
Ubuntu Debian packages have been kept back error

By SumGuy 5 min read

When you encounter the message “The following packages have been kept back” while updating your Ubuntu system using apt-get update && apt-get upgrade, it indicates that certain packages require manual intervention to update. This typically happens due to dependency issues or significant updates that need careful handling. Here’s how you can address this issue effectively:

Solution 1: Using --with-new-pkgs

A gentle approach to resolve this issue is to use the --with-new-pkgs option with the upgrade command. This method allows you to upgrade the kept-back packages without marking them as manually installed, which could simplify future maintenance. Here’s how you can do it:

sudo apt-get update # Update the package lists
sudo apt-get upgrade --with-new-pkgs # Upgrade and handle new packages

This command tries to intelligently handle the upgrade by installing any new dependencies required by the kept-back packages.

Solution 2: Explicit Installation

If the first solution doesn’t fully resolve the issue, you can explicitly install the kept-back packages:

sudo apt-get install <list of packages kept back>

Replace <list of packages kept back> with the actual names of the packages. This command forces the installation or upgrade of these specific packages, typically resolving any dependency issues. Unlike Solution 1, it also marks them as manually installed.

Using dist-upgrade

For a more comprehensive solution, especially when the cautious approaches don’t work, you can use:

sudo apt-get dist-upgrade

This command is more aggressive as it not only upgrades the existing packages but also intelligently handles changes in dependencies, including installing new ones and removing outdated ones. However, be cautious with this approach as it might remove packages to resolve complex dependency conflicts, which could potentially disrupt your system setup.

Considerations and Best Practices

While dist-upgrade can resolve complex situations, it’s akin to using a heavy tool for a delicate job. It’s advisable to understand the changes it proposes (especially which packages it intends to remove) before proceeding. Think of it like car maintenance: if you have the time and knowledge, manually resolving dependencies (installing and removing packages as needed) can provide more control and peace of mind.
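One way to review the proposed removals before committing, as an added example that is not part of the original post: it parses the "Remv" lines of a simulated dist-upgrade and stops if anything outside an allowed set would be removed. The function names, the glob allowlist and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# planned_removals: read `apt-get -s dist-upgrade` output on stdin and print
# one package name per "Remv" action line.
planned_removals() {
    awk '$1 == "Remv" { print $2 }'
}

# unexpected_removals PATTERN...: like planned_removals, but drop names that
# match any shell glob pattern passed as an argument (removals you have
# already decided are acceptable).
unexpected_removals() {
    planned_removals | while read -r pkg; do
        ok=no
        for pat in "$@"; do
            case $pkg in $pat) ok=yes ;; esac
        done
        [ "$ok" = yes ] || printf '%s\n' "$pkg"
    done
}

# Hypothetical wrapper: run the real dist-upgrade only when the simulation
# shows no removal outside the allowed patterns.
guarded_dist_upgrade() {
    blocked=$(apt-get -s dist-upgrade | unexpected_removals "$@")
    if [ -n "$blocked" ]; then
        printf 'Refusing: dist-upgrade would remove:\n%s\n' "$blocked" >&2
        return 1
    fi
    sudo apt-get dist-upgrade
}

# Constructed sample of simulation output (not captured from a real system).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  foo-plugin libfoo1
The following packages will be upgraded:
  foo
1 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
Remv foo-plugin [1.0-1]
Remv libfoo1 [1.0-1]
Inst foo [1.0-1] (2.0-1 Ubuntu:24.04/noble [amd64])
Conf foo (2.0-1 Ubuntu:24.04/noble [amd64])'
```

Calling guarded_dist_upgrade 'lib*' would, on the sample above, still refuse because foo-plugin is not covered by the pattern.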

Final Recommendations

Here’s a consolidated approach to handling kept-back packages in Ubuntu. Run the commands in order, moving on to the next one only if packages are still kept back:

sudo apt-get update
sudo apt-get upgrade --with-new-pkgs
sudo apt-get install <list of packages kept back>
sudo apt-get dist-upgrade

Always replace <list of packages kept back> with the actual names of the packages. By following these steps, you should be able to safely manage and resolve issues with packages that have been kept back during an upgrade on Ubuntu.

When Packages Keep Getting Kept Back (aka the “Why Won’t This Just Work” Section)

Sometimes you run through all of the above and a package still refuses to budge. Before you nuke the server and call it a day, here are the actual common culprits.

Pinned packages. APT has a preferences system that lets you pin packages to specific versions or repositories. If someone (you, a sysadmin from three jobs ago, or a package maintainer’s postinst script) pinned a package, it will get held back every single time until you deal with the pin. Check your pins:

apt-cache policy <package-name>

Look at the Pinned: and Candidate: lines. If the candidate version is lower than what’s available, you’ve got a pin. Check /etc/apt/preferences and /etc/apt/preferences.d/ for the culprit.

Manually held packages. Separate from pinning, APT has a hold mechanism. A package on hold will never be upgraded by any of the commands above — not even dist-upgrade. Check what’s being held:

apt-mark showhold

If you see your troublesome package there, that’s why. To release the hold:

sudo apt-mark unhold <package-name>

And if you want to intentionally hold something (say, a kernel version that actually boots), that’s how you do it too. Useful for those “I finally got this working and I refuse to let apt touch it” moments.
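To see which kept-back packages are explained by a hold and which need further digging, the two outputs can be joined. This is an added example, not code from the original post; the function names and sample outputs are constructed, and it assumes held packages with a pending upgrade appear in apt-get's kept-back list.

```shell
#!/bin/sh
# Added example, not from the original post.

# kept_back_packages: read `apt-get -s upgrade` output on stdin and print the
# names listed under "The following packages have been kept back:". The
# header is matched in English, so run apt-get with LC_ALL=C.
kept_back_packages() {
    awk '
        /^The following packages have been kept back:/ { inblock = 1; next }
        inblock && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        { inblock = 0 }
    '
}

# classify_kept_back HOLDS: read package names on stdin and label each one
# "held" or "not-held". HOLDS is the newline-separated output of
# `apt-mark showhold`.
classify_kept_back() {
    holds=$1
    while read -r pkg; do
        if printf '%s\n' "$holds" | grep -qxF -- "$pkg"; then
            printf '%s held\n' "$pkg"
        else
            printf '%s not-held\n' "$pkg"
        fi
    done
}

# Hypothetical wrapper that runs both steps against the live system.
triage_kept_back() {
    LC_ALL=C apt-get -s upgrade | kept_back_packages |
        classify_kept_back "$(apt-mark showhold)"
}

# Constructed samples (not captured from a real system).
SAMPLE_UPGRADE='Reading package lists...
Building dependency tree...
Calculating upgrade...
The following packages have been kept back:
  docker-ce linux-generic linux-headers-generic
  linux-image-generic
The following packages will be upgraded:
  curl libcurl4
2 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.'
SAMPLE_HOLDS='docker-ce'
```

Packages reported as not-held are the ones worth checking for pins, repository errors or dependency changes.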

Third-party repos with stale GPG keys or mismatched release files. If you’ve got a PPA or a vendor repo (Docker, Grafana, anything with its own /etc/apt/sources.list.d/ entry), and that repo is lagging behind or has a broken Release file, APT sometimes just quietly keeps everything it can’t verify back. Spot this with:

sudo apt-get update 2>&1 | grep -iE "^(W|E):|err|warn|expired|invalid"

A bunch of W: Skipping or E: Failed to fetch lines pointing at a specific repo is your answer. Fix the repo before expecting the packages to flow.

The nuclear diagnostic. If you genuinely can’t figure out why a specific package is being kept back, this tells you exactly what’s blocking it:

sudo apt-get install --simulate <package-name>

The --simulate flag (same as -s) does a dry run and shows you every dependency decision APT would make, including what it would remove and why. It’s the “explain yourself” flag, and it actually works.

