How to tell from what Ubuntu or Debian repository a package comes?

167

On a Debian-based system, including Ubuntu, how can one tell which repository a package will be downloaded from, without actually beginning the download? aptitude show and apt-cache info will show the section (e.g., metapackage, base, graphics), but not the repository to which a package belongs (e.g., http://ppa.launchpad.net/mactel-support/ppa/ubuntu or http://us.archive.ubuntu.com/ubuntu/).

When installing the package, the actual repository appears during the download (it is printed out in the "downloading from ..." output from apt and similar programs), but how can one obtain information on the repository containing the package (or a specific version of a package) without downloading and installing it first?

Additionally, how can one determine the source repository for a package that is already installed?

gotgenes

Posted 2010-02-09T19:14:23.103

Reputation: 2 246

1i find this one of the deficiencies of Apt; it's just not easy to tell from which repository provides a certain package within the package installer tools. – quack quixote – 2010-02-09T19:52:15.083

Answers

202

I run apt-cache policy <package name>:

$ apt-cache policy wajig
wajig:
  Installed: 2.1
  Candidate: 2.1
  Version table:
 *** 2.1 0
        100 /var/lib/dpkg/status
     2.0.47 0
        500 file:/home/wena/.repo_bin/ squeeze/main i386 Packages
        500 ftp://ftp.is.co.za/debian/ squeeze/main i386 Packages

That means that there are three wajig packages:

One that is installed (/var/lib/dpkg/status)
One that is available from a local repository (file:/home/wena/.repo_bin/)
One that is available from a remote repository (ftp://ftp.is.co.za/debian), which also happens to have the same version (2.0.47) as the one in a local repository

Additionally, apt-cache madison <package name> will display similar information in a tabular format.

 wajig |        2.2 | mirror://mirrors.ubuntu.com/mirrors.txt/ precise/universe amd64 Packages
 wajig |        2.2 | mirror://mirrors.ubuntu.com/mirrors.txt/ precise/universe Sources

tshepang

Posted 2010-02-09T19:14:23.103

Reputation: 3 001

When the package is not installed, apt-cache policy says: Installed: (none). – John McGehee – 2018-07-19T20:16:01.227

But it doesn't show where the installed package came from, does it? – Adobe – 2012-04-27T11:16:50.927

2@Adobe In my case, the 2.1 version isn't available from any repository. It's locally-built. – tshepang – 2012-04-29T09:26:42.640

2What is sign of installed package? *** or /var/lib/dpkg/status ? – SuB – 2013-09-19T17:39:17.320

Maybe both? Not sure. – tshepang – 2013-09-19T20:24:51.357

Aha! Apparently, the proper apt command is not apt-cache info, but instead, apt-cache showpkg.

$ apt-cache showpkg linux-generic
Package: linux-generic
Versions: 
2.6.31.19.32 (/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_karmic-updates_main_binary-amd64_Packages) (/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_karmic-security_main_binary-amd64_Packages) (/var/lib/dpkg/status)
 Description Language: 
                 File: /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_karmic-updates_main_binary-amd64_Packages
                  MD5: 5d722da329763b9342d322f5a140005c

2.6.31.14.27 (/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_karmic_main_binary-amd64_Packages)
 Description Language: 
                 File: /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_karmic_main_binary-amd64_Packages
                  MD5: 5d722da329763b9342d322f5a140005c


Reverse Depends: 
Dependencies: 
2.6.31.19.32 - linux-image-generic (5 2.6.31.19.32) 
2.6.31.14.27 - linux-image-generic (5 2.6.31.14.27) 
Provides: 
2.6.31.19.32 - 
2.6.31.14.27 - 
Reverse Provides:

The File: line provides the repository information after the /var/lib/apt/lists/.

