{{Header}}
{{title|title=
Debian Packages
}}
{{#seo:
|description=Which {{project_name_long}} Debian packages are safe to remove? What is a meta package? What other packages do {{project_name_long}} meta packages install? Which packages should never be removed?
|image=Box-158523640.png
}}
[[File:Box-158523640.png|thumb]]
{{intro|
Which {{project_name_short}} Debian packages are safe to remove? What is a meta package? What other packages do {{project_name_short}} meta packages install? Which packages should never be removed?
}}
= Introduction =
It is safe to run <code>sudo apt autoremove</code> so long as the specific {{project_name_short}} machine <code>meta package</code> is kept for the {{non_q_project_name_short}} or {{q_project_name_short}} platform. In other words, these packages should <u>not</u> be in the list of autoremoved packages.

[[About|{{project_name_short}}]]:

* {{project_name_workstation_long}} Xfce: <code>kicksecure-xfce</code>
* {{project_name_workstation_short}} CLI: <code>kicksecure-cli</code>

[[Qubes|{{q_project_name_long}}]]:

* {{q_project_name_short}} GUI: <code>kicksecure-qubes-gui</code>
* {{q_project_name_short}} CLI <code>kicksecure-qubes-cli</code>

Derivatives such as [https://www.whonix.org {{Whonix}}] which are based on {{Kicksecure}}:

* See [https://www.whonix.org/wiki/Debian_Packages derivative ({{Whonix}}) specific documentation] instead of this wiki page. <ref>
Because derivatives of {{project_name_short}} install additional meta packages.
</ref>

It is actually a good idea to safely run <code>sudo apt autoremove</code> according to the following instructions on this wiki page to make sure extraneous packages which might no longer be recommended for default installation are removed.

= Re-install Meta Packages and Safely Run Autoremove =

{{Box|text=
'''1.''' [[Update]] the package lists.

{{CodeSelect|code=
sudo apt update
}}

'''2.''' Ensure a proper meta package is installed.

Platform specific. Select your platform.

* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]] Xfce: {{CodeSelect|code=
sudo apt install kicksecure-xfce
}}
* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]] CLI: {{CodeSelect|code=
sudo apt install kicksecure-cli
}}
* [[{{Q project name short}}]]: {{CodeSelect|code=
sudo apt install kicksecure-qubes-gui
}}

'''3.''' Auto remove packages.

{{CodeSelect|code=
sudo apt autoremove
}}

'''4.''' Reconfirm a proper meta package is still installed.

Repeat step two.

'''5.''' Done.

The procedure of safely running <code>sudo apt autoremove</code> is complete.

Related: [[Factory Reset|{{project_name_short}} Factory Reset]]
}}

= Changed Configuration Files =
Be careful if a message like this appears.

<pre>
Configuration file '/etc/apparmor.d/usr.bin.sdwdate'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
  What would you like to do about it ?  Your options are:
   Y or I  : install the package maintainer's version
   N or O  : keep your currently-installed version
     D     : show the differences between the versions
     Z     : start a shell to examine the situation
The default action is to keep your current version.
*** usr.bin.sdwdate (Y/I/N/O/D/Z) [default=N] ?
</pre>

For general advice, see: [[Operating_System_Software_and_Updates#Changed_Configuration_Files|Changed Configuration Files]].

Related:

* <code>ucf</code> ([https://packages.debian.org/ucf package]) ([https://manpages.debian.org/ucf man page])

= Package Version Check =
If you need to check your package version, use <code>dpkg -l package-name</code> where package-name is the package you wish to check.

{{CodeSelect|code=
dpkg -l package-name
}}

Your output should look like this:

<pre>
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-===================================
ii  grep           3.8-5        amd64        GNU grep, egrep and fgrep
ii  package-name   0.1          amd64        package-description
</pre>

If you wish to independently verify the version, you can either access the github of a package and check its changelog.

See list of github repositories.

* https://github.com/{{project_name_short}}
* https://github.com/{{whonix}}

Go to a github repository. Example github repository:

https://github.com/{{project_name_short}}/sdwdate

Click on the <code>debian</code> sub folder.

Click on the <code>changelog</code> file. Example <code>/debian/changelog</code> file:

https://github.com/{{project_name_short}}/sdwdate/blob/master/debian/changelog

On the very top of the changelog is the latest version number.

