1SOURCES.LIST(5)                       APT                      SOURCES.LIST(5)
2
3
4

NAME

6       sources.list - List of configured APT data sources
7

DESCRIPTION

9       The source list /etc/apt/sources.list and the files contained in
10       /etc/apt/sources.list.d/ are designed to support any number of active
11       sources and a variety of source media. The files list one source per
12       line (one-line style) or contain multiline stanzas defining one or more
13       sources per stanza (deb822 style), with the most preferred source
14       listed first (in case a single version is available from more than one
15       source). The information available from the configured sources is
16       acquired by apt-get update (or by an equivalent command from another
17       APT front-end).
18

SOURCES.LIST.D

20       The /etc/apt/sources.list.d directory provides a way to add
21       sources.list entries in separate files. Two different file formats are
22       allowed as described in the next two sections. Filenames need to have
23       either the extension .list or .sources depending on the contained
24       format. The filenames may only contain letters (a-z and A-Z), digits
25       (0-9), underscore (_), hyphen (-) and period (.) characters. Otherwise
26       APT will print a notice that it has ignored a file, unless that file
27       matches a pattern in the Dir::Ignore-Files-Silently configuration list
28       - in which case it will be silently ignored.
29

ONE-LINE-STYLE FORMAT

31       Files in this format have the extension .list. Each line specifying a
32       source starts with a type (e.g.  deb-src) followed by options and
33       arguments for this type. Individual entries cannot be continued onto a
34       following line. Empty lines are ignored, and a # character anywhere on
35       a line marks the remainder of that line as a comment. Consequently an
36       entry can be disabled by commenting out the entire line. If options
37       should be provided they are separated by spaces and all of them
38       together are enclosed by square brackets ([]) included in the line
39       after the type separated from it with a space. If an option allows
40       multiple values these are separated from each other with a comma (,).
41       An option name is separated from its value(s) by an equals sign (=).
42       Multivalue options also have -= and += as separators, which instead of
43       replacing the default with the given value(s) modify the default
44       value(s) to remove or include the given values.
45
46       This is the traditional format and supported by all apt versions. Note
47       that not all options as described below are supported by all apt
48       versions. Note also that some older applications parsing this format on
49       their own might not expect to encounter options as they were uncommon
50       before the introduction of multi-architecture support.
51

DEB822-STYLE FORMAT

53       Files in this format have the extension .sources. The format is similar
54       in syntax to other files used by Debian and its derivatives, such as
55       the metadata files that apt will download from the configured sources
56       or the debian/control file in a Debian source package. Individual
57       entries are separated by an empty line; additional empty lines are
58       ignored, and a # character at the start of the line marks the entire
59       line as a comment. An entry can hence be disabled by commenting out
60       each line belonging to the stanza, but it is usually easier to add the
61       field "Enabled: no" to the stanza to disable the entry. Removing the
62       field or setting it to yes re-enables it. Options have the same syntax
63       as every other field: A field name separated by a colon (:) and
64       optionally spaces from its value(s). Note especially that multiple
65       values are separated by whitespaces (like spaces, tabs and newlines),
66       not by commas as in the one-line format. Multivalue fields like
67       Architectures also have Architectures-Add and Architectures-Remove to
68       modify the default value rather than replacing it.
69
70       This is a new format supported by apt itself since version 1.1.
71       Previous versions ignore such files with a notice message as described
72       earlier. It is intended to make this format gradually the default
73       format, deprecating the previously described one-line-style format, as
74       it is easier to create, extend and modify for humans and machines alike
75       especially if a lot of sources and/or options are involved. Developers
76       who are working with and/or parsing apt sources are highly encouraged
77       to add support for this format and to contact the APT team to
78       coordinate and share this work. Users can freely adopt this format
79       already, but may encounter problems with software not supporting the
80       format yet.
81

