Caution
The Packaging and Development guide is currently undergoing a major overhaul to bring it up to date. The current state you are seeing now is a preview of this effort.
The current version is unstable (changing URLs can occur at any time) and most content is not in properly reviewed yet. Proceed with caution and be aware of technical inaccuracies.
If you are an experienced packager and would like to contribute, we would love for you to be involved! See our contribution page for details of how to join in.
Ubuntu package archive¶
Linux distributions like Ubuntu use
repositories to hold packages you can
install on target machines. Ubuntu has several repositories that anyone can
access. The Ubuntu package archive hosts Debian
binary packages (.deb files) and
source packages (.dsc files). On Ubuntu
installations, the Ubuntu package archive is configured as the default source
for the APT package manager to download and install packages from.
Note
Some of the following terminologies have only loose or informal definitions. Also, be aware that the terminology surrounding the Ubuntu package archive gets mixed up in day-to-day communications. This can be confusing, but the meaning is usually evident from the surrounding context once you are familiar with the following terminologies.
Repositories¶
In the context of package management, repositories are servers containing sets of packages that a package manager can download and install.
This term can refer to the Ubuntu package archive as a whole or just suites, pockets, or components.
Series¶
A series refers to the packages that target a specific Ubuntu version. A series is usually referred to by its code name.
Examples of series are: mantic, lunar, jammy, focal, bionic, xenial, trusty.
Note
In practice, the terms “Ubuntu series” and “Ubuntu release” are often used
synonymously or are mistaken for each other. There is technically a
difference; for example, an LTS version usually has an initial release
(e.g. 22.04 LTS) and multiple point releases (e.g. 22.04.1 LTS, 22.04.2 LTS),
which are all part of the same series (e.g. jammy).
Pockets¶
Pockets are package sub-repositories within the Ubuntu package archive. Every Ubuntu series has the following pockets:
release¶
This pocket contains the packages that an Ubuntu series was initially released with. After the initial release of an Ubuntu series, the packages in this pocket are not updated (not even for security-related fixes).
security¶
This pocket contains security-related updates to packages in the release pocket.
updates¶
This pocket contains non-security-related updates to packages in the release pocket.
proposed¶
This pocket is a staging environment the Ubuntu community can opt into, to verify the stability of any updates before they get deployed to a broader range of consumers.
Before the initial release of an Ubuntu series, this pocket contains non-security-related updates to packages in the release pocket before they get uploaded to the release pocket.
After the initial release of an Ubuntu series, this pocket contains non-security-related updates to packages in the release pocket before they get uploaded to the updates pocket.
backports¶
This pocket contains packages the Ubuntu series was initially NOT released with.
The backports article provides more information on backporting software.
Important
The backports pocket does not come with any security support guarantee. The Ubuntu Security Team does not update packages in the backports pocket. The Ubuntu community is responsible for maintaining packages in backports with later patches for bug fixes and security updates.
Suite¶
A combination of a series and a pocket. For example:
Suite |
Series |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You can see all active suites in the archive.
Note
The devel series always mirrors the series with the code name of the
current release in development.
Components¶
Components are logical subdivisions or namespaces of the packages in a suite. The APT package manager can subscribe to the individual components of a suite.
The packages of an Ubuntu series are categorised according to whether they are Open Source Software or Closed Source Software, and whether or not they are part of the base packages for a given series. On this basis they are sorted into the components “main”, “restricted”, “universe”, or “multiverse”, as shown in the following table:
Open source software |
Closed source software |
|
Ubuntu base packages |
||
Community packages |
Canonical maintains the base packages and provides security updates. See release lifespan for more information about the official support provided by Canonical.
For example, if you look into any of the Pockets of the devel
series (devel-release, devel-updates, devel-security, devel-proposed,
devel-backports) you will see the four components (main, restricted, universe, multiverse)
as directories.
main¶
This component contains open source software packages for a given series that are supported and maintained by Canonical.
restricted¶
This component contains closed source software packages for a given series that are supported and maintained by Canonical. Packages in this component are mostly proprietary drivers for devices and similar.
universe¶
This component contains open source software packages for a given series that are supported and maintained by the Ubuntu community.
multiverse¶
This component contains packages (for a given series) of closed source software, or open source software restricted by copyright or legal issues. These packages are maintained and supported by the Ubuntu community, but because of the restrictions, patching bugs or updates may not be possible.
