Debian_Packages.mw

{{Header}}
{{#seo:
|description=Which {{project_name_long}} Debian packages are safe to remove? What is a meta package? What other packages do {{project_name_long}} meta packages install? Which packages should never be removed?
|image=Box-158523640.png
}}
[[File:Box-158523640.png|thumb]]
{{intro|
Which {{project_name_short}} Debian packages are safe to remove? What is a meta package? What other packages do {{project_name_short}} meta packages install? Which packages should never be removed?
}}
= Introduction =
It is safe to run <code>sudo apt autoremove</code> so long as the specific {{project_name_short}} machine <code>meta package</code> is kept for the {{non_q_project_name_short}} or {{q_project_name_short}} platform. In other words, these packages should <u>not</u> be in the list of autoremoved packages.

[[About|{{project_name_short}}]]:

* {{project_name_workstation_long}} Xfce: <code>kicksecure-xfce</code>
* {{project_name_workstation_short}} CLI: <code>kicksecure-cli</code>

[[Qubes|{{q_project_name_long}}]]:

* {{q_project_name_short}} GUI: <code>kicksecure-qubes-gui</code>
* {{q_project_name_short}} CLI <code>kicksecure-qubes-cli</code>

Derivatives such as [https://www.whonix.org {{Whonix}}] which are based on {{Kicksecure}}:

* See [https://www.whonix.org/wiki/Debian_Packages derivative ({{Whonix}}) specific documentation] instead of this wiki page. <ref>
Because derivatives of {{project_name_short}} install additional meta packages.
</ref>

It is actually a good idea to safely run <code>sudo apt autoremove</code> according to the following instructions on this wiki page to make sure extraneous packages which might no longer be recommended for default installation are removed.

= Re-install Meta Packages and Safely Run Autoremove =

{{Box|text=
'''1.''' [[Update]] the package lists.

{{CodeSelect|code=
sudo apt update
}}

'''2.''' Ensure a proper meta package is installed.

Select your platform.

* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]] Xfce: {{CodeSelect|code=
sudo apt install kicksecure-xfce
}}
* [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]] CLI: {{CodeSelect|code=
sudo apt install kicksecure-cli
}}
* [[{{Q project name short}}]]: {{CodeSelect|code=
sudo apt install kicksecure-qubes-gui
}}

'''3.''' Auto remove packages.

{{CodeSelect|code=
sudo apt autoremove
}}

'''4.''' Reconfirm a proper meta package is still installed.

Repeat step two.

'''5.''' Done.

The procedure of safely running <code>sudo apt autoremove</code> is complete.

Related: [[Factory Reset|{{project_name_short}} Factory Reset]]
}}

= Changed Configuration Files =

Be careful if a message like this appears.

<pre>
Configuration file '/etc/apparmor.d/usr.bin.sdwdate'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** usr.bin.sdwdate (Y/I/N/O/D/Z) [default=N] ?
</pre>

For general advice, see: [[Operating_System_Software_and_Updates#Changed_Configuration_Files|Changed Configuration Files]].

= Package Version Check =
If you need to check your package version, use <code>dpkg -l package-name</code> where package-name is the package you wish to check.

{{CodeSelect|code=
dpkg -l package-name
}}

Your output should look like this:

<pre>
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-===================================
ii  grep           3.8-5        amd64        GNU grep, egrep and fgrep
ii  package-name   0.1          amd64        package-description
</pre>

If you wish to independently verify the version, you can either access the github of a package and check its changelog.

See list of github repositories.

* https://github.com/{{project_name_short}}
* https://github.com/{{whonix}}

Go to a github repository. Example github repository:

https://github.com/{{project_name_short}}/sdwdate

Click on the <code>debian</code> sub folder.

Click on the <code>changelog</code> file. Example <code>/debian/changelog</code> file:

https://github.com/{{project_name_short}}/sdwdate/blob/master/debian/changelog

On the very top of the changelog is the latest version number.