TODO: document how to view the version number using deb.kicksecure.com / deb.whonix.org

related: [[Reporting_Bugs#Package_Upgrade_Policy|Package Upgrade Policy]]

= Advanced Topics =
{{Anchor|Disadvantage}}

== Packages FAQ ==

'''Table:''' ''Meta-packages Frequently Asked Questionss''

{| class="wikitable"
|-

! scope="col"| '''Question'''
! scope="col"| '''Answer'''
|-

! scope="row"| What is the disadvantage of removing a meta package?
| The disadvantage is any changes in package dependencies will not be automatically processed by the system when it is [[update|update]].

For example the <code>kicksecure-packages-recommended-gui</code> meta package depends <ref>
<code>Depends:</code> field in <code>debian/control</code>
</ref> on package <code>[https://github.com/{{project_name_short}}/tb-updater tb-updater]</code>. If the <code>kicksecure-packages-recommended-gui</code> package is not installed, you would not notice if <code>tb-updater</code> was [https://phabricator.whonix.org/T18 replaced] with package [https://packages.debian.org/torbrowser-launcher <code>torbrowser-launcher</code>]. <code>tb-updater</code> might become unmaintained, broken or even have unfixed security issues. {{project_name_short}} tries to [[Stay Tuned|keep users up-to-date]] if/when (security relevant) packages are deprecated. If that occurs, you could simply run <code>sudo apt purge tb-updater</code> and consider installing what the {{project_name_short}} meta package recommends as a replacement.

See also: [[#Technical_Information|Technical Information]].
{{Anchor|Which ones are safe to remove?}}
|-

! scope="row"| Which meta packages are safe to remove?
| Use apt-cache to see the package description.

* Replace <code>package-name</code> with the package you intend to install.

{{CodeSelect|code=
apt-cache package-name
}}

It will include either:

* <code>Safe to remove, if you know what you are doing.</code>; or
* <code>Do not remove.</code>

Note the [[#Removal Instructions|Removal Instructions]] below! When that entry is understood, feel free to remove any [[#Non-Issues|desktop specific meta packages]].
|-

! scope="row"| Which packages do {{project_name_short}} meta packages install?
| Refer to the following files:

* [https://github.com/{{project_name_short}}/kicksecure-meta-packages/blob/master/debian/control <code>debian/control</code>] in {{project_name_short}} [https://github.com/{{project_name_short}}/kicksecure-meta-packages <code>kicksecure-meta-packages</code>] source code folder; and
* [https://github.com/{{project_name_short}}/kicksecure-meta-packages/blob/master/debian/control <code>debian/control</code>] in {{project_name_short}} [https://github.com/{{project_name_short}}/kicksecure-meta-packages <code>kicksecure-meta-packages</code>] source code folder.

Or use for example.

{{CodeSelect|code=
apt-cache show kicksecure-packages-recommended-gui
}}
{{Anchor|Which packages should never be removed?}}
|-

! scope="row"| Which meta packages should never be removed?
| Do not remove any packages which include the name <code>dependencies</code>, unless the implications are fully understood.

TODO: document
|-

! scope="row"| How to uninstall <code>qubes-core-agent-passwordless-root</code> without also uninstalling <code>kicksecure-qubes-gui</code> or <code>kicksecure-qubes-cli</code>?
|
{{CodeSelect|code=
dummy-dependency --purge qubes-core-agent-passwordless-root
}}
|-

|}

== dummy-dependency ==
<code>dummy-dependency</code> <ref>
https://github.com/Kicksecure/helper-scripts/blob/master/usr/bin/dummy-dependency
</ref> ([https://github.com/Kicksecure/helper-scripts/blob/master/man/dummy-dependency.8.ronn man page]) can be used to install a dummy dependency package in place of a real dependency package. This allows:

* A) the uninstallation of packages that are normally not uninstallable, without removing a (meta) package that depends on the original package. And/or;
* B) avoiding the installation of dependency packages that are considered problematic, such as [https://packages.debian.org/{{Stable_project_version_based_on_Debian codename}}/geoclue-2.0 GeoClue] (due to [https://gitlab.freedesktop.org/geoclue/geoclue/-/issues/177 privacy concerns associated with GeoClue]), which might be pulled as a dependency.

== Removal Instructions ==

'''Syntax.'''