THE DEB AND DEB-SRC TYPES: GENERAL FORMAT

83       The deb type references a typical two-level Debian archive,
84       distribution/component. The distribution is generally a suite name like
85       stable or testing or a codename like bookworm or trixie while component
86       is one of main, contrib, non-free or non-free-firmware. The deb-src
87       type references a Debian distribution's source code in the same form as
88       the deb type. A deb-src line is required to fetch source indexes.
89
90       The format for two one-line-style entries using the deb and deb-src
91       types is:
92
93           deb [ option1=value1 option2=value2 ] uri suite [component1] [component2] [...]
94           deb-src [ option1=value1 option2=value2 ] uri suite [component1] [component2] [...]
95
96       Alternatively the equivalent entry in deb822 style looks like this:
97
98                Types: deb deb-src
99                URIs: uri
100                Suites: suite
101                Components: [component1] [component2] [...]
102                option1: value1
103                option2: value2
104
105
106       The URI for the deb type must specify the base of the Debian
107       distribution, from which APT will find the information it needs.  suite
108       can specify an exact path, in which case the components must be omitted
109       and suite must end with a slash (/). This is useful for the case when
110       only a particular sub-directory of the archive denoted by the URI is of
111       interest. If suite does not specify an exact path, at least one
112       component must be present.
113
114       suite may also contain a variable, $(ARCH) which expands to the Debian
115       architecture (such as amd64 or armel) used on the system. This permits
116       architecture-independent sources.list files to be used. In general this
117       is only of interest when specifying an exact path; APT will
118       automatically generate a URI with the current architecture otherwise.
119
120       Especially in the one-line-style format since only one distribution can
121       be specified per line it may be necessary to have multiple lines for
122       the same URI, if a subset of all available distributions or components
123       at that location is desired. APT will sort the URI list after it has
124       generated a complete set internally, and will collapse multiple
125       references to the same Internet host, for instance, into a single
126       connection, so that it does not inefficiently establish a connection,
127       close it, do something else, and then re-establish a connection to that
128       same host. APT also parallelizes connections to different hosts to more
129       effectively deal with sites with low bandwidth.
130
131       It is important to list sources in order of preference, with the most
132       preferred source listed first. Typically this will result in sorting by
133       speed from fastest to slowest (CD-ROM followed by hosts on a local
134       network, followed by distant Internet hosts, for example).
135
136       As an example, the sources for your distribution could look like this
137       in one-line-style format:
138
139           deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
140           deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
141           deb http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
142
143       or like this in deb822 style format:
144
145           Types: deb
146           URIs: http://deb.debian.org/debian
147           Suites: bookworm bookworm-updates
148           Components: main contrib non-free non-free-firmware
149
150           Types: deb
151           URIs: http://deb.debian.org/debian-security
152           Suites: bookworm-security
153           Components: main contrib non-free non-free-firmware
154