TODO: document how to view the version number using deb.kicksecure.com / deb.whonix.org

related: [[Reporting_Bugs#Package_Upgrade_Policy|Package Upgrade Policy]]

= Advanced Topics =
{{Anchor|Disadvantage}}

== Packages FAQ ==

'''Table:''' ''Meta-packages Frequently Asked Questionss''

{| class="wikitable"
|-

! scope="col"| '''Question'''
! scope="col"| '''Answer'''
|-

! scope="row"| What is the disadvantage of removing a meta package?
| The disadvantage is any changes in package dependencies will not be automatically processed by the system when it is [[Security_Guide#Updates|upgraded]].

For example the <code>kicksecure-packages-recommended-gui</code> meta package depends <ref>
<code>Depends:</code> field in <code>debian/control</code>
</ref> on package <code>[https://github.com/{{project_name_short}}/tb-updater tb-updater]</code>. If the <code>kicksecure-packages-recommended-gui</code> package is not installed, you would not notice if <code>tb-updater</code> was [https://phabricator.whonix.org/T18 replaced] with package [https://packages.debian.org/torbrowser-launcher <code>torbrowser-launcher</code>]. <code>tb-updater</code> might become unmaintained, broken or even have unfixed security issues. {{project_name_short}} tries to [[Stay Tuned|keep users up-to-date]] if/when (security relevant) packages are deprecated. If that occurs, you could simply run <code>sudo apt purge tb-updater</code> and consider installing what the {{project_name_short}} meta package recommends as a replacement.

See also: [[#Technical_Information|Technical Information]].
{{Anchor|Which ones are safe to remove?}}
|-

! scope="row"| Which meta packages are safe to remove?
| Use apt-cache to see the package description.

* Replace <code>package-name</code> with the package you intend to install.

{{CodeSelect|code=
apt-cache package-name
}}

It will include either:

* <code>Safe to remove, if you know what you are doing.</code>; or
* <code>Do not remove.</code>

Note the [[#Removal Instructions|Removal Instructions]] below! When that entry is understood, feel free to remove any [[#Non-Issues|desktop specific meta packages]].
|-

! scope="row"| Which packages do {{project_name_short}} meta packages install?
| Refer to the following files:

* [https://github.com/{{project_name_short}}/kicksecure-meta-packages/blob/master/debian/control <code>debian/control</code>] in {{project_name_short}} [https://github.com/{{project_name_short}}/kicksecure-meta-packages <code>kicksecure-meta-packages</code>] source code folder; and
* [https://github.com/{{project_name_short}}/kicksecure-meta-packages/blob/master/debian/control <code>debian/control</code>] in {{project_name_short}} [https://github.com/{{project_name_short}}/kicksecure-meta-packages <code>kicksecure-meta-packages</code>] source code folder.

Or use for example.

{{CodeSelect|code=
apt-cache show kicksecure-packages-recommended-gui
}}
{{Anchor|Which packages should never be removed?}}
|-

! scope="row"| Which meta packages should never be removed?
| Do not remove any packages which include the name <code>dependencies</code>, unless the implications are fully understood.

TODO: document
|-

! scope="row"| How to uninstall <code>qubes-core-agent-passwordless-root</code> without also uninstalling <code>kicksecure-qubes-gui</code> or <code>kicksecure-qubes-cli</code>?
|
{{CodeSelect|code=
dummy-dependency --purge qubes-core-agent-passwordless-root
}}
|-

|}

== dummy-dependency ==
<code>dummy-dependency</code> <ref>
https://github.com/Kicksecure/helper-scripts/blob/master/usr/bin/dummy-dependency
</ref> ([https://github.com/Kicksecure/helper-scripts/blob/master/man/dummy-dependency.8.ronn man page]) can be used to install a dummy dependency package in place of a real dependency package. This allows the uninstallation of packages that are normally not uninstallable, without removing a (meta) package that depends on the original package.

== Removal Instructions ==

'''Syntax.'''

<u>Notes:</u>

* Optional: <code>--purge</code>. Same as <code>apt-get purge</code>.
* Optional: <code>--yes</code>. Does not ask for confirmation.

{{CodeSelect|code=
sudo dummy-dependency --yes --purge package-name
}}

'''Example.'''

