Keeping your Ubuntu system up-to-date is important, but sometimes you may want to prevent certain packages from being automatically installed, upgraded, or removed. This could be because:
- You need a specific version for compatibility,
- You want to avoid potential bugs in new updates,
- You've customized a package and don't want changes.
Here are some simple methods to lock packages in Ubuntu and its derivatives like elementary OS, Linux Mint, Pop!_OS, and Zorin OS. These methods will teach you how to stop a package from being:
- Automatically installed (even as a dependency),
- Automatically upgraded,
- Accidentally removed.
Note: Please be mindful that holding back packages from being upgraded is not recommended in production. The outdated packages might be vulnerable and cause security issues. So, it's always recommended to keep your Ubuntu system up-to-date.
Method 1: Freeze a Package with apt-mark hold
To lock a package from being automatically installed, updated, or removed, we can use the apt-mark command. This command has many options. You can read the man page for details about each option.
man apt-mark
For the purpose of this guide, we will discuss only two options namely hold and unhold.
- hold - Prevent a package from being automatically installed, updated, upgraded, or removed.
- unhold - Release the package from hold, allowing it to be installed, updated, or removed again.
Let us mark (hold) a package, for example htop, as shown below.
sudo apt-mark hold htop
Sample output:
htop set on hold.
The locked package will remain at the same version even after you upgrade your system. This trick can be very useful for holding back graphics drivers.
To check which packages are on hold:
apt-mark showhold
To unhold (unfreeze) the package, just run:
sudo apt-mark unhold htop
Sample output:
Canceled hold on htop.
Please note that this method stops a package from being upgraded, but it can still be manually removed or reinstalled. You can still remove locked packages using the "apt-get remove <packagename>" command.
This method only prevents the package from being automatically installed, updated, upgraded, or removed during a system upgrade.
Holding a package actually means you're telling the package manager to keep the current version no matter what, even if a new version is available. This is useful if the recent version of a currently working program breaks after an update.
When you update the system using sudo apt update or sudo apt upgrade, the marked packages will stay at the version they had when you put them on hold.
Method 2: Lock a Package with dpkg to Prevent Any Changes
This method blocks installing, upgrading, or removing a package by setting its status in the package database.
To freeze a package, run:
echo "firefox hold" | sudo dpkg --set-selections
To confirm it's locked:
dpkg --get-selections | grep firefox
Sample Output:
firefox hold
To remove the lock:
echo "firefox install" | sudo dpkg --set-selections
This method works well if you're managing multiple machines and using custom scripts.
Method 3: Block a Package from Ever Being Installed (APT Pinning)
Use this if you want to completely block a package, even as a dependency.
Open a new preferences file:
sudo nano /etc/apt/preferences.d/block-firefox
Add the following lines:
Package: firefox
Pin: release *
Pin-Priority: -1
Save and exit the file by pressing Ctrl+O, Enter, then Ctrl+X.
To confirm it's blocked, run the following command:
apt-cache policy firefox
You should see:
Package: firefox
Pin: release *
Pin-Priority: -1
Method 4: Prevent Package Updates using Synaptic (GUI method)
If you have Synaptic package manager installed on your system, you can easily lock a package from being installed, updated, upgraded, or removed as described below.
Open Synaptic either from the Unity dash or the menu. Search for the package you want to hold. Then go to Package in the menu bar and click hold.
That's it. Now the package will not be touched during system upgrades as long as you keep it on hold.
If Synaptic package manager is not installed on your system, you can install it using the command:
sudo apt-get install synaptic
Verifying Your Changes
After setting a hold, test it by running:
sudo apt upgrade
Your held package should appear in the list but show "held back" rather than being upgraded.
Important Notes
These methods only prevent automatic updates. You can still manually update held packages. Be careful holding critical system packages as this might cause security issues.
To temporarily bypass holds during an update, use:
sudo apt-get install --allow-change-held-packages package_name
Remember to periodically review your held packages (apt-mark showhold) and remove holds when they're no longer needed to keep your system secure.
- Always test changes on non-critical systems first.
- Don’t block essential packages unless you’re sure.
- These methods are reversible, just follow the steps backward.
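The periodic review recommended above can be scripted. The following is an added example, not part of the original article: it lists every lock that Methods 1 to 3 can leave behind, and the function names, the example-driver package and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: inventory the package locks described on this page.
# Methods 1 and 2 both end up as the "hold" state in dpkg's selection
# database; Method 3 lives in APT preferences files.

# Names of packages whose selection state is "hold".
# stdin: `dpkg --get-selections` output (name, whitespace, state).
held_from_selections() {
    awk '$2 == "hold" { print $1 }'
}

# "package priority file" for every stanza with a negative Pin-Priority
# in the given APT preferences files (stanzas end at a blank line).
negative_pins() {
    awk '
        function flush(   i, n, names) {
            if (pkg != "" && prio != "" && prio + 0 < 0) {
                n = split(pkg, names, " ")
                for (i = 1; i <= n; i++) print names[i], prio, file
            }
            pkg = ""; prio = ""
        }
        FNR == 1         { flush(); file = FILENAME }
        /^[ \t]*$/       { flush(); next }
        /^Package:/      { sub(/^Package:[ \t]*/, ""); pkg = $0 }
        /^Pin-Priority:/ { sub(/^Pin-Priority:[ \t]*/, ""); prio = $0 }
        END              { flush() }
    ' "$@"
}

# Constructed sample data so the example runs without touching APT.
# On a real system, feed the functions live data instead:
#   dpkg --get-selections | held_from_selections
#   negative_pins /etc/apt/preferences.d/*
demo() {
    local tmp; tmp=$(mktemp -d)
    printf 'htop\t\thold\nfirefox\t\tinstall\nexample-driver\thold\n' \
        > "$tmp/selections"
    printf 'Package: firefox\nPin: release *\nPin-Priority: -1\n' \
        > "$tmp/block-firefox"
    printf 'Package: vim\nPin: release *\nPin-Priority: 900\n' \
        > "$tmp/prefer-vim"
    held_from_selections < "$tmp/selections" | sed 's/^/hold /'
    negative_pins "$tmp/block-firefox" "$tmp/prefer-vim" |
        sed "s|$tmp/||; s/^/pin /"
    rm -rf "$tmp"
}
demo
```

Each line of output is a lock to justify or remove: a "hold" line comes from apt-mark, dpkg or Synaptic, and a "pin" line names the preferences file that blocks the package.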
Ubuntu Package Lock Cheat Sheet
Here's a concise cheat sheet for quick reference. Download and keep it near your desk.
Conclusion
You now know how to prevent a package from being installed, updated, or removed during a system update in Ubuntu and its derivatives.
It is a good practice to follow when you find that the recent version of a particular package is not stable or breaks the system. You can simply hold the package using the apt-mark command, so that package managers won't touch it until you unhold it.
2 comments
Just a comment: I believe the command to unhold the package htop is without the hyphen
sudo apt-mark unhold htop
Yeah, you’re right. Corrected now. Thank you.