"The following packages have been kept back:" Why and how do I solve it?

I just added a PPA repository for the development version of the GIMP, but I get this error:

$ apt-get update && apt-get upgrade
...
The following packages have been kept back: gimp gimp-data libgegl-0.0-0 libgimp2.0

Why and how can I solve it so that I can use the latest version instead of the one I have now?

1

23 Answers

According to an article on debian-administration.org,

If the dependencies have changed on one of the packages you have installed so that a new package must be installed to perform the upgrade then that will be listed as "kept-back".

Cautious solution 1:

Per Pablo's answer, you can run sudo apt-get --with-new-pkgs upgrade, and it will install the kept-back packages.

This has the benefit of not marking the kept-back packages as "manually installed," which could force more user intervention down the line (see comments).

If Pablo's solution works for you, please upvote it. If not, please comment what went wrong.

Cautious solution 2:

The cautious solution is to run sudo apt-get install <list of packages kept back>. In most cases this will give the kept-back packages what they need to successfully upgrade.

Aggressive solution:

A more aggressive solution is to run sudo apt-get dist-upgrade, which will force the installation of those new dependencies.

But dist-upgrade can be quite dangerous. Unlike upgrade it may remove packages to resolve complex dependency situations. Unlike you, APT isn't always smart enough to know whether these additions and removals could wreak havoc.

So if you find yourself in a place where the "cautious solution" doesn't work, dist-upgrade may work... but you're probably better off learning a bit more about APT and resolving the dependency issues "by hand" by installing and removing packages on a case-by-case basis.

Think of it like fixing a car... if you have time and are handy with a wrench, you'll get some peace of mind by reading up and doing the repair yourself. If you're feeling lucky, you can drop your car off with your cousin dist-upgrade and hope she knows her stuff.

33

Whenever you receive from the command apt-get upgrade the message

The following packages have been kept back:

then to upgrade one or all of the kept-back packages, without doing a distribution upgrade (this is what dist-upgrade does, if I remember correctly) is to issue the command:

apt-get install <list of packages kept back>

this will resolve the kept-back issues and will ask to install additional packages, etc. as was explained by other answers.

See also: Why use apt-get upgrade instead of apt-get dist-upgrade?

12

I answered a similar question here.

Try this Unix SE answer:

sudo apt-get --with-new-pkgs upgrade

This allows new packages to be installed. It will let you know what packages would be installed and prompt you before actually doing the install.

apt command (friendly alternative to apt-get) share this option.

Using apt install <pkg> instead will mark pkg as "manually installed"!! To mark it again as "automatically installed" use apt-mark auto <pkg> (see also subcommand showmanual). More info on this answer.

10

apt-get dist-upgrade is dangerous for stable environment,

  1. wrong source.list setting and you end up with broken ubuntu.
  2. you might get entire application upgraded to version you dont want.

Use case: kernel upgrade kept back, you just want to upgrade the kernel, dont want to upgrade entire distribution.

Better way to handle kept back package:

sudo aptitude

If you have kept back package you should see Upgradable Packages on top of the list.

  • Hit + on that list
  • Hit g twice
  • Answer debconf stuff if asked
  • Press return to continue
  • Press Q
  • Press yes

Your kept back package installed.

6

There are normally two reasons you may see this message.

If upgrading the program (via sudo apt-get upgrade) would cause packages to be added or removed, then the program will be held back. You can use sudo apt-get dist-upgrade in this case, which will then offer to add or remove the additional packages.

This is pretty common and usually not an issue. Occasionally (particularly during an Ubuntu alpha) a dist-upgrade will offer to remove a lot of other programs, in which case you probably want to cancel it.

If the package depends on packages or versions that are not available, then the program will be held back. You really can't do anything but wait in this circumstance, since the package is basically uninstallable. This can happen when packages get added to the repository out of order, when a package is renamed, or when a package stops providing a virtual package.

2

You can also try:

sudo aptitude safe-upgrade

It's safer than full-upgrade (originally named dist-upgrade) because "packages will not be removed unless they are unused".

From man aptitude:

safe-upgrade

Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused /.../ Packages which are not currently installed may be installed to resolve dependencies unless the --no-new-installs command-line option is supplied.

Most likely these packages are held back because their installation would create dependency inconsistencies. This can either happen because you are using archives under active development, ppas, or because the mirror you uses is not fully updated.

In the last case, just wait, when the dependencies are resolved it will be installed the next time.

Edit:

There is another possibility, packages might be held back if there is put a hold on them, or if they are pinned.