Mirrors¶
Every day, hundreds of thousands of people want to download and install packages
from the Ubuntu package archive. To provide a good
user experience, the content of
http://archive.ubuntu.com/ubuntu gets mirrored (replicated and kept in sync)
by other servers to distribute network traffic, reduce latency, and provide redundancy,
which ensures high availability and fault tolerance.
Here is a complete list of officially recognised Ubuntu package archive mirrors.
Note
There are also mirrors for the Ubuntu ISO images (also called “CD images”, because ISO images can be downloaded and burned to a CD to make installation disks.)
You can find a complete list of officially recognised Ubuntu CD mirrors.
Country mirrors¶
Ubuntu package archive mirrors that provide a very reliable service in a country can request to be the official country mirror for that country. Ubuntu installations are configured by default to use the country mirror for their selected country.
Country mirrors are accessible via the domain name format:
<country-code>.archive.ubuntu.com
You can see which mirror is the country mirror by doing a simple DNS lookup. For example:
dig fi.archive.ubuntu.com +noall +answer
fi.archive.ubuntu.com. 332 IN CNAME mirrors.nic.funet.fi.
mirrors.nic.funet.fi. 332 IN A 193.166.3.5
Therefore, mirrors.nic.funet.fi is Finland’s country mirror.
Tunisia does not have any third-party mirrors in its country. Therefore the
Tunisia country mirror is just the primary Ubuntu package archive server
(archive.ubuntu.com).
dig tn.archive.ubuntu.com +noall +answer
tn.archive.ubuntu.com. 60 IN A 185.125.190.36
tn.archive.ubuntu.com. 60 IN A 91.189.91.83
tn.archive.ubuntu.com. 60 IN A 91.189.91.82
tn.archive.ubuntu.com. 60 IN A 185.125.190.39
tn.archive.ubuntu.com. 60 IN A 91.189.91.81
which are just the archive.ubuntu.com IP addresses:
dig archive.ubuntu.com +noall +answer
archive.ubuntu.com. 1 IN A 185.125.190.39
archive.ubuntu.com. 1 IN A 185.125.190.36
archive.ubuntu.com. 1 IN A 91.189.91.83
archive.ubuntu.com. 1 IN A 91.189.91.81
archive.ubuntu.com. 1 IN A 91.189.91.82
Package uploads¶
Ubuntu encourages contributions from any person in the wider community. However, direct uploading to the Ubuntu package archive is restricted. These general contributions need to be reviewed and uploaded by a sponsor.
See our article on sponsoring that explains this process in more detail.
Security update propagation¶
This section is a niche technical explanation. You can skip it if you don’t feel that this is currently relevant for you.
Because security updates contain fixes for Common Vulnerabilities and Exposures (CVE), it is mission critical to distribute them as fast as possible to end users. Mirrors are a technical burden in this case, because there is a delay between the synchronisation of a mirror and the primary Ubuntu package archive server.
In the worst case a bad actor gets informed about a CVE and can use it, before the update reaches a target machine.
Therefore the APT package manager is configured by default (on Ubuntu) to also check
for updates from security.ubuntu.com. Security updates will get uploaded here
first. If a mirror does not provide the update yet a client will download it from
security.ubuntu.com instead from the mirror.
You can see this yourself if you look what the sources.list(5) file contains on your Ubuntu machine:
cat /etc/apt/sources.list
At the end of the file you will find something similar to this:
deb http://security.ubuntu.com/ubuntu SERIES-security main restricted
# deb-src http://security.ubuntu.com/ubuntu SERIES-security main restricted
deb http://security.ubuntu.com/ubuntu SERIES-security universe
# deb-src http://security.ubuntu.com/ubuntu SERIES-security universe
deb http://security.ubuntu.com/ubuntu SERIES-security multiverse
# deb-src http://security.ubuntu.com/ubuntu SERIES-security multiverse
Because the sources.list(5) file is read from top to bottom, the APT
package manager will download updates from the mirror first and only download it
from security.ubuntu.com if the mirror has an older version,
because the mirror has not synchronised with the primary Ubuntu package archive
server yet.
security.ubuntu.com points to the same servers as archive.ubuntu.com if
you do a DNS lookup. It is used in the sources.list(5) file for the
security pocket to prevent a user/script from accidentally changing it to a mirror.
Resources¶
Landscape repositories¶
Landscape is a management and administration tool for Ubuntu. Landscape allows you to mirror APT repositories like the Ubuntu package archive. Although it is not directly related to the Ubuntu package archive it can be educational to understand how APT repositories work in general.