Introduction to Debian Packages
Learn about Debian packages, package managers, and mirror repositories.
What are Debian packages?
There are several families of Linux distributions. Most of these distributions use packages for installing software. A package contains the files that the software needs, as well as meta information such as a description, a version, dependencies, conflicts, and so on.
The Debian operating system uses the Debian packages. The package files use the .deb extension. Other distributions in the same family use the same package format. These include Ubuntu, Linux Mint, Knoppix, and several lesser-known distributions.
This course teaches us how to build Debian packages ourselves. First, we will explore the context in which those packages exist.
Package managers and repositories
When we install a piece of software on Debian or Ubuntu, typically, our first step is to see if our package manager already knows about this software. If yes, installing it is just one command.
How does the package manager know about software in the first place? It has a list of repository URLs. Each repository contains metadata and the actual packages.
When we request to install a package, say
Note: Most software has dependencies. Dependencies are other programs and libraries that software needs to function properly.
Inkscape needs, among other things, libxml2 for parsing and writing XML files, libcairo2 for rendering text and images on screen, and the Python interpreter to support plugins.
The package manager then checks whether those dependencies are already installed. If not, it schedules them for installation, along with their own dependencies, recursively.
Pull model
The dependency resolution process only works with the pull model that repositories provide. The package manager decides which packages it needs and pulls them out of the repository.
If instead, we pushed packages to an operating system instance where we want them to be installed, we’d have to know from the outset which dependencies to push along with the target package.
Repository mirrors
The Debian project provides official repositories that contain all the software that is packaged by this project. However, most installations do not use these repositories directly but rather use a mirror. A mirror is a web server that provides the same contents as the official repositories.
Mirrors distribute the bandwidth requirements to many organizations. We typically select a mirror close to us for lower latencies and higher throughput. If one mirror becomes unavailable, switching to another mirror is a small matter of changing some of the configuration.
Organizations that run many Linux machines tend to have their own mirrors to save uplink bandwidth, decrease latency, and decouple their infrastructure from systems they have no control over.
Package list signing
When we don’t download a package directly from the source but rather from a mirror, how do we know it hasn’t been tampered with on its way there? Cryptographic signatures are the answer.
A Debian repository contains a package list that includes links to the package file and a checksum. This package list is signed by a PGP (or GnuPG) key. Every machine that installs Debian packages has a man apt-key for information on how to manage this public key ring.
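The checksum half of this chain, as an added example that is not part of the original course: it parses a package list stanza and checks bytes downloaded from a mirror against the listed Size and SHA256 fields. The package name hello-demo, the stanza, and the file bytes are constructed, and the code assumes the signature on the package list has already been verified.

```python
import hashlib
import hmac

def parse_packages(text):
    """Parse a deb822-style package list into {package name: fields}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            index[fields["Package"]] = fields
    return index

def verify_download(index, name, data):
    """Return (ok, reason) for bytes fetched from an untrusted mirror."""
    entry = index.get(name)
    if entry is None:
        return False, "not in signed package list"
    if len(data) != int(entry["Size"]):           # cheap check before hashing
        return False, "size mismatch"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["SHA256"].lower()):
        return False, "checksum mismatch"
    return True, "ok"

# Constructed sample: stand-in file bytes and the list entry that describes them.
GOOD_DEB = b"!<arch>\nconstructed stand-in for a .deb archive\n"
PACKAGES = f"""\
Package: hello-demo
Version: 1.0-1
Depends: libc6
Filename: pool/main/h/hello-demo/hello-demo_1.0-1_amd64.deb
Size: {len(GOOD_DEB)}
SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}
Description: constructed example package
 Second line of the description.
"""

if __name__ == "__main__":
    index = parse_packages(PACKAGES)
    print(verify_download(index, "hello-demo", GOOD_DEB))
    tampered = GOOD_DEB.replace(b"stand-in", b"STAND-IN")  # same length, new content
    print(verify_download(index, "hello-demo", tampered))
```

The checksum only carries trust because the list containing it is signed; a mirror that could rewrite an unsigned list could replace the package and its checksum together.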