christoph ender's

blog

saturday the 23rd of march, 2024

apt: packages kept back

Some day, when applying upgrades with the apt command line interface, the tool might state that some packages were kept back.

The following packages have been kept back:
  <package-name-01> <package-name-02> …

indicating that some updates are available, but won't be installed. Why?

phased updates

One possible reason is “phased updates”. This means that an update is assigned a Phased-Update-Percentage value between 0 and 100, which represents the probability that the update is installed on your machine. This ensures that, in case of faulty updates, not all updating machines are affected at once. For any kept-back update, this can be checked using an apt-cache policy command:

root@some-machine:~# apt-cache policy vim
vim:
  Installed: 2:8.2.3995-1ubuntu2.16
  Candidate: 2:8.2.3995-1ubuntu2.17
  Version table:
     2:8.2.3995-1ubuntu2.17 500 (phased 10%)
        500 http://eu-frankfurt-1-ad-1.clouds.ports.ubuntu.com/ubuntu-ports jammy-updates/main arm64 Packages
 *** 2:8.2.3995-1ubuntu2.16 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy-security/main arm64 Packages
        100 /var/lib/dpkg/status

new packages required

Another of the more common causes is that an upgrade for an already installed package requires the installation of an additional package. When using apt-get instead of apt, an upgrade operation by default will not install new or remove existing packages when these are required by a current upgrade. This behavior can be changed by running

apt-get --with-new-pkgs upgrade

It's also possible to run apt-get dist-upgrade instead; this kind of action might, however, do more than originally expected, since it tries to resolve conflicts and might remove some packages in order to reach its goal. It is also possible to use apt upgrade, which appears to be the recommended way to install the latest security updates.
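
To tell the two causes apart for a kept-back package, the following added example (not part of the original post) parses apt-cache policy output and reports whether the candidate version is phased; an unphased candidate points away from phasing as the reason. The function names and the mirror.example host are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Read `apt-cache policy <pkg>` output on stdin and print one line:
#   <pkg> <candidate-version> phased <percent>   or
#   <pkg> <candidate-version> unphased
classify_policy() {
    awk '
        # Header line such as "vim:" (the only line starting in column 1).
        /^[^ ].*:$/        { pkg = substr($0, 1, length($0) - 1) }
        # Append "" so versions are always compared as strings (1.10 != 1.1).
        $1 == "Candidate:" { cand = $2 "" }
        # Version-table row for the candidate; "***" marks the installed one.
        cand != "" && (($1 "") == cand || ($1 == "***" && ($2 "") == cand)) {
            state = "unphased"
            if (match($0, /\(phased [0-9]+%\)/)) {
                pct = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", pct)
                state = "phased " pct
            }
        }
        END {
            if (pkg != "" && cand != "")
                print pkg, cand, (state == "" ? "unphased" : state)
        }
    '
}

# Constructed sample: the vim output shown above, with a placeholder mirror.
sample_policy() {
    cat <<'EOF'
vim:
  Installed: 2:8.2.3995-1ubuntu2.16
  Candidate: 2:8.2.3995-1ubuntu2.17
  Version table:
     2:8.2.3995-1ubuntu2.17 500 (phased 10%)
        500 http://mirror.example/ubuntu-ports jammy-updates/main arm64 Packages
 *** 2:8.2.3995-1ubuntu2.16 500
        500 http://mirror.example/ubuntu-ports jammy-security/main arm64 Packages
        100 /var/lib/dpkg/status
EOF
}

# With package names as arguments, query apt; otherwise run the sample.
if [ "$#" -gt 0 ]; then
    for p in "$@"; do apt-cache policy "$p" | classify_policy; done
else
    sample_policy | classify_policy
fi
```

Saved as a script and called with the names from the "kept back" list, it prints one line per package.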