How to install specific Ubuntu deb packages, with exact version?

Question

I want to setup a new virtual machine with some specified packages (name and version), that are provided.

For example, apache2 in version 2.2.20-1ubuntu1 with all dependencies. Even if there is a new version of this package on the servers this one should be installed.

The solution has to work/scale with multiple (n) "setups". Another virtual machine might need an older version of apache2.

I currently know of some possibilities that install the exact packages, but do not scale that good:

1. Copy all required *.deb to every virtual machine manually and enter: dpkg -i ... -> Could work, but it is very error-prone. (Manual scripts etc.)
2. Create and use a new Ubuntu repository for each setup. -> Does not work because I would need n repositories.
3. Setup the machine once and copy the VM / create a snapshot. -> Does not work because I would need to store n VMs.

My problem could be labeled as patch management, but I do not want to update my packages to the current version. My goal is to install old packages.

Answer 1

You can use apt-get to install a specific version of the package a long as it is in an archive that apt knows about. From the apt-get manpage:

A specific version of a package can be selected for installation by following the package name with an equals and the version of the package to select. This will cause that version to be located and selected for install. Alternatively a specific distribution can be selected by following the package name with a slash and the version of the distribution or the Archive name (stable, frozen, unstable).

For example, you could do:

sudo apt-get install apache2=2.2.20-1ubuntu1

Note that you may need to do some dependency resolution on your own in this case, but if there are any problems apt-get will tell you what is causing them. On my 11.10 system I would need to do the following to get this to work:

sudo apt-get install apache2=2.2.20-1ubuntu1 \
                     apache2.2-common=2.2.20-1ubuntu1 \
                     apache2.2-bin=2.2.20-1ubuntu1 \
                     apache2-mpm-worker=2.2.20-1ubuntu1

You can display available package versions as follows:

sudo apt list -a apache2

Answer 2

To check which versions are available, you can check via:

sudo apt-cache madison ^apache2

^{If won't work, consider running sudo apt-get update before to update the package list.}

Then copy the version or use the following syntax:

sudo apt-get install apache2=2.2.\*

To check which version you've installed, run:

dpkg -l 'apache2*' | grep ^i

If the version info is truncated, try:

COLUMNS=100 dpkg -l <packageName>

Answer 3

I'll expand on earlier answers with other handy versioning commands in the apt family. To see which versions are available, run apt-cache policy:

# apt-cache policy apache2
apache2:
  Installed: (none)
  Candidate: 2.4.7-1ubuntu4.5
  Version table:
     2.4.10-1ubuntu1.1~ubuntu14.04.1 0
        100 http://us.archive.ubuntu.com/ubuntu/ trusty-backports/main amd64 Packages
     2.4.7-1ubuntu4.5 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.4.7-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Then, as mentioned elsewhere, install a specific version with apt-get:

# apt-get install apache2=2.4.7-1ubuntu4.5
...

You can now see which version you have installed by running apt-cache policy again:

# apt-cache policy apache2
apache2:
  Installed: 2.4.7-1ubuntu4.5
  Candidate: 2.4.7-1ubuntu4.5
  Version table:
     2.4.10-1ubuntu1.1~ubuntu14.04.1 0
        100 http://us.archive.ubuntu.com/ubuntu/ trusty-backports/main amd64 Packages
 *** 2.4.7-1ubuntu4.5 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.7-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

If you don't want newer versions to be installed on updates, pin the package with apt-mark:

# apt-mark hold apache2
apache2 set on hold.

Let's say a new version of apache2 is added to the package index and your machine is synced with apt-get update. You'll see this when you next run apt-get upgrade:

# apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  apache2
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

Answer 4

As psusi explains, old versions are not kept in the ubuntu repository, but apparently you can still find them on launchpad. So, you go to (replace trusty and amd64 with your ubuntu version and architecture):

https://launchpad.net/ubuntu/trusty/amd64/apache2

and select the version you desire. Then you download the deb as a file and install with:

dpkg -i apache2_2.4.7-1ubuntu4.20_amd64.deb

Again, replace the filename to your file. This gets tedious if you have to downgrade a lot of packages but it's better than nothing if you're desperate.

Answer 5

Practically speaking, this isn't possible because the old versions are not kept in the archive, so unless you have a copy of the old version laying around somewhere, you can't install it. You should be asking yourself why you want to install an older version in the first place. On a stable release, the main reason for a new version being released is to correct a security vulnerability, and you don't want to be running a vulnerable server do you?

Answer 6

Also consider "wildcarding" the minor version

I've just learnt today that PPA minor versions are sometimes removed and replaced with another. E.g. it happened recently that the Git PPA https://launchpad.net/~git-core/+archive/ubuntu/ppa removed 1:2.36.0-0ppa1~ubuntu20.04.1 and replaced it with 1:2.36.1-0ppa1~ubuntu20.04.1. This then broke some Docker setup I had.

Luckily, I've found that wildcards do work on apt install, so I replaced the broken:

sudo apt install git=1:2.36.0-0ppa1~ubuntu20.04.1

with:

sudo apt install git='1:2.36.*'

Hopefully this will keep my scripts going for some longer.