APT - How Debian and Ubuntu Handle Software Installation

I've been managing servers with APT for over a decade, and here's the thing that separates it from the competition: it fucking works. Unlike some other package managers I won't name (looking at you, RPM-based nightmares), APT actually resolves dependencies without breaking your entire system.

Update: APT 3.0 dropped in April 2025 and it's actually pretty sweet. The new Solver3 dependency resolver is faster and smarter, plus they added colorful output (green for dependencies, red for removals) which makes it easier to see what's happening during installs. They also ditched GnuTLS for OpenSSL and replaced GnuPG with Sequoia, which should improve security and performance.

How APT Actually Works

APT is basically a front-end to dpkg, the low-level package manager that actually installs the .deb files. APT's job is to figure out what the hell you need to install before dpkg takes over. The main tools you'll use are:

• apt - Use this for interactive stuff. It shows progress bars and doesn't hate you
• apt-get - Use this in scripts. It's stable and won't change behavior randomly
• apt-cache - For searching packages and getting info

The whole thing talks to repositories (like Ubuntu's package archives and Debian's repositories) to download packages and metadata. GPG signatures verify that packages aren't tampered with, which is nice when you're not installing sketchy software from random PPAs.

The Dependency Resolver That Doesn't Suck

APT's dependency resolver is genuinely good. I've seen it handle some absolutely fucked dependency chains that would break other package managers. It uses a topological sort to figure out installation order, which is a fancy way of saying "install dependencies first, obviously."

When you run apt install something, it:

• Downloads package metadata (this is what apt update does)
• Figures out what else needs to be installed or upgraded using dependency information
• Downloads everything it needs from configured repositories
• Installs packages in the right order so nothing breaks

The resolver can handle version conflicts, suggests alternatives when packages conflict, and generally tries not to destroy your system. I've had maybe 3-4 genuine dependency hell situations in 10+ years, which is pretty good.

Security That Actually Matters

Since around 2005, APT has required GPG signature verification for packages. This means packages are signed by repository maintainers, and APT won't install something that's been tampered with.

This matters more than you might think. I've seen malware distributed through compromised repositories, and signature verification caught it. The downside is you occasionally get "NO_PUBKEY" errors when repositories update their signing keys, but that's better than installing malicious packages.

Performance: Usually Fine

APT caches package metadata locally in `/var/lib/apt/lists/`, so most operations are fast once you've run apt update. Package downloads happen in parallel when dependencies allow it.

The cache system works well, but occasionally gets corrupted (usually if you interrupt apt update). When that happens, just delete everything in that directory and run apt update again. I've learned this the hard way multiple times.

So APT works well, but is it actually better than the alternatives? After dealing with package managers across different distributions for years, I have some strong opinions about what works and what's complete garbage.

I've managed APT across hundreds of Ubuntu servers for 8+ years, and learned most of this stuff the hard way. Here's what actually works and what'll bite you.

Commands You'll Actually Use

For interactive stuff (when you're SSH'd into a server):

sudo apt update && sudo apt upgrade  # The classic combo
sudo apt install nginx postgresql-14
apt search nginx | head -20          # Pipe to head or you'll hate life
apt show package-name                # Better than man pages sometimes

For scripts and automation (use apt-get, not apt):

sudo apt-get update
sudo apt-get install -y --no-install-recommends nodejs npm
sudo apt-get autoremove --purge      # Clean up afterwards

The `--no-install-recommends` flag is crucial in Docker containers and minimal installs. Without it, installing nginx pulls in 200MB of shit you don't need.

Repository Management: Where Things Get Messy

Your repositories are configured in `/etc/apt/sources.list` and `/etc/apt/sources.list.d/`. This is where things break in production.

The repositories you'll deal with:

• Main: Official Ubuntu packages that actually work
• Universe: Community packages that usually work
• Multiverse: Proprietary shit that might work
• PPAs: Third-party repositories that will eventually break your system

PPAs are convenient until they're not. I've seen Canonical's own Node.js PPA break servers when they changed signing keys without warning. Now I use NodeSource's repository instead.

Maintenance: Set It and (Sometimes) Forget It

The smart move is unattended-upgrades. Configure it to install security updates automatically:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

But here's the thing - it'll reboot your server when kernel updates require it. I learned this when it rebooted our database server during business hours. Now I configure reboot schedules.

Cache cleanup happens automatically mostly, but `/var/cache/apt/archives/` can grow to several GB. Set up a cron job:

0 2 * * 0 /usr/bin/apt-get clean

When APT Breaks (And How to Fix It)

The "broken packages" error is usually from interrupted installs:

sudo dpkg --configure -a
sudo apt --fix-broken install

Repository signature errors happen when maintainers update GPG keys:

## Find the key ID from the error message
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys [KEY_ID]

Cache corruption (usually from interrupted apt update):

sudo rm -rf /var/lib/apt/lists/*
sudo apt update

Caching and Performance

In larger deployments, use apt-cacher-ng to cache packages locally. It's saved me thousands of dollars in bandwidth costs.

Set it up once, then point all your servers to it:

echo 'Acquire::http::Proxy \"http://your-cache-server:3142\";' | sudo tee /etc/apt/apt.conf.d/01proxy

Automation Integration

Ansible works great with APT:

- name: Install packages
  apt:
    name: \"{{ item }}\"
    state: present
    update_cache: yes
  loop:
    - nginx
    - postgresql-14

Docker containers need special handling:

RUN apt-get update && apt-get install -y --no-install-recommends \
    package1 package2 \
    && rm -rf /var/lib/apt/lists/*

The last line is crucial - it prevents Docker layers from bloating with cached package lists.

Those are the basics that'll keep your systems running. But let's be real - APT will eventually break on you. When it does (not if, when), you'll need to know how to fix the common problems without going insane.