APT & Repositories on Debian/Ubuntu Server.

What is apt?

apt is a powerful command-line tool used to install, update, upgrade, and manage software packages on Debian-based Linux systems.

Common uses:

$ sudo apt update           # Refreshes package index from repos
$ sudo apt upgrade          # Upgrades all installed packages
$ sudo apt install nginx    # Installs nginx
$ sudo apt remove nano      # Removes nano

But where does apt get the packages from?

👉 From repositories!

What Are APT Repositories?

A repository is an online server that stores precompiled .deb packages and metadata. APT downloads packages and checks for updates from these repositories.

Types of repos:

• Official Ubuntu repos (main, universe)
• Security updates
• Third-party repos (e.g. Docker, PostgreSQL)
• Local/private mirrors (for enterprise or air-gapped systems)
  

Where Are APT Repositories Defined?

APT reads the list of repositories from these two locations:

1. /etc/apt/sources.list

This is the main file that contains core repository entries.

Example:

deb http://archive.ubuntu.com/ubuntu focal main universe

Line breakdown:

• deb: binary packages (use deb-src for source)
• URL: location of the repo
• Release: Ubuntu codename (e.g. focal, jammy, noble )
• Components: main, universe, restricted, etc.

2. /etc/apt/sources.list.d/

This is a folder that holds additional .list files — useful for organizing third-party repos.

Example files:

/etc/apt/sources.list.d/docker.list
/etc/apt/sources.list.d/postgresql.list

Inside a file like docker.list, you might see:

deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable

Why use this folder?

• Keeps sources.list clean.
• Makes it easy to remove specific repos by deleting a file.
  
  

How Are Repositories Verified?

Every repo must have a GPG key to verify the authenticity of packages. A GPG key is a cryptographic signature that ensures packages haven't been altered or tampered with.
When adding a repo, you typically import its GPG key manually:

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/docker.gpg

This ensures all downloaded packages are signed and trusted.

Script: What Does This Do?

Example:

$ curl https://gitlab.com/volian/volian-archive/-/raw/main/install-nala.sh | bash

What it does:

1. Downloads and runs a shell script.
2. The script typically:
   • Adds a .list file to /etc/apt/sources.list.d/
   • Adds a GPG key
   • Runs sudo apt update
   • Installs a package (e.g. nala)

⚠️ Always inspect scripts like these before running:

$ curl -fsSL URL | less

Look for:

• echo or tee to write .list files
• gpg or apt-key commands
• apt update or apt install commands

What is a .deb File?

A .deb file is a Debian package — like an .exe or .msi on Windows or .pkg on macOS.

It contains:

• Binary files (compiled programs)
• Metadata: version, dependencies, maintainer
• Pre/post-install scripts

Install it manually with:

$ sudo dpkg -i name.deb        # Does not resolve dependencies
$ sudo apt install ./name.deb  # Better! It installs dependencies too

Create .deb with:

• dpkg-deb
• checkinstall

Metadata (Definition)

Metadata in a .deb file is structured information that describes the package. It helps the package manager know what the package is, how to install it, and what it needs.

It typically includes:

• Package name: e.g., nginx
• Version: e.g., 1.18.0-6ubuntu14.4
• Architecture: e.g., amd64, arm64
• Dependencies: other packages required to run
• Maintainer: name/email of the package maintainer
• Description: a short summary of what the package does

This metadata is read by APT tools to handle installation, upgrades, and compatibility checks.

Hope you found this guide helpful!
Keep checking SNUBmonkey for more practical Linux tricks, system health tips, and storage deep dives.
Stay safe and stay curious!