On Debian-based systems like Ubuntu, we keep all our packages up to date by using the following commands:
sudo apt update
sudo apt upgrade
The first command refreshes the list of available packages from the repositories and compares what you have installed with what’s available, giving you a snapshot of your system and the packages it needs to update. The second command upgrades all your packages.
However, during this process, you might sometimes see a message saying “the following packages have been kept back”. This indicates that not all the packages that should have been upgraded were upgraded. There are several reasons why this happens, so let’s go through them one by one.
What Causes this Message?
There are at least three reasons why we see “the following packages have been kept back” when upgrading packages in Linux.
1. Package Upgrade Needs to Install or Remove Other Packages
By default, the upgrade command in Debian systems doesn’t install new packages or remove existing ones. Its only job is to upgrade existing ones. Normally, upgrading packages doesn’t require much more. You can easily just replace an older package with the newer one, and you’re done. But sometimes the change is significant enough that the newer package requires additional packages to function.
Sometimes, the underlying software undergoes a framework change, and the functionality of the new package now depends on a new web of packages, for better or for worse. The upgrade tool won’t do these things for you, so it simply tells you that it’s keeping them back from the upgrade process.
By doing this, Linux allows you to decide for yourself whether or not you want to proceed with the upgrade and accept the new packages or delete the old ones.
2. Held Packages
Linux allows us to specify in advance that we don’t want certain packages to be updated. While this might seem unusual, it’s quite useful because sometimes we have a specific set-up and we don’t want an upgrade to ruin things. You wouldn’t believe the number of Linux installations with older packages that are no longer maintained. When you’re using a package that depends on this older package, an upgrade to the former can cause the entire thing to stop working.
You might even have written code that works only with an older version of a package, and rather than change the code, it’s easier to keep the older version. To ensure this, we use the built-in tool to mark the package as “never update”.
Here’s how it works. If you have a package that you want to keep “as is” without changing it, the Debian command is:
sudo apt-mark hold nginx
The above command will ensure that the “nginx” package doesn’t get upgraded when everything else does. For example, you might rely on some old functionality for your website. In general, it’s dangerous to not update your web server because of security reasons, but there might be some specific circumstances where a specific version is necessary.
If you want a list of all packages that have been marked in this manner, you can use:
apt-mark showhold
This will give you a list of all the packages that Debian is preventing from being upgraded. Now when you issue the “upgrade” command, you’ll get a message with the list of packages, and one of them will be “nginx” if that’s the one you marked.
Let’s say you needed to temporarily mark a package in its current version, but now you’ve updated your systems and code and want to “unmark” it so that the next upgrade command will update the package to the latest version. You can use the command:
sudo apt-mark unhold nginx
This reverses the change. Now the nginx package will be upgraded along with everything else.
3. Conflicts with Existing Packages
Sometimes, a new upgraded package will conflict with what’s already installed on your system. Consider the following scenario:
Package A relies on version 1.1 of package B. Now package A gets an upgrade. However, the new version of A requires an upgrade of package B to 1.5. If that’s all there was to it, then the system would simply upgrade both packages A and B and everything’s fine. However, there might be existing packages on the system that explicitly rely on version 1.1 of package B, and won’t work with version 1.5. In such a scenario, Debian will hold back the upgrade of package A entirely and generate the “following packages have been kept back” error message.
Another problem might occur when the upgraded version of a package tries to install a file in the same location as another package. Yet another problem might be if a particular package upgraded is marked as directly conflicting with another package.
As you can see, there are many ways in which new, upgraded packages can conflict with the ones already on the system.
How the Error Message Can Impact You
If you choose to not do anything about the error message and leave it unresolved for a long time, it can have deleterious effects on your system. Here are some of them.
1. Introduction of Security Vulnerabilities
While new packages might introduce new functionalities and efficiencies, the single biggest reason to upgrade to a new version is to take advantage of any security improvements. Packages in Linux are undergoing a constant process of development in terms of security, as new vulnerabilities are discovered by the community, and patches are sent out.
While it might be okay to delay the upgrade of a package now and then, leaving them un-upgraded for a long time is asking for eventual disaster. It’s a terrible security practice to have outdated packages on your system.
2. Malfunctioning Software
If a bunch of packages work together, and only some of them are upgraded, the interactions between them may malfunction as the ones that have been upgraded might rely on some new functionality present in the packages that are still on an older version.
Generally, developers try and write code in an object-oriented manner, to try and abstract the internal workings of a package, while maintaining the interface, and this is how modern software tries to be robust. But depending on the actual changes, this isn’t always possible.
Using the “full-upgrade” Option
Since Debian doesn’t install or remove packages while using the “upgrade” command, you can force the issue by using the “full-upgrade” command instead. Here’s the syntax:
sudo apt full-upgrade
The above command performs three functions. First, it installs all the new packages that are required for the upgraded packages to function properly. Second, it will remove packages that conflict with the upgraded ones. Finally, it will upgrade the packages that were previously kept back for those reasons. Packages you have marked with “apt-mark hold” stay held until you unhold them.
You need to use the above command carefully and closely verify the changes before you confirm them. The “full-upgrade” option will provide you with a detailed breakdown of what will change, so check and see if everything’s okay!
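One way to see, before running “full-upgrade”, which kept-back packages are there because of a hold and which need installs or removals (an added example, not from the original article; the function names and the sample output are constructed for illustration):

```shell
#!/bin/sh
# Classify "kept back" packages as held (apt-mark hold) or as needing
# full-upgrade. Helper names are hypothetical; sample data is constructed.

# Constructed sample of `apt-get -s upgrade` output (not from a real system).
SAMPLE_APT_OUTPUT='Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-generic linux-headers-generic
  nginx
The following packages will be upgraded:
  curl libcurl4
2 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.'

# Constructed sample of `apt-mark showhold` output (one package per line).
SAMPLE_HOLDS='nginx'

# Read apt output on stdin, print one kept-back package name per line.
# The package list is the run of indented lines right after the header.
kept_back() {
    awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        grab && /^[ \t]+/ { for (i = 1; i <= NF; i++) print $i; next }
        { grab = 0 }
    '
}

# classify_kept_back APT_OUTPUT HOLDS -> "package<TAB>reason" lines.
# "hold": someone pinned it, so it gets no security updates until unheld.
# "needs-full-upgrade": upgrading it requires installs or removals.
classify_kept_back() {
    printf '%s\n' "$1" | kept_back | while IFS= read -r pkg; do
        if printf '%s\n' "$2" | grep -qxF -- "$pkg"; then
            printf '%s\thold\n' "$pkg"
        else
            printf '%s\tneeds-full-upgrade\n' "$pkg"
        fi
    done
}

# On a real system (-s only simulates; LC_ALL=C keeps the message in English):
#   classify_kept_back "$(LC_ALL=C apt-get -s upgrade)" "$(apt-mark showhold)"
classify_kept_back "$SAMPLE_APT_OUTPUT" "$SAMPLE_HOLDS"
```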
Conclusion
As you can see, the “following packages have been kept back” message is easy to understand. Once you understand why the packages have been kept back, you can use the “full-upgrade” option, provided you understand the consequences and are willing to live with them. If you choose to live with the older packages, make sure that you try and upgrade them as soon as possible, to avoid any security problems down the line.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!