5

Ubuntu 18.04, 20.04 (and newer) provide a streamlined syntax via apt full-upgrade which functions like sudo apt-get dist-upgrade.

sudo apt full-upgrade

sudo apt upgrade is used to install available upgrades of all packages currently installed on the system from the sources configured via sources.list(5). New packages will be installed if required to satisfy dependencies, but existing packages will never be removed. If an upgrade for a package requires the remove of an installed package the upgrade for this package isn't performed.

sudo apt full-upgrade performs the function of upgrade but will remove currently installed packages if this is needed to upgrade the system as a whole.

Note: full-upgrade remains on the current distribution.

See: apt man page: 18.04, 20.04, 22.04

3

This worked for me

sudo aptitude full-upgrade
3

This is usually because the package has added a dependency, and upgrade doesn't want to add it for you without permission.

If you run:

sudo apt-get install gimp gimp-data libgegl-0.0-0 libgimp2.0

Then the new versions should be installed together with their new dependency.

2

I'm adding this answer because I'm not satisfied with how other answers handle the why part of the question to understand what's going on and choose the appropriate course of action.

Hopefully this will help someone avoid blindly running apt dist-upgrade in despair!

Why is a package kept back?

To my knowledge, there are 2 categories of reasons for packages being kept back during apt upgrade.

It is marked as held back

apt-mark can do this:

sudo apt-mark hold <package>

hold is used to mark a package as held back, which will prevent the package from being automatically installed, upgraded or removed.

To list all packages marked on hold or find out if a package is on hold use:

apt-mark showhold
apt-mark showhold <package>

To remove a hold on a package and allow it to be upgraded:

sudo apt-mark unhold <package>

apt detects a dependency change

The best authoritative source of information I could find regarding this is marked as obsolete, but it says:

[Kept back] means that there are new versions of these packages which will not be installed for some reason. Possible reasons are broken dependencies (a package on which it depends doesn't have a version available for download) or new dependencies (the package has come to depend on new packages since the last version)

This will tell you the current and candidate upgrade versions of the package:

$ apt list <package>
# example output:
vim/bionic-updates,bionic-security 2:8.0.1453-1ubuntu1.4 amd64 [upgradable from: 2:8.0.1453-1ubuntu1.3]
N: There are 2 additional versions. Please use the '-a' switch to see them.

With the current version (e.g. 2:8.0.1453-1ubuntu1.3) and new version (e.g. 2:8.0.1453-1ubuntu1.4), we can figure out the changed dependencies with apt show:

apt show <package>=<old version> <package>=<new version>
# example:
apt show vim=2:8.0.1453-1ubuntu1.3 vim=2:8.0.1453-1ubuntu1.4

(or just use apt show -a to view all versions directly, but it makes the version comparison harder in my opinion)

The important parts are the Depends and Recommends package lists. If there are new packages in those lists in the new version of the kept back package, apt won't automatically upgrade it.

At this point there are 2 options to upgrade the kept back package. Note that both solutions below have the proper arguments to avoid erroneously changing a package from "automatically installed" to "manually installed".

  1. To upgrade the package and install any new "Recommended" packages (i.e. as if newly installed with apt install <package>, use --only-upgrade:

    sudo apt install --only-upgrade <package>

    (Tip: add --dry-run to see what will happen before doing it)

  2. To upgrade the package without installing any newly added "Recommended" packages, use --with-new-pkgs.

    sudo apt upgrade --with-new-pkgs <package>

Case study: upgrading the docker-ce package

Upgrading the docker-ce package on Ubuntu 18.04 is what brought me here in the first place so I thought it would be interesting to have a full concrete example.

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back: docker-ce
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
$ apt list docker-ce
Listing... Done
docker-ce/bionic 5:20.10.3~3-0~ubuntu-bionic amd64 [upgradable from: 5:19.03.12~3-0~ubuntu-bionic]
N: There are 34 additional versions. Please use the '-a' switch to see them.

Ok let's see what's holding back docker-ce:

$ apt show docker-ce=5:19.03.12~3-0~ubuntu-bionic docker-ce=5:20.10.3~3-0~ubuntu-bionic
Package: docker-ce
Version: 5:19.03.12~3-0~ubuntu-bionic
Priority: optional
Section: admin
Maintainer: Docker <>
Installed-Size: 107 MB
Depends: docker-ce-cli, containerd.io (>= 1.2.2-3), iptables, libseccomp2 (>= 2.3.0), libc6 (>= 2.8), libdevmapper1.02.1 (>= 2:1.02.97), libsystemd0
Recommends: aufs-tools, ca-certificates, cgroupfs-mount | cgroup-lite, git, pigz, xz-utils, libltdl7, apparmor
Conflicts: docker (<< 1.5~), docker-engine, docker-engine-cs, docker.io, lxc-docker, lxc-docker-virtual-package
Replaces: docker-engine
Homepage:
Download-Size: 22.5 MB
APT-Manual-Installed: yes
APT-Sources: bionic/stable amd64 Packages
Description: Docker: the open-source application container engine Docker is a product for you to build, ship and run any application as a lightweight container . Docker containers are both hardware-agnostic and platform-agnostic. This means they can run anywhere, from your laptop to the largest cloud compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blocks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider.
Package: docker-ce
Version: 5:20.10.3~3-0~ubuntu-bionic
Priority: optional
Section: admin
Maintainer: Docker <>
Installed-Size: 121 MB
Depends: containerd.io (>= 1.4.1), docker-ce-cli, iptables, libseccomp2 (>= 2.3.0), libc6 (>= 2.8), libdevmapper1.02.1 (>= 2:1.02.97), libsystemd0
Recommends: apparmor, ca-certificates, docker-ce-rootless-extras, git, libltdl7, pigz, xz-utils
Suggests: aufs-tools, cgroupfs-mount | cgroup-lite
Conflicts: docker (<< 1.5~), docker-engine, docker-engine-cs, docker.io, lxc-docker, lxc-docker-virtual-package
Replaces: docker-engine
Homepage:
Download-Size: 24.8 MB
APT-Sources: bionic/stable amd64 Packages
Description: Docker: the open-source application container engine Docker is a product for you to build, ship and run any application as a lightweight container . Docker containers are both hardware-agnostic and platform-agnostic. This means they can run anywhere, from your laptop to the largest cloud compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blocks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider.

Version 5:20.10.3~3-0~ubuntu-bionic has added docker-ce-rootless-extras as a new recommended dependency. I wish apt would be more helpful and simply suggest installing it or something instead of leaving me with an old version... Anyhow, here are the 2 possible fixes (with --dry-run for illustration purposes):

$ sudo apt upgrade --with-new-pkgs --dry-run docker-ce
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded: docker-ce
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst docker-ce [5:19.03.12~3-0~ubuntu-bionic] (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
$ sudo apt install --only-upgrade --dry-run docker-ce
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed: docker-ce-rootless-extras
Recommended packages: slirp4netns
The following NEW packages will be installed: docker-ce-rootless-extras
The following packages will be upgraded: docker-ce
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst docker-ce [5:19.03.12~3-0~ubuntu-bionic] (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Inst docker-ce-rootless-extras (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce-rootless-extras (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])

I have found that aptitude does a better job at upgrading packages if the versions differ just slightly. I had a situation like this:

me@compy:/etc/apt$ apt-cache policy gzip
gzip: Installed: 1.3.5-15 Candidate: 1.3.5-15+etch1 Version table: 1.3.5-15+etch1 0 500 etch/main Packages *** 1.3.5-15 0 100 /var/lib/dpkg/status

This made apt-get hold back the update, but aptitude updated it just fine. I'm unsure which algorithm is used to determine if a package should be updated or not. I guess these two had the same version, only a different 'qualifier'. But in any case, apt-get wouldn't update it, but aptitude would.

In my case packages held back were those related to linux-headers and kernel. I came to this by trying to solve an issue with having a red exclamation mark in the notification area and not being able to update packages.

To solve it, I did not have to use neither dist-upgrade nor manual apt-get install xxx.

What I did and has helped has been simple and clean:

sudo apt-get update
sudo apt-get autoremove
sudo apt-get autoclean
sudo apt-get upgrade

I had to manually confirm Grub update and its configuration.

Then I just worked with the computer for a while and then standard update dialogue has appeared again finally including "Ubuntu base" section with kernel and related. The update was performed without any trouble and I do not see any held back packages any more.

Also, it is very important to keep in mind that those *buntu updates including kernel updates are sensitive to hibernation - I've got this problem several times and I always get it resolved by restarting the machine and performing the steps above.

So maybe this would be just enough?!

(situation being described in here is related to my Xubuntu 15.10 in the end of december 2015)

I ran into this problem when a new kernel was released. (Possibly because I have unstable updates enabled.) I found the simplest way to do the install was through Ubuntu's graphical installer (update-manager).

This looks like the correct way to reinstall kept back package:

apt-get install --reinstall libjpeg-progs

At least this worked for me when libjpeg-progs was stuck after upgrading from Ubuntu 14.04 to 16.04. I'm sure you can do the same with any other kept back app, e.g. gimp.

Source

2

I ran into this problem using synaptic because it appeared to hang, and to try and fix this I re-booted and tried again.

SOLUTION: Then I discovered an informative message as part of the package with some post-installation instructions for me.

I had to hit "details", and then 'q' for quit after reading the message, and then things proceeded normally.