THE DEB AND DEB-SRC TYPES: OPTIONS

156       Each source entry can have options specified to modify which source is
157       accessed and how data is acquired from it. Format, syntax and names of
158       the options vary between the one-line-style and deb822-style formats as
159       described, but they both have the same options available. For
160       simplicity we list the deb822 field name and provide the one-line name
161       in brackets. Remember that besides setting multivalue options
162       explicitly, there is also the option to modify them based on the
163       default, but we aren't listing those names explicitly here. Unsupported
164       options are silently ignored by all APT versions.
165
166Architectures (arch) is a multivalue option defining for which
167           architectures information should be downloaded. If this option
168           isn't set the default is all architectures as defined by the
169           APT::Architectures config option.
170
171Languages (lang) is a multivalue option defining for which
172           languages information such as translated package descriptions
173           should be downloaded. If this option isn't set the default is all
174           languages as defined by the Acquire::Languages config option.
175
176Targets (target) is a multivalue option defining which download
177           targets apt will try to acquire from this source. If not specified,
178           the default set is defined by the Acquire::IndexTargets
179           configuration scope (targets are specified by their name in the
180           Created-By field). Additionally, targets can be enabled or disabled
181           by using the Identifier field as an option with a boolean value
182           instead of using this multivalue option.
183
184PDiffs (pdiffs) is a yes/no value which controls if APT should try
185           to use PDiffs to update old indexes instead of downloading the new
186           indexes entirely. The value of this option is ignored if the
187           repository doesn't announce the availability of PDiffs. Defaults to
188           the value of the option with the same name for a specific index
189           file defined in the Acquire::IndexTargets scope, which itself
190           defaults to the value of configuration option Acquire::PDiffs which
191           defaults to yes.
192
193By-Hash (by-hash) can have the value yes, no or force and controls
194           if APT should try to acquire indexes via a URI constructed from a
195           hashsum of the expected file instead of using the well-known stable
196           filename of the index. Using this can avoid hashsum mismatches, but
197           requires a supporting mirror. A yes or no value activates/disables
198           the use of this feature if this source indicates support for it,
199           while force will enable the feature regardless of what the source
200           indicates. Defaults to the value of the option of the same name for
201           a specific index file defined in the Acquire::IndexTargets scope,
202           which itself defaults to the value of configuration option
203           Acquire::By-Hash which defaults to yes.
204
205       Furthermore, there are options which if set affect all sources with the
206       same URI and Suite, so they have to be set on all such entries and can
207       not be varied between different components. APT will try to detect and
208       error out on such anomalies.
209
210Allow-Insecure (allow-insecure), Allow-Weak (allow-weak) and
211           Allow-Downgrade-To-Insecure (allow-downgrade-to-insecure) are
212           boolean values which all default to no. If set to yes they
213           circumvent parts of apt-secure(8) and should therefore not be used
214           lightly!
215
216Trusted (trusted) is a tri-state value which defaults to APT
217           deciding if a source is considered trusted or if warnings should be
218           raised before e.g. packages are installed from this source. This
219           option can be used to override that decision. The value yes tells
220           APT always to consider this source as trusted, even if it doesn't
221           pass authentication checks. It disables parts of apt-secure(8), and
222           should therefore only be used in a local and trusted context (if at
223           all) as otherwise security is breached. The value no does the
224           opposite, causing the source to be handled as untrusted even if the
225           authentication checks passed successfully. The default value can't
226           be set explicitly.
227
228Signed-By (signed-by) is an option to require a repository to pass
229           apt-secure(8) verification with a certain set of keys rather than
230           all trusted keys apt has configured. It is specified as a list of
231           absolute paths to keyring files (have to be accessible and readable
232           for the _apt system user, so ensure everyone has read-permissions
233           on the file) and fingerprints of keys to select from these
234           keyrings. The recommended locations for keyrings are
235           /usr/share/keyrings for keyrings managed by packages, and
236           /etc/apt/keyrings for keyrings managed by the system operator. If
237           no keyring files are specified the default is the trusted.gpg
238           keyring and all keyrings in the trusted.gpg.d/ directory (see
239           apt-key fingerprint). If no fingerprint is specified all keys in
240           the keyrings are selected. A fingerprint will accept also all
241           signatures by a subkey of this key, if this isn't desired an
242           exclamation mark (!) can be appended to the fingerprint to disable
243           this behaviour. The option defaults to the value of the option with
244           the same name if set in the previously acquired Release file of
245           this repository (only fingerprints can be specified there through).
246           Otherwise all keys in the trusted keyrings are considered valid
247           signers for this repository. The option may also be set directly to
248           an embedded GPG public key block. Special care is needed to encode
249           the empty line with leading spaces and ".":
250
251               Types: deb
252               URIs: https://deb.debian.org
253               Suites: stable
254               Components: main contrib non-free non-free-firmware
255               Signed-By:
256                -----BEGIN PGP PUBLIC KEY BLOCK-----
257                .
258                mDMEYCQjIxYJKwYBBAHaRw8BAQdAD/P5Nvvnvk66SxBBHDbhRml9ORg1WV5CvzKY
259                CuMfoIS0BmFiY2RlZoiQBBMWCgA4FiEErCIG1VhKWMWo2yfAREZd5NfO31cFAmAk
260                IyMCGyMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQREZd5NfO31fbOwD6ArzS
261                dM0Dkd5h2Ujy1b6KcAaVW9FOa5UNfJ9FFBtjLQEBAJ7UyWD3dZzhvlaAwunsk7DG
262                3bHcln8DMpIJVXht78sL
263                =IE0r
264                -----END PGP PUBLIC KEY BLOCK-----
265
266
267Check-Valid-Until (check-valid-until) is a yes/no value which
268           controls if APT should try to detect replay attacks. A repository
269           creator can declare a time until which the data provided in the
270           repository should be considered valid, and if this time is reached,
271           but no new data is provided, the data is considered expired and an
272           error is raised. Besides increasing security, as a malicious
273           attacker can't send old data forever to prevent a user from
274           upgrading to a new version, this also helps users identify mirrors
275           which are no longer updated. However, some repositories such as
276           historic archives are not updated any more by design, so this check
277           can be disabled by setting this option to no. Defaults to the value
278           of configuration option Acquire::Check-Valid-Until which itself
279           defaults to yes.
280
281Valid-Until-Min (valid-until-min) and Valid-Until-Max
282           (valid-until-max) can be used to raise or lower the time period in
283           seconds in which the data from this repository is considered valid.
284           -Max can be especially useful if the repository provides no
285           Valid-Until field on its Release file to set your own value, while
286           -Min can be used to increase the valid time on seldom updated
287           (local) mirrors of a more frequently updated but less accessible
288           archive (which is in the sources.list as well) instead of disabling
289           the check entirely. Default to the value of the configuration
290           options Acquire::Min-ValidTime and Acquire::Max-ValidTime which are
291           both unset by default.
292
293Check-Date (check-date) is a yes/no value which controls if APT
294           should consider the machine's time correct and hence perform time
295           related checks, such as verifying that a Release file is not from
296           the future. Disabling it also disables the Check-Valid-Until option
297           mentioned above.
298
299Date-Max-Future (date-max-future) controls how far from the future
300           a repository may be. Default to the value of the configuration
301           option Acquire::Max-FutureTime which is 10 seconds by default.
302
303InRelease-Path (inrelease-path) determines the path to the
304           InRelease file, relative to the normal position of an InRelease
305           file. By default, this option is unset and APT will try to fetch an
306           InRelease or, if that fails, a Release file and its associated
307           Release.gpg file. By setting this option, the specified path will
308           be tried instead of the InRelease file, and the fallback to Release
309           files will be disabled.
310
311Snapshot (snapshot) allows selecting an earlier version of the
312           archive from the snapshot service. Supported values are:
313
314           •   enable to allow selecting a snapshot with the --snapshot
315               option, or
316
317           •   a snapshot ID to select a specific snapshot.
318
319           Snapshot IDs are usually timestamps in the form of
320           YYYYMMDDTHHMMSSZ, such as 20220102T030405Z which is the January
321           2nd, 2022 at 03:04:05 UTC, servers may however support additional
322           types of IDs, and APT does not perform any checks so far.
323
324

