SOURCES.LIST(5) APT SOURCES.LIST(5)

sources.list - List of configured APT data sources

The source list /etc/apt/sources.list and the files contained in
/etc/apt/sources.list.d/ are designed to support any number of active
sources and a variety of source media. The files list one source per
line (one-line style) or contain multiline stanzas defining one or more
sources per stanza (deb822 style), with the most preferred source
listed first (in case a single version is available from more than one
source). The information available from the configured sources is
acquired by apt-get update (or by an equivalent command from another
APT front-end).

The /etc/apt/sources.list.d directory provides a way to add
sources.list entries in separate files. Two different file formats are
allowed as described in the next two sections. Filenames need to have
either the extension .list or .sources depending on the contained
format. The filenames may only contain letters (a-z and A-Z), digits
(0-9), underscore (_), hyphen (-) and period (.) characters. Otherwise
APT will print a notice that it has ignored a file, unless that file
matches a pattern in the Dir::Ignore-Files-Silently configuration list
- in which case it will be silently ignored.

Files in this format have the extension .list. Each line specifying a
source starts with a type (e.g. deb-src) followed by options and
arguments for this type. Individual entries cannot be continued onto a
following line. Empty lines are ignored, and a # character anywhere on
a line marks the remainder of that line as a comment. Consequently an
entry can be disabled by commenting out the entire line. If options
should be provided they are separated by spaces and all of them
together are enclosed by square brackets ([]) included in the line
after the type separated from it with a space. If an option allows
multiple values these are separated from each other with a comma (,).
An option name is separated from its value(s) by an equals sign (=).
Multivalue options also have -= and += as separators, which instead of
replacing the default with the given value(s) modify the default
value(s) to remove or include the given values.

This is the traditional format and supported by all apt versions. Note
that not all options as described below are supported by all apt
versions. Note also that some older applications parsing this format on
their own might not expect to encounter options as they were uncommon
before the introduction of multi-architecture support.

Files in this format have the extension .sources. The format is similar
in syntax to other files used by Debian and its derivatives, such as
the metadata files that apt will download from the configured sources
or the debian/control file in a Debian source package. Individual
entries are separated by an empty line; additional empty lines are
ignored, and a # character at the start of the line marks the entire
line as a comment. An entry can hence be disabled by commenting out
each line belonging to the stanza, but it is usually easier to add the
field "Enabled: no" to the stanza to disable the entry. Removing the
field or setting it to yes re-enables it. Options have the same syntax
as every other field: A field name separated by a colon (:) and
optionally spaces from its value(s). Note especially that multiple
values are separated by whitespaces (like spaces, tabs and newlines),
not by commas as in the one-line format. Multivalue fields like
Architectures also have Architectures-Add and Architectures-Remove to
modify the default value rather than replacing it.

This is a new format supported by apt itself since version 1.1.
Previous versions ignore such files with a notice message as described
earlier. It is intended to make this format gradually the default
format, deprecating the previously described one-line-style format, as
it is easier to create, extend and modify for humans and machines alike
especially if a lot of sources and/or options are involved. Developers
who are working with and/or parsing apt sources are highly encouraged
to add support for this format and to contact the APT team to
coordinate and share this work. Users can freely adopt this format
already, but may encounter problems with software not supporting the
format yet.

The deb type references a typical two-level Debian archive,
distribution/component. The distribution is generally a suite name like
stable or testing or a codename like bookworm or trixie while component
is one of main, contrib, non-free or non-free-firmware. The deb-src
type references a Debian distribution's source code in the same form as
the deb type. A deb-src line is required to fetch source indexes.

The format for two one-line-style entries using the deb and deb-src
types is:

    deb [ option1=value1 option2=value2 ] uri suite [component1] [component2] [...]
    deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [...]

Alternatively the equivalent entry in deb822 style looks like this:

    Types: deb deb-src
    URIs: uri
    Suites: suite
    Components: [component1] [component2] [...]
    option1: value1
    option2: value2

The URI for the deb type must specify the base of the Debian
distribution, from which APT will find the information it needs. suite
can specify an exact path, in which case the components must be omitted
and suite must end with a slash (/). This is useful for the case when
only a particular sub-directory of the archive denoted by the URI is of
interest. If suite does not specify an exact path, at least one
component must be present.

suite may also contain a variable, $(ARCH), which expands to the Debian
architecture (such as amd64 or armel) used on the system. This permits
architecture-independent sources.list files to be used. In general this
is only of interest when specifying an exact path; APT will
automatically generate a URI with the current architecture otherwise.

Especially in the one-line-style format, since only one distribution can
be specified per line, it may be necessary to have multiple lines for
the same URI, if a subset of all available distributions or components
at that location is desired. APT will sort the URI list after it has
generated a complete set internally, and will collapse multiple
references to the same Internet host, for instance, into a single
connection, so that it does not inefficiently establish a connection,
close it, do something else, and then re-establish a connection to that
same host. APT also parallelizes connections to different hosts to more
effectively deal with sites with low bandwidth.

It is important to list sources in order of preference, with the most
preferred source listed first. Typically this will result in sorting by
speed from fastest to slowest (CD-ROM followed by hosts on a local
network, followed by distant Internet hosts, for example).

As an example, the sources for your distribution could look like this
in one-line-style format:

    deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
    deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
    deb http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

or like this in deb822 style format:

    Types: deb
    URIs: http://deb.debian.org/debian
    Suites: bookworm bookworm-updates
    Components: main contrib non-free non-free-firmware

    Types: deb
    URIs: http://deb.debian.org/debian-security
    Suites: bookworm-security
    Components: main contrib non-free non-free-firmware

Each source entry can have options specified to modify which source is
accessed and how data is acquired from it. Format, syntax and names of
the options vary between the one-line-style and deb822-style formats as
described, but they both have the same options available. For
simplicity we list the deb822 field name and provide the one-line name
in brackets. Remember that besides setting multivalue options
explicitly, there is also the option to modify them based on the
default, but we aren't listing those names explicitly here. Unsupported
options are silently ignored by all APT versions.

• Architectures (arch) is a multivalue option defining for which
  architectures information should be downloaded. If this option
  isn't set the default is all architectures as defined by the
  APT::Architectures config option.

• Languages (lang) is a multivalue option defining for which
  languages information such as translated package descriptions
  should be downloaded. If this option isn't set the default is all
  languages as defined by the Acquire::Languages config option.

• Targets (target) is a multivalue option defining which download
  targets apt will try to acquire from this source. If not specified,
  the default set is defined by the Acquire::IndexTargets
  configuration scope (targets are specified by their name in the
  Created-By field). Additionally, targets can be enabled or disabled
  by using the Identifier field as an option with a boolean value
  instead of using this multivalue option.

• PDiffs (pdiffs) is a yes/no value which controls if APT should try
  to use PDiffs to update old indexes instead of downloading the new
  indexes entirely. The value of this option is ignored if the
  repository doesn't announce the availability of PDiffs. Defaults to
  the value of the option with the same name for a specific index
  file defined in the Acquire::IndexTargets scope, which itself
  defaults to the value of configuration option Acquire::PDiffs which
  defaults to yes.

• By-Hash (by-hash) can have the value yes, no or force and controls
  if APT should try to acquire indexes via a URI constructed from a
  hashsum of the expected file instead of using the well-known stable
  filename of the index. Using this can avoid hashsum mismatches, but
  requires a supporting mirror. A yes or no value activates/disables
  the use of this feature if this source indicates support for it,
  while force will enable the feature regardless of what the source
  indicates. Defaults to the value of the option of the same name for
  a specific index file defined in the Acquire::IndexTargets scope,
  which itself defaults to the value of configuration option
  Acquire::By-Hash which defaults to yes.

Furthermore, there are options which if set affect all sources with the
same URI and Suite, so they have to be set on all such entries and can
not be varied between different components. APT will try to detect and
error out on such anomalies.

• Allow-Insecure (allow-insecure), Allow-Weak (allow-weak) and
  Allow-Downgrade-To-Insecure (allow-downgrade-to-insecure) are
  boolean values which all default to no. If set to yes they
  circumvent parts of apt-secure(8) and should therefore not be used
  lightly!

• Trusted (trusted) is a tri-state value which defaults to APT
  deciding if a source is considered trusted or if warnings should be
  raised before e.g. packages are installed from this source. This
  option can be used to override that decision. The value yes tells
  APT always to consider this source as trusted, even if it doesn't
  pass authentication checks. It disables parts of apt-secure(8), and
  should therefore only be used in a local and trusted context (if at
  all) as otherwise security is breached. The value no does the
  opposite, causing the source to be handled as untrusted even if the
  authentication checks passed successfully. The default value can't
  be set explicitly.

• Signed-By (signed-by) is an option to require a repository to pass
  apt-secure(8) verification with a certain set of keys rather than
  all trusted keys apt has configured. It is specified as a list of
  absolute paths to keyring files (have to be accessible and readable
  for the _apt system user, so ensure everyone has read-permissions
  on the file) and fingerprints of keys to select from these
  keyrings. The recommended locations for keyrings are
  /usr/share/keyrings for keyrings managed by packages, and
  /etc/apt/keyrings for keyrings managed by the system operator. If
  no keyring files are specified the default is the trusted.gpg
  keyring and all keyrings in the trusted.gpg.d/ directory (see
  apt-key fingerprint). If no fingerprint is specified all keys in
  the keyrings are selected. A fingerprint will also accept all
  signatures by a subkey of this key; if this isn't desired, an
  exclamation mark (!) can be appended to the fingerprint to disable
  this behaviour. The option defaults to the value of the option with
  the same name if set in the previously acquired Release file of
  this repository (only fingerprints can be specified there though).
  Otherwise all keys in the trusted keyrings are considered valid
  signers for this repository. The option may also be set directly to
  an embedded GPG public key block. Special care is needed to encode
  the empty line with leading spaces and ".":

      Types: deb
      URIs: https://deb.debian.org
      Suites: stable
      Components: main contrib non-free non-free-firmware
      Signed-By:
       -----BEGIN PGP PUBLIC KEY BLOCK-----
       .
       mDMEYCQjIxYJKwYBBAHaRw8BAQdAD/P5Nvvnvk66SxBBHDbhRml9ORg1WV5CvzKY
       CuMfoIS0BmFiY2RlZoiQBBMWCgA4FiEErCIG1VhKWMWo2yfAREZd5NfO31cFAmAk
       IyMCGyMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQREZd5NfO31fbOwD6ArzS
       dM0Dkd5h2Ujy1b6KcAaVW9FOa5UNfJ9FFBtjLQEBAJ7UyWD3dZzhvlaAwunsk7DG
       3bHcln8DMpIJVXht78sL
       =IE0r
       -----END PGP PUBLIC KEY BLOCK-----

• Check-Valid-Until (check-valid-until) is a yes/no value which
  controls if APT should try to detect replay attacks. A repository
  creator can declare a time until which the data provided in the
  repository should be considered valid, and if this time is reached,
  but no new data is provided, the data is considered expired and an
  error is raised. Besides increasing security, as a malicious
  attacker can't send old data forever to prevent a user from
  upgrading to a new version, this also helps users identify mirrors
  which are no longer updated. However, some repositories such as
  historic archives are not updated any more by design, so this check
  can be disabled by setting this option to no. Defaults to the value
  of configuration option Acquire::Check-Valid-Until which itself
  defaults to yes.

• Valid-Until-Min (valid-until-min) and Valid-Until-Max
  (valid-until-max) can be used to raise or lower the time period in
  seconds in which the data from this repository is considered valid.
  -Max can be especially useful if the repository provides no
  Valid-Until field on its Release file to set your own value, while
  -Min can be used to increase the valid time on seldom updated
  (local) mirrors of a more frequently updated but less accessible
  archive (which is in the sources.list as well) instead of disabling
  the check entirely. They default to the values of the configuration
  options Acquire::Min-ValidTime and Acquire::Max-ValidTime which are
  both unset by default.

• Check-Date (check-date) is a yes/no value which controls if APT
  should consider the machine's time correct and hence perform time
  related checks, such as verifying that a Release file is not from
  the future. Disabling it also disables the Check-Valid-Until option
  mentioned above.

• Date-Max-Future (date-max-future) controls how far in the future
  a repository may be. Defaults to the value of the configuration
  option Acquire::Max-FutureTime which is 10 seconds by default.

• InRelease-Path (inrelease-path) determines the path to the
  InRelease file, relative to the normal position of an InRelease
  file. By default, this option is unset and APT will try to fetch an
  InRelease or, if that fails, a Release file and its associated
  Release.gpg file. By setting this option, the specified path will
  be tried instead of the InRelease file, and the fallback to Release
  files will be disabled.

• Snapshot (snapshot) allows selecting an earlier version of the
  archive from the snapshot service. Supported values are:

    • enable to allow selecting a snapshot with the --snapshot
      option, or

    • a snapshot ID to select a specific snapshot.

  Snapshot IDs are usually timestamps in the form of
  YYYYMMDDTHHMMSSZ, such as 20220102T030405Z, which is January
  2nd, 2022 at 03:04:05 UTC; servers may however support additional
  types of IDs, and APT does not perform any checks so far.

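An added example (not part of apt or of this manual page): a small auditor that parses both the one-line-style and the deb822-style formats described above and reports entries that set the security-relaxing options listed here, lack Signed-By, or carry login information in the URI. The sample entries, the repo.example.invalid host and the /etc/apt/keyrings/example.gpg path are constructed, and only the yes/no spellings shown on this page are recognised.

```python
import re
from urllib.parse import urlsplit

# Options the page says relax apt-secure(8) or the time checks, with the weakening
# value. Their lower-cased deb822 field names equal the one-line names.
RISKY = {"trusted": "yes", "allow-insecure": "yes", "allow-weak": "yes",
         "allow-downgrade-to-insecure": "yes", "check-valid-until": "no", "check-date": "no"}
STRUCTURAL = {"types", "uris", "suites", "components", "enabled"}

def parse_one_line(text):
    """Yield one dict per source line of one-line-style (.list) content."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' anywhere starts a comment
        m = re.match(r"(deb(?:-src)?)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)", line)
        if not m:
            continue
        # Options are space separated; '+=' and '-=' modify a multivalue default.
        pairs = (item.partition("=") for item in (m.group(2) or "").split())
        opts = {name.rstrip("+-").lower(): value for name, _, value in pairs}
        yield {"type": m.group(1), "uri": m.group(3), "suite": m.group(4), "options": opts}

def parse_deb822(text):
    """Yield one dict per type/URI/suite of deb822-style (.sources) content."""
    for stanza in re.split(r"\n[ \t]*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line.startswith("#"):             # comment only at line start
                continue
            if line[:1] in (" ", "\t") and key:  # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                name, _, value = line.partition(":")
                key = name.strip().lower()
                fields[key] = value.strip()
        if fields.get("enabled", "yes").lower() == "no":
            continue                             # "Enabled: no" disables the stanza
        opts = {k: v for k, v in fields.items() if k not in STRUCTURAL}
        for typ in fields.get("types", "").split():
            for uri in fields.get("uris", "").split():
                for suite in fields.get("suites", "").split():
                    yield {"type": typ, "uri": uri, "suite": suite, "options": opts}

def audit(source):  # returns the list of findings for one parsed source
    opts, findings = source["options"], []
    for name, bad in RISKY.items():
        if opts.get(name, "").strip().lower() == bad:
            findings.append(f"{name}={bad}: security check relaxed")
    if "signed-by" not in opts:
        findings.append("no signed-by: entry is not pinned to specific keys")
    if urlsplit(source["uri"]).username:
        findings.append("login information in URI: prefer apt_auth.conf(5)")
    return findings

# Constructed sample input, not taken from any real system.
ONE_LINE = """\
deb [ arch=amd64 trusted=yes ] http://user:secret@repo.example.invalid/debian bookworm main
deb [signed-by=/etc/apt/keyrings/example.gpg] https://deb.debian.org/debian bookworm main # ok
"""
DEB822 = """\
Types: deb deb-src
URIs: https://deb.debian.org/debian
Suites: bookworm bookworm-updates
Check-Valid-Until: no
Signed-By: /etc/apt/keyrings/example.gpg

Types: deb
URIs: http://repo.example.invalid/debian
Suites: stable
Allow-Insecure: yes
Enabled: no
"""

if __name__ == "__main__":
    for s in [*parse_one_line(ONE_LINE), *parse_deb822(DEB822)]:
        print(s["type"], s["uri"], s["suite"], audit(s), sep=" | ")
```

The disabled second stanza is skipped on purpose, so a risky option in an entry marked "Enabled: no" is not reported.
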
The currently recognized URI types are:

http (apt-transport-http(1))
    The http scheme specifies an HTTP server for an archive and is the
    most commonly used method. The URI can directly include login
    information if the archive requires it, but the use of
    apt_auth.conf(5) should be preferred. The method also supports
    SOCKS5 and HTTP(S) proxies either configured via apt-specific
    configuration or specified by the environment variable http_proxy
    in the format (assuming an HTTP proxy requiring authentication)
    http://user:pass@server:port/. The authentication details for
    proxies can also be supplied via apt_auth.conf(5).

    Note that these forms of authentication are insecure as the whole
    communication with the remote server (or proxy) is not encrypted so
    a sufficiently capable attacker can observe and record login as
    well as all other interactions. The attacker can not modify the
    communication though, as APT's data security model is independent
    of the chosen transport method. See apt-secure(8) for details.

https (apt-transport-https(1))
    The https scheme specifies an HTTPS server for an archive and is
    very similar in use and available options to the http scheme. The
    main difference is that the communication between apt and server
    (or proxy) is encrypted. Note that the encryption does not prevent
    an attacker from knowing which server (or proxy) apt is
    communicating with and deeper analysis can potentially still reveal
    which data was downloaded. If this is a concern the Tor-based
    schemes mentioned further below might be a suitable alternative.

mirror, mirror+scheme (apt-transport-mirror(1))
    The mirror scheme specifies the location of a mirrorlist. By
    default the scheme used for the location is http, but any other
    scheme can be used via mirror+scheme. The mirrorlist itself can
    contain many different URIs for mirrors the APT client can
    transparently pick, choose and fall back between, intended to help
    both with distributing the load over the available mirrors and
    ensuring that clients can acquire data even if some configured
    mirrors are not available.

file
    The file scheme allows an arbitrary directory in the file system to
    be considered an archive. This is useful for NFS mounts and local
    mirrors or archives.

cdrom
    The cdrom scheme allows APT to use a local CD-ROM, DVD or USB drive
    with media swapping. Use the apt-cdrom(8) program to create cdrom
    entries in the source list.

ftp
    The ftp scheme specifies an FTP server for an archive. Use of FTP
    is on the decline in favour of http and https and many archives
    either never offered or are retiring FTP access. If you still need
    this method many configuration options for it are available in the
    Acquire::ftp scope and detailed in apt.conf(5).

    Please note that an FTP proxy can be specified by using the
    ftp_proxy environment variable. It is possible to specify an HTTP
    proxy (HTTP proxy servers often understand FTP URLs) using this
    environment variable and only this environment variable. Proxies
    using HTTP specified in the configuration file will be ignored.

copy
    The copy scheme is identical to the file scheme except that
    packages are copied into the cache directory instead of used
    directly at their location. This is useful for people using
    removable media to copy files around with APT.

rsh, ssh
    The rsh/ssh method invokes RSH/SSH to connect to a remote host and
    access the files as a given user. Prior configuration of rhosts or
    RSA keys is recommended. The standard find and dd commands are used
    to perform the file transfers from the remote host.

adding more recognizable URI types
    APT can be extended with more methods shipped in other optional
    packages, which should follow the naming scheme
    apt-transport-method. For instance, the APT team also maintains the
    package apt-transport-tor, which provides access methods for HTTP
    and HTTPS URIs routed via the Tor network.

Uses the archive stored locally (or NFS mounted) at /home/apt/debian
for stable/main, stable/contrib, stable/non-free and
stable/non-free-firmware.

    deb file:/home/apt/debian stable main contrib non-free non-free-firmware

    Types: deb
    URIs: file:/home/apt/debian
    Suites: stable
    Components: main contrib non-free non-free-firmware

As above, except this uses the unstable (development) distribution.

    deb file:/home/apt/debian unstable main contrib non-free non-free-firmware

    Types: deb
    URIs: file:/home/apt/debian
    Suites: unstable
    Components: main contrib non-free non-free-firmware

Sources specification for the above.

    deb-src file:/home/apt/debian unstable main contrib non-free non-free-firmware

    Types: deb-src
    URIs: file:/home/apt/debian
    Suites: unstable
    Components: main contrib non-free non-free-firmware

The first line gets package information for the architectures in
APT::Architectures while the second always retrieves amd64 and armel.

    deb http://deb.debian.org/debian bookworm main
    deb [ arch=amd64,armel ] http://deb.debian.org/debian bookworm main

    Types: deb
    URIs: http://deb.debian.org/debian
    Suites: bookworm
    Components: main

    Types: deb
    URIs: http://deb.debian.org/debian
    Suites: bookworm
    Components: main
    Architectures: amd64 armel

Uses HTTP to access the archive at archive.debian.org, and uses only
the hamm/main area.

    deb http://archive.debian.org/debian-archive hamm main

    Types: deb
    URIs: http://archive.debian.org/debian-archive
    Suites: hamm
    Components: main

Uses FTP to access the archive at ftp.debian.org, under the debian
directory, and uses only the bookworm/contrib area.

    deb ftp://ftp.debian.org/debian bookworm contrib

    Types: deb
    URIs: ftp://ftp.debian.org/debian
    Suites: bookworm
    Components: contrib

Uses FTP to access the archive at ftp.debian.org, under the debian
directory, and uses only the unstable/contrib area. If this line
appears as well as the one in the previous example in sources.list a
single FTP session will be used for both resource lines.

    deb ftp://ftp.debian.org/debian unstable contrib

    Types: deb
    URIs: ftp://ftp.debian.org/debian
    Suites: unstable
    Components: contrib

Uses HTTP to access the archive at ftp.tlh.debian.org, under the
universe directory, and uses only files found under
unstable/binary-i386 on i386 machines, unstable/binary-amd64 on amd64,
and so forth for other supported architectures. [Note this example only
illustrates how to use the substitution variable; official debian
archives are not structured like this]

    deb http://ftp.tlh.debian.org/universe unstable/binary-$(ARCH)/

    Types: deb
    URIs: http://ftp.tlh.debian.org/universe
    Suites: unstable/binary-$(ARCH)/

Uses HTTP to get binary packages as well as sources from the stable,
testing and unstable suites and the components main and contrib.

    deb http://deb.debian.org/debian stable main contrib
    deb-src http://deb.debian.org/debian stable main contrib
    deb http://deb.debian.org/debian testing main contrib
    deb-src http://deb.debian.org/debian testing main contrib
    deb http://deb.debian.org/debian unstable main contrib
    deb-src http://deb.debian.org/debian unstable main contrib

    Types: deb deb-src
    URIs: http://deb.debian.org/debian
    Suites: stable testing unstable
    Components: main contrib

apt-get(8), apt.conf(5),
/usr/share/doc/apt/acquire-additional-files.md.gz

APT bug page[1]. If you wish to report a bug in APT, please see
/usr/share/doc/debian/bug-reporting.txt or the reportbug(1) command.

Jason Gunthorpe

APT team

1. APT bug page
   http://bugs.debian.org/src:apt

APT 2.7.6 29 January 2023 SOURCES.LIST(5)