In actual fact, the switch you need is dselect-upgrade which installs / removes dependencies for the particular package set involved.

I have read all the posts and found that there are many interesting explanations. I was trying all of them but have not any results completely. I have a problem with mysql-utilities which I couldn't upgrade. The updating was proposed by the system. So, I want to show some steps to do it. Of course, I will repeat in some moments all of the aforementioned posts. Here is my mistake, yes I found it by already existed posts, but what should I do next?enter image description here

The next step is:

sudo apt-get --purge remove mysql-utilities

The results we can see in the image beneath. I remove the package and check this by command:

sudo apt-get -f install

Results - Fine! Later I installed this new version of package correctly.enter image description here

This way, I think can help for more new people because having other packages we can do the same steps.

Once, I am sorry, when I repeated in some places other posts.

2

For me and several commenters on Pablo's answer,

sudo apt-get --with-new-pkgs upgrade # No effect

had no effect. I do not care to have my package marked as manually installed, so I did the following, using kept back package docker-ce as an example:

sudo apt install docker-ce # Answer no, do not install

Abort the installation by answering n. Observe the new package(s) that would have been installed, and install them:

sudo apt install docker-ce-rootless-extras

Now apt upgrade will upgrade the previously kept back package:

sudo apt upgrade # Upgrades docker-ce
The following packages have been kept back: clang-9 cpp g++ gcc gcc-10-base kali-linux-default lib32gcc-s1 lib32stdc++6 libatomic1 libcc1-0 libclang-common-9-dev libclang-cpp9 libgcc-s1 libgfortran5 libgomp1 libitm1 libllvm9 liblsan0 libobjc4 libpython2-stdlib libquadmath0 libstdc++6 libtsan0 libubsan1 linux-headers-amd64 llvm-9 llvm-9-dev llvm-9-runtime llvm-9-tools python2 python2-minimal python3-chardet python3-pandas python3-pandas-lib

apt upgrade; apt update just kept coming back to that and wouldn't install anything. There was a huge block of stuff as well that needed to be autoremoved and that went fine, but still would not install the kept back packages. I tried the easy options 1 and 2 way up there at the beginning of this thread and they did not work.

So I just did apt install /that whole list of kept back packages/, and it all started going.

I've actually never run into this problem before. I just thought it was odd that apt update; apt upgrade didn't work but apt install and then copying that whole list in went off without a hitch and it's working fine now.

And I'm going to apologize now. I wasn't using an ubuntu distribution (I just realized this). I was actually updating a Kali installation when this all occurred. I've never seen anything like this on Ubuntu.

Let me know if I should delete this post (still new).

Ron

For the very specific flavour of this problem where the proprietary nvidia drivers are halfway updated to a new version, I reinstalled them using the driver manager. To give some context: I was stuck halfway between the 440 and 450 version of the driver and a whole package of libnvidia 440 packages were kept back. This resulted in my kubuntu being stuck at the spash screen after grub. To get into the system, I had to add "nomodeset" to the grub command as described here.

In this specific case

sudo apt-get --with-new-pkgs upgrade

did have no effect. However, I was able to reinstall the drivers through the additional driver management. In my case, on Kubuntu I started

sudo kubuntu-driver-manager

On Ubuntu you can reach the same thing via System Settings > System > Software & Updates > Additional Drivers

There I selected the 450 driver and the graphic drivers were reinstalled, resulting in a properly booting machine.

Following a do-release-upgrade, your third-party or private repositories (such as PPAs) may be disabled. This can stop a package being updated because it can no longer find the dependencies it needs, and/or old packages conflict with newer packages.

Have a look through your .list files, usually in /etc/apt/sources.list.d, to see what needs to be re-enabled.

Then run apt update and try again.

This is happened to me after a do-release-upgrade on a Google VM.

While other answers have cautioned that apt dist-upgrade might remove programs, notice that you can just run the command and then answer "no" to the "Do you want to continue?" question in order to investigate what apt would do.


After updating a raspberry pi from buster to bullseye I ended up with apt reporting

The following packages have been kept back: sshfs

So I started searching for the error message, landed on this page, read a few answers and then ran

$ apt-get dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be REMOVED: fuse
The following NEW packages will be installed: fuse3 libfuse3-3
The following packages will be upgraded: sshfs
1 upgraded, 2 newly installed, 1 to remove and 0 not upgraded.
Need to get 147 kB of archives.
After this operation, 196 kB of additional disk space will be used.
Do you want to continue? [Y/n] 

At this point it is clear that fuse had been replaced by fuse3 and I am happy to let apt remove it.


Your situation might be different but doing a (potential) dry-run will give you more detailed information and quite possibly answer the "why" question.

You Might Also Like