Introduction to Debian Packages

Learn about Debian packages, package managers, and mirror repositories.

What are Debian packages?

There are several families of Linux distributions. Most of these distributions use packages for installing software. A package contains the files that the software needs, as well as meta information such as a description, a version, dependencies, conflicts, and so on.

The Debian operating system uses Debian packages. The package files use the .deb extension. Other distributions in the same family use the same package format. These include Ubuntu, Linux Mint, Knoppix, and several lesser-known distributions.

This course teaches us how to build Debian packages ourselves. First, we will explore the context in which those packages exist.

Package managers and repositories

When we install a piece of software on Debian or Ubuntu, typically, our first step is to see if our package manager already knows about this software. If yes, installing it is just one command.

How does the package manager know about software in the first place? It has a list of repository URLs. Each repository contains metadata and the actual packages.

When we request to install a package, say Inkscape (a vector graphics tool), the package manager looks up the metadata for this package.

Note: Most software has dependencies. Dependencies are other programs and libraries that software needs to function properly.

Inkscape needs, among other things, libxml2 for parsing and writing XML files, libcairo2 for rendering text and images on screen, and the Python interpreter to support plugins.

The package manager then checks if those dependencies are already installed, and if not, it schedules them and their dependencies for installation as well, recursively.

Pull model

The dependency resolution process only works with the pull model that repositories provide. The package manager decides which packages it needs and pulls them out of the repository.

If instead, we pushed packages to an operating system instance where we want them to be installed, we’d have to know from the outset which dependencies to push along with the target package.

Repository mirrors

The Debian project provides official repositories that contain all the software that is packaged by this project. However, most installations do not use these repositories directly but rather use a mirror. A mirror is a web server that provides the same contents as the official repositories.

Mirrors distribute the bandwidth requirements to many organizations. We typically select a mirror close to us for lower latencies and higher throughput. If one mirror becomes unavailable, switching to another mirror is a small matter of changing some of the configuration.

Organizations that run many Linux machines tend to have their own mirrors to save uplink bandwidth, decrease latency, and decouple their infrastructure from systems they have no control over.

Package list signing

When we don’t download a package directly from the source but rather from a mirror, how do we know it hasn’t been tampered with on its way there? Cryptographic signatures are the answer.

A Debian repository contains a package list that includes links to the package file and a checksum. This package list is signed by a PGP (or GnuPG) key. Every machine that installs Debian packages has a list of PGP keys it trusts, and verifies the integrity of the package list and the checksum before installation.

Note: Actually, each machine has a list of public keys, and trusts package lists signed by the matching private keys. See man apt-key for information on how to manage this public key ring.
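The checksum chain described above, as an added Python example that is not part of the original course. It goes one step beyond the text: in a real repository the signed file is a Release file that lists the hash of the Packages index, which in turn lists the hash of each .deb. The sample data is constructed, and the Release file's signature is assumed to have been verified already (for example with gpgv).

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_hashes(release_text: str) -> dict:
    """Map each path in the Release file's SHA256 section to (digest, size)."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def parse_packages(packages_text: str) -> dict:
    """Map each package name to its stanza fields (continuation lines skipped)."""
    index = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        index[fields["Package"]] = fields
    return index

def verify_chain(release_text, index_path, index_bytes, name, deb_bytes) -> str:
    """Check the Packages index against Release, then the .deb against the index."""
    listed = parse_release_hashes(release_text).get(index_path)
    if listed != (sha256(index_bytes), len(index_bytes)):
        return "Packages index does not match Release"
    entry = parse_packages(index_bytes.decode()).get(name)
    if entry is None:
        return "package not listed in Packages index"
    if (entry["SHA256"], int(entry["Size"])) != (sha256(deb_bytes), len(deb_bytes)):
        return "package file does not match Packages index"
    return "ok"

# Constructed sample data: a stand-in .deb and the two index files describing it.
DEB = b"constructed stand-in for the bytes of an inkscape .deb"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = ("Package: inkscape\nVersion: 0.0-constructed\n"
            "Filename: pool/main/i/inkscape/inkscape_constructed.deb\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
RELEASE = f"Suite: stable\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX_PATH, PACKAGES, "inkscape", DEB))
    print(verify_chain(RELEASE, INDEX_PATH, PACKAGES, "inkscape", DEB[:-1] + b"X"))
```

Because each link is checked against the one above it, a mirror that alters a package or the package index is detected without the mirror itself having to be trusted.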