<u>Note:</u> Replace <code>user-sysmaint-split</code> with the actual package you want to remove.

* Replace <code>user-sysmaint-split</code> with the actual package you want to remove.
* Optional: <code>--purge</code>. Same as <code>apt-get purge</code>.
* Optional: <code>--yes</code>. Does not ask for confirmation.

{{CodeSelect|code=
sudo dummy-dependency --yes --purge user-sysmaint-split
}}

forum topic: [https://forums.whonix.org/t/issues-with-removal-of-specific-packages-by-users-builders/653/9 Issues with removal of specific packages by users / builders].

== Technical Information ==

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = This section provides technical information for interested readers and can be skipped.
}}

The underlying technical issues with meta packages are not caused by {{project_name_short}}, but instead have been inherited from Debian. Those are also described here:

* [https://administratosphere.wordpress.com/2011/11/29/the-metapackage-problem-and-apt-get-autoremove/ The Metapackage Problem and apt autoremove]
* [https://tanguy.ortolo.eu/blog/article8/uninstall-meta-package Uninstalling a single component of a meta-package]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942303 Debian bug report: Weak-Depends - something in the middle between 'Recommends:' and 'Depends:']
* [https://lists.debian.org/debian-devel/2024/11/msg00018.html RFC: "Recommended bloat", and how to possibly fix it]
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086801 apt: autoremove fails to remove garbage packages with unrelated Suggests links]

The Debian manual also provides further information about meta packages:

* [https://www.debian.org/doc/manuals/developers-reference/best-pkging-practices.html#bpp-meta Best practices for meta-packages]

The {{project_name_short}} build script installs all packages using <code>apt --no-install-recommends</code>. <ref>
Function <code>pkg-install-maybe</code> in https://github.com/{{project_name_short}}/derivative-maker/blob/master/build-steps.d/3500_install-packages#L96C17.
</ref> The <code>--no-install-recommends</code> option is being used to prevent installation of many additional packages that are unwanted. For example:
* <code>kicksecure-packages-recommended-gui</code> (used to) <code>Depends: gwenview</code>.
* gwenview <code>Recommends: kamera</code>.
* Without using <code>--no-install-recommends</code>, <code>kamera</code> would also be installed and then pull its own <code>Depends:</code> as well.
* <code>kamera</code> [+ dependencies] would not be useful to have installed by default on {{project_name_workstation_short}} as it would cost unnecessary disk space. There are many more examples which could end up installing packages by default that are unrecommended for privacy reasons.

Since the <code>--no-install-recommends</code> option is used, meta packages like <code>kicksecure-packages-recommended-gui</code> must use the <code>Depends:</code> field and cannot use the <code>Recommends:</code> field. (Since no packages would be installed then.)

Even if {{project_name_short}} could and did use the <code>Recommends:</code> field, new packages added to the <code>Recommends:</code> field would not be installed when the meta package that <code>Recommends:</code> them gets upgraded. This is because packages listed after the <code>Recommends:</code> field only get installed during their initial <code>sudo apt install package-name</code> installation.

Some readers might notice that despite this explanation, <code>kicksecure-meta-packages</code>'s <code>debian/control</code> file uses the <code>Recommends:</code> field anyway. This is not a contradiction because it may be useful for a later [[Dev/Installation_from_Repository|{{project_name_short}} installation from {{project_name_short}} repository]] use case.

Forum discussion:<br />
[https://forums.whonix.org/t/issues-with-removal-of-specific-packages-by-users-builders Issues with removal of specific packages by users / builders]

= See Also =
* [[Configuration_Files#Configuration_Drop-In_Folders|Configuration Drop-In Folders]]
* [[Configuration_Files#Reset_Configuration_Files_to_Vendor_Default|Reset Configuration Files to Vendor Default]]
* [[Factory Reset|{{project_name_short}} Factory Reset]]
* [[Packages for Debian Hosts]]
* [[Project-APT-Repository|{{project_name_short}} APT Repository]]
* [[Dev/Build Documentation‏‎|Building and Update {{project_name_short}} from Source Code]]

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]