pkgs hook. After installation, that integration is normally handled for you. Once enabled, a regular upgrade looks the same from your side: If apt-listbugs finds matching bugs, it will stop before package installation and present the bug list. From there, your safest options are usually: That last option is real, but I would treat it like bypassing a smoke alarm. Sometimes you know why it is noisy. Usually, you should investigate first. By default, apt-listbugs shows bugs with these Debian severities: Debian classifies those as release-critical severities. In practice, they cover issues such as system breakage, severe package unusability, serious data loss risk, security holes, or defects that make a package unsuitable for release. If you want broader visibility, you can add important too. Create a small APT config snippet: That keeps the default high-signal behavior, while widening the net a little. If you want to focus on a specific Debian release when evaluating bugs, you can also set AptListbugs::DistroRelease: Other accepted values include real Debian codenames, unstable, stable, oldstable, or ANY. apt-listbugs can also filter by BTS tags. For example, if you only want to inspect bugs that are both confirmed and related to localization in a manual check: That is more niche than severity filtering, but it is useful to know the feature exists. This part is easy to miss. When apt-listbugs offers to pin a risky package, the pin is written for future APT runs, but it does not retroactively change the already running transaction. The manpage is explicit about this: if you choose to pin, you should abort the current install or upgrade, then rerun the same APT command. A practical workflow looks like this: The automatically managed pin file is: You normally should not edit that file by hand. There are two built-in ignore paths documented by the package: If you deliberately accept a specific bug, the manual file is the cleaner long-term place to document that choice. Do this sparingly. If everything becomes an ignore, the guardrail is gone. The manpage documents behavior for noninteractive use too: For CI or automation, the safest posture is usually to fail closed, not fail open. A one-off explicit example: For unattended package operations, review the package behavior carefully before adding automation flags. In most cases, silently continuing through known bug warnings is the wrong trade. The package documentation says automatically added pins are removed later by a daily cron job or an equivalent systemd timer. On a systemd-based Debian host, you can inspect related installed units with: If you rely on automatic pin cleanup, it is worth verifying that path once instead of assuming it is there. It helps to keep the boundaries clear: It is a very practical preflight check against known Debian bug reports for the versions you are about to pull in. That is narrower than magic, but broader than guessing. If you want a boringly reliable setup, this is a good start: That gives you a fast feedback loop without turning every package upgrade into a research project. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install -weight: 500;">apt-listbugs -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install -weight: 500;">apt-listbugs -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install -weight: 500;">apt-listbugs -weight: 500;">apt-cache policy -weight: 500;">apt-listbugs -weight: 500;">apt-cache show -weight: 500;">apt-listbugs -weight: 500;">apt-cache policy -weight: 500;">apt-listbugs -weight: 500;">apt-cache show -weight: 500;">apt-listbugs -weight: 500;">apt-cache policy -weight: 500;">apt-listbugs -weight: 500;">apt-cache show -weight: 500;">apt-listbugs -weight: 500;">apt-listbugs list openssh-server -weight: 500;">apt-listbugs list openssh-server -weight: 500;">apt-listbugs list openssh-server -weight: 500;">apt-listbugs list openssh-server/1:9.7p1-1 -weight: 500;">apt-listbugs list openssh-server/1:9.7p1-1 -weight: 500;">apt-listbugs list openssh-server/1:9.7p1-1 -weight: 500;">apt-listbugs list openssh-server:amd64/1:9.7p1-1 -weight: 500;">apt-listbugs list openssh-server:amd64/1:9.7p1-1 -weight: 500;">apt-listbugs list openssh-server:amd64/1:9.7p1-1 -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">install -d -m 0755 /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d -weight: 600;">sudo tee /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d/90apt-listbugs-local >/dev/null <<'EOF' AptListbugs::Severities "critical,grave,serious,important"; EOF -weight: 600;">sudo -weight: 500;">install -d -m 0755 /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d -weight: 600;">sudo tee /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d/90apt-listbugs-local >/dev/null <<'EOF' AptListbugs::Severities "critical,grave,serious,important"; EOF -weight: 600;">sudo -weight: 500;">install -d -m 0755 /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d -weight: 600;">sudo tee /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d/90apt-listbugs-local >/dev/null <<'EOF' AptListbugs::Severities "critical,grave,serious,important"; EOF -weight: 600;">sudo tee /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d/90apt-listbugs-release >/dev/null <<'EOF' AptListbugs::DistroRelease "testing"; EOF -weight: 600;">sudo tee /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d/90apt-listbugs-release >/dev/null <<'EOF' AptListbugs::DistroRelease "testing"; EOF -weight: 600;">sudo