Check and change Raspbian package sources
Put simply, Linux consists of a kernel and packages. Packages include programs, libraries and drivers. Packages can build on each other and often depend on other packages. The versions of the packages and their dependencies are managed in the package sources. The repositories provide lists of the packages and their dependencies.
Each Linux distribution may have several different repositories (also called software archives).
Occasionally there are reasons to change or supplement the sources of the packages.
- Determine and check package sources.
- Change repositories.
- Delete unnecessary package sources.
Solution: Identify and test package sources
The point is not necessarily to change anything in the repositories, but to check which sources the packages come from and whether those sources are trustworthy enough for the purpose and application.
The following command lists all repositories and their priority.
The /etc/apt/sources.list file tells the Debian / Raspbian package manager where to obtain new programs and updates.
In addition, check the directory “/etc/apt/sources.list.d” to see which further package sources are entered there.
Here is an example of the file “raspi.list”.
Solution: Change repositories
Depending on the application, it makes sense to change or exclude individual areas of the distribution or entire package sources. The package source entries are kept in text files and can be changed with a text editor. Do not simply remove such a line; comment it out with a “#” instead.
sudo nano /etc/apt/sources.list
The point is not to force a change here. The following entry makes sense here.
For Raspbian Wheezy:
deb http://mirrordirector.raspbian.org/raspbian wheezy main contrib non-free firmware rpi
For Raspbian Jessie:
deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
If necessary, further files in the directory “/etc/apt/sources.list.d/” have to be edited. Here too, do not simply remove the lines they contain; comment them out with a “#” instead.
sudo nano /etc/apt/sources.list.d/raspi.list
Once the files have been edited, it is not enough to save them; the list of available packages must also be updated.
sudo apt-get update
Only then will the change in the available packages be taken into account.
“apt-get update” reads in all the package sources entered in the “/etc/apt/sources.list” and in the directory “/etc/apt/sources.list.d/” and then downloads the lists from these sources.
Solution: Delete unnecessary package sources
The repositories in the directory “/etc/apt/sources.list.d/” do not necessarily have to be used. If you want, you can delete them, unless you have made individual settings there. Alternatively, the lines in these files can be commented out with “#”.
sudo rm -f /etc/apt/sources.list.d/*
Then the package lists have to be updated.
sudo apt-get update
Explanation of the configuration of the package sources
A package source is specified, for example, as follows. This is an excerpt from the file “/etc/apt/sources.list”.
deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free firmware rpi
What exactly does that mean?
The line consists of the following fields, separated by spaces: the package type, the type and path of the source, the release name of the distribution, and the components of the distribution whose lists are to be loaded. The components are in turn separated by spaces.
The package type has the value “deb” or “deb-src”. “deb” refers to a package source whose packages are in binary format. The value “deb-src” is only of interest if you want to download the source code of Debian packages, for example because you want to check the source code, make changes to it or compile it yourself. The source code of a package must always be downloaded separately, and this requires that the package source is entered with “deb-src”.
The type of source can be a URL with the path. The source can also be a CD-ROM or a USB stick. A URL contains the path to the root of the source.
The release of a distribution is usually given as a codename or as one of the values “stable”, “testing” or “unstable”. So there are several versions of each release.
“stable” is the current release. The difference between “stable” and the codename becomes noticeable when a new release is published. If the codename is entered, the selected release remains in place, even if it is outdated. If “stable” is entered, the system automatically switches to the new release when it is published.
As a rule, you will always choose the codename of the currently installed release to prevent a new release from overwriting a running system. Such an overwrite can have unpredictable consequences.
“testing” is the test version of the current release and contains packages that are not yet included in the stable version but are already queued for it. The advantage of this version is that you get updated versions of the software sooner.
“unstable” is the version currently in active development. This version is mainly used by the developers working on it. Otherwise, there is no reason to use this version for normal use.
The components at the end name one or more areas of the distribution. Several entries are separated by spaces. Typical areas are “main”, “contrib” and “non-free”. For the Raspberry Pi there is also the “rpi” area.
Due to restrictive licenses or legal issues, not all packages may be included in one list. All packages that are under a free license and need only software that is also under a free license are included in “main”. Packages that their author has put under a free license but that need software which is not free are included in “contrib”. That non-free software is subject to license terms that restrict its use or distribution and is therefore included in “non-free”.
Raspbian includes two additional sections, “firmware” and “rpi”, which contain packages specifically designed for the Raspberry Pi, for example the firmware, the kernel and other modules and libraries.
Packages from foreign sources
All sections of a distribution that are not “main” may contain packages that are untrusted. The “non-free” section contains packages whose source code is not published, including drivers for hardware for which there is no free driver. Once you install software from “non-free” on your machine, you have to expect that this computer can be compromised, because for “non-free” packages there is not always publicly available source code that you can check.
Where high security matters, you will avoid hardware and software that require non-free packages. Only then can you be sure of retaining complete control of the computer.
In addition to the packages from “non-free” there are other foreign sources. For these, you have to check the trustworthiness of the source or question whether it is needed at all. Installing packages from external sources can damage the system, cause conflicts and malfunctions between official and foreign packages, and result in data loss or the installation of malicious software. It is therefore not recommended to use foreign sources.
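The line format explained above and the trust questions raised in this section can be checked together in a short script. The following Python code is an added example, not part of the original article: it parses package source lines and flags foreign hosts, releases that are not fixed to a codename and components outside “main”. The list of official hosts, the sample host packages.example.org and the additional check for apt's “trusted=yes” option (which the article does not cover) are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts accepted as official for this system; adjust to your own policy.
OFFICIAL_HOSTS = {"mirrordirector.raspbian.org"}
ROLLING_SUITES = {"stable", "testing", "unstable"}
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)((?:\s+\S+)*)$")

def parse_source_line(line):
    """Split a line into type, [options], URI, release, components; None if blank/commented."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    m = LINE_RE.match(text)
    if not m:
        raise ValueError("not a package source line: %r" % line)
    pkg_type, options, uri, suite, components = m.groups()
    return {"type": pkg_type, "options": (options or "").split(), "uri": uri,
            "suite": suite, "components": components.split()}

def audit_entry(entry):
    """Return review findings for one parsed entry (empty list: nothing to flag)."""
    findings = []
    url = urlparse(entry["uri"])
    if url.scheme in ("http", "https", "ftp") and url.hostname not in OFFICIAL_HOSTS:
        findings.append("foreign source: %s" % url.hostname)
    if "trusted=yes" in entry["options"]:
        findings.append("trusted=yes: packages accepted without signature check")
    if entry["suite"] in ROLLING_SUITES:
        findings.append("release '%s' is not fixed to a codename" % entry["suite"])
    extra = [c for c in entry["components"] if c != "main"]
    if extra:
        findings.append("components outside main: " + ", ".join(extra))
    return findings

def audit_text(text):
    """Audit the text of a sources file; returns [(line_number, entry, findings)]."""
    parsed = ((n, parse_source_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, e, audit_entry(e)) for n, e in parsed if e]

# Constructed sample input, not taken from a real system.
SAMPLE = """\
deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
# deb-src http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
deb [trusted=yes] http://packages.example.org/debian stable main
"""
if __name__ == "__main__":
    for number, entry, findings in audit_text(SAMPLE):
        print(number, entry["uri"], findings or "ok")
```

To audit a real system, pass the contents of “/etc/apt/sources.list” and of each file in “/etc/apt/sources.list.d/” to audit_text.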