How to Check APT Package Origin and Archive for Debugging Unattended Upgrades


When debugging unattended upgrades in Debian/Ubuntu systems, package origins and archives play a crucial role. These metadata fields determine which packages are eligible for automatic updates based on your Allowed-Origins configuration in /etc/apt/apt.conf.d/50unattended-upgrades.

The most precise way to examine a package's origin is using apt-cache policy:

apt-cache policy package-name

For example, examining the nginx package:

$ apt-cache policy nginx
nginx:
  Installed: 1.18.0-6ubuntu14.3
  Candidate: 1.18.0-6ubuntu14.3
  Version table:
 *** 1.18.0-6ubuntu14.3 500
        500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.18.0-6ubuntu14 500
        500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages

For a more detailed view of all installed packages and their origins:

apt list --installed 2>/dev/null | awk -F/ '/\// {print $1}' | xargs -n1 apt-cache policy

Or using apt-show-versions (requires installation):

apt-show-versions -a

You can query specific fields using apt-cache show:

apt-cache show package-name | grep -E '^(Package|Version|Architecture|Origin):'

For a more machine-readable format, use aptitude:

aptitude search '?installed' -F '%p %O %A'

Match the origins found with your 50unattended-upgrades file:

grep -i origin /etc/apt/apt.conf.d/50unattended-upgrades

Common patterns include:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

Remember that origins follow the format archive:component (e.g., Ubuntu:focal or Debian:bullseye). The actual origin string in the package metadata might appear differently in the APT sources.

To understand why a particular package wasn't upgraded automatically:

sudo unattended-upgrade --debug --dry-run

This will show the decision-making process, including origin checks.

The final piece is verifying your sources.list entries match your unattended upgrades configuration:

grep -rhE '^deb ' /etc/apt/sources.list /etc/apt/sources.list.d/

The repository URLs in these files should correspond to the origins you're allowing for automatic updates.


When troubleshooting unattended upgrades in Debian/Ubuntu systems, examining package origins is crucial. The apt-cache policy command reveals detailed package information:

apt-cache policy package-name

Example output for nginx:

nginx:
  Installed: 1.18.0-6ubuntu14.4
  Candidate: 1.18.0-6ubuntu14.4
  Version table:
 *** 1.18.0-6ubuntu14.4 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.17.10-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

The unattended-upgrades package uses /etc/apt/apt.conf.d/50unattended-upgrades to define allowed origins. A typical configuration might look like:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESM:${distro_codename}";
};

To match packages against your allowed origins, use this Python script to extract origin patterns:

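import apt

cache = apt.Cache()
pkg = cache["nginx"]  # raises KeyError if APT does not know the package

# candidate is None when no installable version exists
if pkg.candidate is not None:
    # One record per repository that offers the candidate version
    for origin in pkg.candidate.origins:
        print(f"Origin: {origin.origin}")
        print(f"Archive: {origin.archive}")
        print(f"Site: {origin.site}")
        print(f"Component: {origin.component}")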

When a package isn't upgrading automatically, check these aspects:

  1. Verify the origin matches your Allowed-Origins pattern
  2. Check if the package is pinned (apt-cache policy shows pin priorities)
  3. Confirm the candidate version is newer than installed
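
A simplified model of check 1 above, as an added example that is not part of the original page and is not unattended-upgrades' own code: it expands the Allowed-Origins entries and compares them, by exact string match, with the Origin and Archive values that the python-apt script prints. The sample config, the package records, and the function names allowed_origins and audit are constructed for illustration.

```python
import re

# Constructed sample config, same shape as the page's Allowed-Origins block.
SAMPLE_CONF = """
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
"""

# Constructed (origin, archive) records per package candidate, i.e. the
# origin.origin / origin.archive values the page's python-apt script prints.
SAMPLE_CANDIDATES = {
    "nginx": [("Ubuntu", "focal-updates"), ("Ubuntu", "focal-security")],
    "htop": [("Ubuntu", "focal-updates")],
    "ppa-tool": [("LP-PPA-owner-ppa-name", "focal")],  # hypothetical package
}


def allowed_origins(conf_text, distro_id, distro_codename):
    """Expand the Allowed-Origins block into a set of (origin, archive) pairs."""
    pairs, inside = set(), False
    for raw in conf_text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop // comments
        if not inside:
            inside = "Allowed-Origins" in line and line.endswith("{")
        elif line.startswith("}"):
            break
        elif (m := re.fullmatch(r'"([^"]+)"\s*;', line)):
            entry = m.group(1).replace("${distro_id}", distro_id)
            entry = entry.replace("${distro_codename}", distro_codename)
            origin, _, archive = entry.partition(":")
            pairs.add((origin, archive))
    return pairs


def audit(candidates, allowed):
    """Map package -> matching records; an empty list means not eligible."""
    return {pkg: [rec for rec in recs if rec in allowed]
            for pkg, recs in candidates.items()}


if __name__ == "__main__":
    allowed = allowed_origins(SAMPLE_CONF, "Ubuntu", "focal")
    for pkg, hits in audit(SAMPLE_CANDIDATES, allowed).items():
        print(pkg, "eligible via" if hits else "NOT eligible", hits or "")
```

With the -updates entry commented out, a package whose candidate is published only in focal-updates is reported as not eligible, which is a common reason an expected upgrade never installs.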

For comprehensive verification, this bash command lists all upgradable packages with origins:

# Skip the "Listing..." header and blank lines, which contain no "/"
apt list --upgradable 2>/dev/null | while read -r pkg; do
    pkg_name=${pkg%%/*}
    [ "$pkg_name" != "$pkg" ] && apt-cache policy "$pkg_name"
done

Different repositories use varying origin formats:

Repository        Typical Origin Pattern
Ubuntu Main       Ubuntu:focal
Ubuntu Security   Ubuntu:focal-security
PPA               LP-PPA-owner-ppa-name
Debian            Debian:buster