Downgrading packages after removing a repository

Andrew Sayers andrew-ubuntu-devel at
Sat Aug 1 18:49:33 UTC 2009

I've found a bug (or maybe it's a feature request) in apt (or maybe it's 
in software-properties-gtk).  I'd like to get people's opinions about 
where this is best reported, and what the report should say.

When you add a repository to your computer, then remove that repository, 
it's not obvious how to downgrade packages that are no longer available.

Normally this is a minor irritant, but it can be a security issue, or 
can even make recovery very hard indeed.  Here are three user stories to 
illustrate the issue:

Anna added a PPA through Synaptic > Settings > Repositories, which 
upgraded emacs.  She didn't like the upgraded version, so she removed 
the repository.  She scrambled around for a while, before realising she 
could get her old emacs back by removing it then reinstalling.

Tim added a repository from a random website through System > Admin > 
Software Sources, then updated and was notified that a new version of 
debconf was available.  He installed the upgrade, then realised that the 
upgrade had been downloaded from the new repository.  Realising he'd 
been tricked, he removed the new repository and assumed that debconf had 
been uninstalled as well.

Bob, thinking that a Debian-based distribution should be okay with 
Debian packages, followed command-line instructions to create 
/etc/apt/sources.list.d/debian-unstable.  Once his Ubuntu/Debian hybrid 
was installed, he rang his technical friend to clear up the mess.  The 
friend tried every "apt-get" command he knew, before gradually realising 
that he had to run "apt-cache showpkg <name>", find the package version, 
do "apt-get install <name>=<ubuntu version>", and repeat many, many times.

Ideally, I would like well-advertised command-line and GUI options that 
can downgrade packages to the latest downloadable version.  Something 
like this for example:

1) Add a "--ignore-status" option to apt-get, which forces it to ignore 
package versions listed in /var/lib/dpkg/status.  This would let "sudo 
apt-get --ignore-status install ubuntu-desktop" clear up most any problem.

2) When "apt-get update" deletes a file in /var/lib/apt/lists/, print a 
warning for every installed package that's just become non-downloadable, 
something like "the latest version of <package> is no longer 
downloadable.  You may want to run `apt-get --ignore-status install 

3) Provide similar functionality to (1) and (2) through synaptic

4) Provide similar functionality through AppCenter

Would you find this too intrusive?  Not intrusive enough?  Should I 
forget about Synaptic now that AppCenter is coming along, or should I 
focus on getting functionality into APT that can later be made available 
through the GUI?

	- Andrew

More information about the Ubuntu-devel-discuss mailing list