URI SPECIFICATION

326       The currently recognized URI types are:
327
328       http (apt-transport-http(1))
329           The http scheme specifies an HTTP server for an archive and is the
330           most commonly used method. The URI can directly include login
331           information if the archive requires it, but the use of
332           apt_auth.conf(5) should be preferred. The method also supports
333           SOCKS5 and HTTP(S) proxies either configured via apt-specific
334           configuration or specified by the environment variable http_proxy
335           in the format (assuming an HTTP proxy requiring authentication)
336           http://user:pass@server:port/. The authentication details for
337           proxies can also be supplied via apt_auth.conf(5).
338
339           Note that these forms of authentication are insecure as the whole
340           communication with the remote server (or proxy) is not encrypted so
341           a sufficiently capable attacker can observe and record login as
342           well as all other interactions. The attacker can not modify the
343           communication through as APT's data security model is independent
344           of the chosen transport method. See apt-secure(8) for details.
345
346       https (apt-transport-https(1))
347           The https scheme specifies an HTTPS server for an archive and is
348           very similar in use and available options to the http scheme. The
349           main difference is that the communication between apt and server
350           (or proxy) is encrypted. Note that the encryption does not prevent
351           an attacker from knowing which server (or proxy) apt is
352           communicating with and deeper analysis can potentially still reveal
353           which data was downloaded. If this is a concern the Tor-based
354           schemes mentioned further below might be a suitable alternative.
355
356       mirror, mirror+scheme (apt-transport-mirror(1))
357           The mirror scheme specifies the location of a mirrorlist. By
358           default the scheme used for the location is http, but any other
359           scheme can be used via mirror+scheme. The mirrorlist itself can
360           contain many different URIs for mirrors the APT client can
361           transparently pick, choose and fallback between intended to help
362           both with distributing the load over the available mirrors and
363           ensuring that clients can acquire data even if some configured
364           mirrors are not available.
365
366       file
367           The file scheme allows an arbitrary directory in the file system to
368           be considered an archive. This is useful for NFS mounts and local
369           mirrors or archives.
370
371       cdrom
372           The cdrom scheme allows APT to use a local CD-ROM, DVD or USB drive
373           with media swapping. Use the apt-cdrom(8) program to create cdrom
374           entries in the source list.
375
376       ftp
377           The ftp scheme specifies an FTP server for an archive. Use of FTP
378           is on the decline in favour of http and https and many archives
379           either never offered or are retiring FTP access. If you still need
380           this method many configuration options for it are available in the
381           Acquire::ftp scope and detailed in apt.conf(5).
382
383           Please note that an FTP proxy can be specified by using the
384           ftp_proxy environment variable. It is possible to specify an HTTP
385           proxy (HTTP proxy servers often understand FTP URLs) using this
386           environment variable and only this environment variable. Proxies
387           using HTTP specified in the configuration file will be ignored.
388
389       copy
390           The copy scheme is identical to the file scheme except that
391           packages are copied into the cache directory instead of used
392           directly at their location. This is useful for people using
393           removable media to copy files around with APT.
394
395       rsh, ssh
396           The rsh/ssh method invokes RSH/SSH to connect to a remote host and
397           access the files as a given user. Prior configuration of rhosts or
398           RSA keys is recommended. The standard find and dd commands are used
399           to perform the file transfers from the remote host.
400
401       adding more recognizable URI types
402           APT can be extended with more methods shipped in other optional
403           packages, which should follow the naming scheme
404           apt-transport-method. For instance, the APT team also maintains the
405           package apt-transport-tor, which provides access methods for HTTP
406           and HTTPS URIs routed via the Tor network.
407