There is a bug report that aptitude cannot display the source repository, but it seems at present the feature is still on the wish list.

gotgenes

Posted 2010-02-09T19:14:23.103

Reputation: 2 246

That aptitude feature is still on whislist 8 years later and I don't know why this answer (apt-cache showpkg) is not marked as the correct one. – Csaba Toth – 2018-03-24T18:20:28.153

This works for me (shows where the 2vcard package is):

$ grep 2vcard /var/lib/apt/lists/* | grep "Filename:"

/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_karmic_universe_binary-i386_Packages:Filename: pool/universe/2/2vcard/2vcard_0.5-3_all.deb

You can apply additional filtering to check versions, etc., if multiple versions are available.

Sunny

Posted 2010-02-09T19:14:23.103

Reputation: 921

Pragmatic. I'm surprised this information is not accessible through any of the front ends to dpkg, though. – gotgenes – 2010-02-10T00:27:48.750

@got It is available: http://superuser.com/questions/106794/how-to-tell-from-what-ubuntu-or-debian-repository-a-package-comes/236605#236605

– tshepang – 2011-01-23T07:41:55.850

I wonder why no one mentioned aptitude. I use it all the time.

Aptitude is:

shipped by default with many Debian-based distributions. Can be installed to other (such as Ubuntu) via sudo apt install aptitude
does not require administrative privileges (at least for the command below)
does have a nice ncurses GUI (but most of time used without it)

provides a really pretty output. To show versions of packages, use aptitude versions command:

me@wheezy:~$ aptitude versions kde-standard
Package kde-standard:                        
i A 5:77+deb7u1     stable              500
p A 5:84            testing,unstable    130

does not have Super Cow Powers

The letter in front of each string indicates the package's status, i is installed and p is purged (or never installed), stable, testing and unstable are repository definitions, the number in the end is a pin priority.

One caveat regarding recent versions of aptitude worth a mentioning here: by default it shows all the packages, which include the name you search, so use a regex magic a little to search by the strict name, for example aptitude versions ^kde-workspace$.

Neurotransmitter

Posted 2010-02-09T19:14:23.103

Reputation: 996

1Nice command but it doesn't list the repository as requested. – bjhend – 2017-03-15T11:56:17.123

Actually it does.

– Neurotransmitter – 2017-03-15T14:23:46.647

You don't understand. Additional PPAs can be installed. It is important to know whether a package is from such a PPA. As a matter of fact, that's what I'm trying to figure out right now - if it is, I can remove the PPA, reducing the risk of problems. – reinierpost – 2017-05-25T17:46:41.920

Yes, you're right, with versions you can simply check the apt pinning values of the given packages, not the associated repos. It is still useful though if you know all your repos and how they are pinned. – Neurotransmitter – 2017-12-04T11:10:17.450

Sadly, this information is not recorded during package installation. You can make a decent guess if the repository is still in the source list and the repository still has the package:

grep -l PKG /var/lib/apt/lists/*

apt-cache showpkg is showing data from the repository database (not what is installed) so it's another form of the same information from the grep.

Even synaptic cannot tell (in the Origin screen) if you disable the repository and update.

kanaka

Posted 2010-02-09T19:14:23.103

Reputation: 251

fwiw (a decade later), in my case, I was trying to tell if a package was installed via a repo or deb file, which this approach would (obviously) not consider; however, the simple command apt-cache policy {package} does work as expected in both these cases to identify the source of the package. https://superuser.com/a/236605/73961

– michael – 2020-02-01T05:27:20.630

Or, inspired by Sunny you can try:

# list installed restricted packages
for i in `dpkg --get-selections | awk '{ print $1 }'`; do egrep -lRI "^Filename: .*/${i}_[^/]+.deb" /var/lib/apt/lists/ | grep -q 'restricted' && echo $i; done

# list installed multiverse packages
for i in `dpkg --get-selections | awk '{ print $1 }'`; do egrep -lRI "^Filename: .*/${i}_[^/]+.deb" /var/lib/apt/lists/ | grep -q 'multiverse' && echo $i; done

ps. not 100% accurate.

Tim

Posted 2010-02-09T19:14:23.103

Reputation: 29