tee /etc/-weight: 500;">apt/-weight: 500;">apt.conf.d/90apt-listbugs-release >/dev/null <<'EOF' AptListbugs::DistroRelease "testing"; EOF -weight: 500;">apt-listbugs -T confirmed,l10n list some-package -weight: 500;">apt-listbugs -T confirmed,l10n list some-package -weight: 500;">apt-listbugs -T confirmed,l10n list some-package -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade # -weight: 500;">apt-listbugs warns about package foo # choose to pin / defer # abort the current -weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade # -weight: 500;">apt-listbugs warns about package foo # choose to pin / defer # abort the current -weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade # -weight: 500;">apt-listbugs warns about package foo # choose to pin / defer # abort the current -weight: 500;">upgrade -weight: 600;">sudo -weight: 500;">apt full--weight: 500;">upgrade /etc/-weight: 500;">apt/preferences.d/-weight: 500;">apt-listbugs /etc/-weight: 500;">apt/preferences.d/-weight: 500;">apt-listbugs /etc/-weight: 500;">apt/preferences.d/-weight: 500;">apt-listbugs -weight: 600;">sudo -weight: 500;">install -d -m 0755 /etc/-weight: 500;">apt/listbugs -weight: 600;">sudo tee -a /etc/-weight: 500;">apt/listbugs/ignore_bugs >/dev/null <<'EOF' # Ignore bug 123456 for this host until upstream fix lands 123456 EOF -weight: 600;">sudo -weight: 500;">install -d -m 0755 /etc/-weight: 500;">apt/listbugs -weight: 600;">sudo tee -a /etc/-weight: 500;">apt/listbugs/ignore_bugs >/dev/null <<'EOF' # Ignore bug 123456 for this host until upstream fix lands 123456 EOF -weight: 600;">sudo -weight: 500;">install -d -m 0755 /etc/-weight: 500;">apt/listbugs -weight: 600;">sudo tee -a /etc/-weight: 500;">apt/listbugs/ignore_bugs >/dev/null <<'EOF' # Ignore bug 123456 for this host until upstream fix lands 123456 EOF -weight: 500;">apt-listbugs -n list openssh-server -weight: 500;">apt-listbugs -n list openssh-server -weight: 500;">apt-listbugs -n list openssh-server -weight: 500;">systemctl list-unit-files | grep -weight: 500;">apt-listbugs -weight: 500;">systemctl list-timers --all | grep -weight: 500;">apt-listbugs -weight: 500;">systemctl list-unit-files | grep -weight: 500;">apt-listbugs -weight: 500;">systemctl list-timers --all | grep -weight: 500;">apt-listbugs -weight: 500;">systemctl list-unit-files | grep -weight: 500;">apt-listbugs -weight: 500;">systemctl list-timers --all | grep -weight: 500;">apt-listbugs - The default severity filter is critical,grave,serious - Pinning is not immediate inside the current APT transaction. If you choose to pin, you should abort and then rerun the same APT command. - Automatically added pins are cleaned up later by the package's daily cron job or systemd timer, once the BTS data shows the issue is fixed or no longer affects the installable version. - you run Debian testing or unstable - you track fast-moving packages on a workstation or homelab node - you want APT to -weight: 500;">stop and show known release-critical issues before changing the system - you prefer a quick BTS sanity check over reading bug trackers by hand - abort the -weight: 500;">upgrade - pin the affected package and then rerun the command - continue only if you understand the impact and accept the risk - automatic ignore list: /var/lib/-weight: 500;">apt-listbugs/ignore_bugs - manual ignore list: /etc/-weight: 500;">apt/listbugs/ignore_bugs - -F can force pinning without prompt - -N disables automatic pinning - -y assumes yes to all questions, including continuing when bugs or errors appear - -n assumes no and aborts when bugs or errors appear - It is not a vulnerability scanner. - It is not a package integrity checker. - It is not a substitute for snapshots or backups. - It is not a guarantee that an -weight: 500;">upgrade is safe. - Install -weight: 500;">apt-listbugs - Keep the default critical,grave,serious filter, or add important - Run upgrades manually on important systems - Abort and investigate when it flags a package you care about - Let temporary pins defer known-bad upgrades instead of brute-forcing through them - Debian manpage, -weight: 500;">apt-listbugs(1): https://manpages.debian.org/testing/-weight: 500;">apt-listbugs/-weight: 500;">apt-listbugs.1.en.html - Debian BTS severity definitions: https://www.debian.org/Bugs/Developer - Debian package metadata for -weight: 500;">apt-listbugs: https://packages.debian.org/-weight: 500;">apt-listbugs - Project homepage on Salsa: https://salsa.debian.org/frx-guest/-weight: 500;">apt-listbugs

🏷️ Tags

toolsutilitiessecurity toolscatchbrokendebianupgradesbeforepracticallistbugs

More from Tools

Tools: Best 8 Platforms to Buy Aged GitHub Accounts With (Update 2)

Tools: Best 8 Platforms to Buy Aged GitHub Accounts With (Update 2)

2026-05-09 0
Tools: Why Your App Shouldn't Run on Port 8080 in Production (2026)

Tools: Why Your App Shouldn't Run on Port 8080 in Production (2026)

2026-05-09 0
Tools: to Deploy Llama 3.2 405B with vLLM on a $48/Month DigitalOcean GPU Droplet: Frontier-Grade Reasoning at 1/120th Claude Opus Cost How

Tools: to Deploy Llama 3.2 405B with vLLM on a $48/Month DigitalOcean GPU Droplet: Frontier-Grade Reasoning at 1/120th Claude Opus Cost How

2026-05-09 0
Tools: Fly.io vs Railway vs Render (2026): Best Modern PaaS for Developers? - 2025 Update

Tools: Fly.io vs Railway vs Render (2026): Best Modern PaaS for Developers? - 2025 Update

2026-05-09 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views