EXAMPLES

409       Uses the archive stored locally (or NFS mounted) at /home/apt/debian
410       for stable/main, stable/contrib, stable/non-free and
411       stable/non-free-firmware.
412
413           deb file:/home/apt/debian stable main contrib non-free non-free-firmware
414
415           Types: deb
416           URIs: file:/home/apt/debian
417           Suites: stable
418           Components: main contrib non-free non-free-firmware
419
420       As above, except this uses the unstable (development) distribution.
421
422           deb file:/home/apt/debian unstable main contrib non-free non-free-firmware
423
424           Types: deb
425           URIs: file:/home/apt/debian
426           Suites: unstable
427           Components: main contrib non-free non-free-firmware
428
429       Sources specification for the above.
430
431           deb-src file:/home/apt/debian unstable main contrib non-free non-free-firmware
432
433           Types: deb-src
434           URIs: file:/home/apt/debian
435           Suites: unstable
436           Components: main contrib non-free non-free-firmware
437
438       The first line gets package information for the architectures in
439       APT::Architectures while the second always retrieves amd64 and armel.
440
441           deb http://deb.debian.org/debian bookworm main
442           deb [ arch=amd64,armel ] http://deb.debian.org/debian bookworm main
443
444           Types: deb
445           URIs: http://deb.debian.org/debian
446           Suites: bookworm
447           Components: main
448
449           Types: deb
450           URIs: http://deb.debian.org/debian
451           Suites: bookworm
452           Components: main
453           Architectures: amd64 armel
454
455       Uses HTTP to access the archive at archive.debian.org, and uses only
456       the hamm/main area.
457
458           deb http://archive.debian.org/debian-archive hamm main
459
460           Types: deb
461           URIs: http://archive.debian.org/debian-archive
462           Suites: hamm
463           Components: main
464
465       Uses FTP to access the archive at ftp.debian.org, under the debian
466       directory, and uses only the bookworm/contrib area.
467
468           deb ftp://ftp.debian.org/debian bookworm contrib
469
470           Types: deb
471           URIs: ftp://ftp.debian.org/debian
472           Suites: bookworm
473           Components: contrib
474
475       Uses FTP to access the archive at ftp.debian.org, under the debian
476       directory, and uses only the unstable/contrib area. If this line
477       appears as well as the one in the previous example in sources.list a
478       single FTP session will be used for both resource lines.
479
480           deb ftp://ftp.debian.org/debian unstable contrib
481
482           Types: deb
483           URIs: ftp://ftp.debian.org/debian
484           Suites: unstable
485           Components: contrib
486
487       Uses HTTP to access the archive at ftp.tlh.debian.org, under the
488       universe directory, and uses only files found under
489       unstable/binary-i386 on i386 machines, unstable/binary-amd64 on amd64,
490       and so forth for other supported architectures. [Note this example only
491       illustrates how to use the substitution variable; official debian
492       archives are not structured like this]
493
494           deb http://ftp.tlh.debian.org/universe unstable/binary-$(ARCH)/
495
496
497
498           Types: deb
499           URIs: http://ftp.tlh.debian.org/universe
500           Suites: unstable/binary-$(ARCH)/
501
502       Uses HTTP to get binary packages as well as sources from the stable,
503       testing and unstable suites and the components main and contrib.
504
505           deb http://deb.debian.org/debian stable main contrib
506           deb-src http://deb.debian.org/debian stable main contrib
507           deb http://deb.debian.org/debian testing main contrib
508           deb-src http://deb.debian.org/debian testing main contrib
509           deb http://deb.debian.org/debian unstable main contrib
510           deb-src http://deb.debian.org/debian unstable main contrib
511
512           Types: deb deb-src
513           URIs: http://deb.debian.org/debian
514           Suites: stable testing unstable
515           Components: main contrib
516

SEE ALSO

518       apt-get(8), apt.conf(5),
519       /usr/share/doc/apt/acquire-additional-files.md.gz
520

BUGS

522       APT bug page[1]. If you wish to report a bug in APT, please see
523       /usr/share/doc/debian/bug-reporting.txt or the reportbug(1) command.
524

AUTHORS

526       Jason Gunthorpe
527
528       APT team
529

NOTES

531        1. APT bug page
532           http://bugs.debian.org/src:apt
533
534
535
536APT 2.7.6                       29 January 2023                SOURCES.LIST(5)
Impressum