<u>Notes:</u>

* Optional: <code>--purge</code>. Same as <code>apt-get purge</code>.
* Optional: <code>--yes</code>. Does not ask for confirmation.

{{CodeSelect|code=
sudo dummy-dependency --yes --purge package-name
}}

'''Example.'''

<u>Note:</u> Replace <code>user-sysmaint-split</code> with the actual package you want to remove.

* Replace <code>user-sysmaint-split</code> with the actual package you want to remove.
* Optional: <code>--purge</code>. Same as <code>apt-get purge</code>.
* Optional: <code>--yes</code>. Does not ask for confirmation.

{{CodeSelect|code=
sudo dummy-dependency --yes --purge user-sysmaint-split
}}

forum topic: [https://forums.whonix.org/t/issues-with-removal-of-specific-packages-by-users-builders/653/9 Issues with removal of specific packages by users / builders].

== Technical Information ==

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = This section provides technical information for interested readers and can be skipped.
}}

The underlying technical issues with meta packages are not caused by {{project_name_short}}, but instead have been inherited from Debian. Those are also described here:

* [https://administratosphere.wordpress.com/2011/11/29/the-metapackage-problem-and-apt-get-autoremove/ The Metapackage Problem and apt autoremove]
* [https://tanguy.ortolo.eu/blog/article8/uninstall-meta-package Uninstalling a single component of a meta-package]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942303 Debian bug report: Weak-Depends - something in the middle between 'Recommends:' and 'Depends:']
* [https://lists.debian.org/debian-devel/2024/11/msg00018.html RFC: "Recommended bloat", and how to possibly fix it]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086801 apt: autoremove fails to remove garbage packages with unrelated Suggests links]

The Debian manual also provides further information about meta packages:

* [https://www.debian.org/doc/manuals/developers-reference/best-pkging-practices.html#bpp-meta Best practices for meta-packages]

The {{project_name_short}} build script installs all packages using <code>apt --no-install-recommends</code>. <ref>
Function <code>pkg-install-maybe</code> in https://github.com/{{project_name_short}}/derivative-maker/blob/master/build-steps.d/3500_install-packages#L96C17.
</ref> The <code>--no-install-recommends</code> option is being used to prevent installation of many additional packages that are unwanted. For example:
* <code>kicksecure-packages-recommended-gui</code> (used to) <code>Depends: gwenview</code>.
* gwenview <code>Recommends: kamera</code>.
* Without using <code>--no-install-recommends</code>, <code>kamera</code> would also be installed and then pull its own <code>Depends:</code> as well.
* <code>kamera</code> [+ dependencies] would not be useful to have installed by default on {{project_name_workstation_short}} as it would cost unnecessary disk space. There are many more examples which could end up installing packages by default that are unrecommended for privacy reasons.

Since the <code>--no-install-recommends</code> option is used, meta packages like <code>kicksecure-packages-recommended-gui</code> must use the <code>Depends:</code> field and cannot use the <code>Recommends:</code> field. (Since no packages would be installed then.)

Even if {{project_name_short}} could and did use the <code>Recommends:</code> field, new packages added to the <code>Recommends:</code> field would not be installed when the meta package that <code>Recommends:</code> them gets upgraded. This is because packages listed after the <code>Recommends:</code> field only get installed during their initial <code>sudo apt install package-name</code> installation.

Some readers might notice that despite this explanation, <code>kicksecure-meta-packages</code>'s <code>debian/control</code> file uses the <code>Recommends:</code> field anyway. This is not a contradiction because it may be useful for a later [[Debian|{{project_name_short}} distribution morphing installation method]] use case.

Forum discussion:<br />
[https://forums.whonix.org/t/issues-with-removal-of-specific-packages-by-users-builders Issues with removal of specific packages by users / builders]

= See Also =
* [[Configuration_Files#Configuration_Drop-In_Folders|Configuration Drop-In Folders]]
* [[Configuration_Files#Reset_Configuration_Files_to_Vendor_Default|Reset Configuration Files to Vendor Default]]
* [[Factory Reset|{{project_name_short}} Factory Reset]]
* [[Packages for Debian Hosts]]
* [[Project-APT-Repository|{{project_name_short}} APT Repository]]
* [[Dev/Build Documentation‏‎|Building and Update {{project_name_short}} from Source Code]]

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.