$ Linux One Liners
Back to lessons

Cybersecurity Triage

Review Kept-Back Packages Before Patching

A normal apt upgrade simulation reports packages kept back, and you need to capture them before choosing a broader upgrade path.

Command

apt-get -s upgrade | sed -n '/kept back:/,/^Inst/p'

What changed

Nothing changes. The command prints the kept-back section from simulated apt output.

Danger

safe

When to use it

Use when kernel, agent, or dependency updates may need dist-upgrade, full-upgrade, or manual review.

When not to use it

Do not assume kept-back means safe to ignore; security fixes can be hidden behind dependency changes.

Undo or recovery

No undo needed because the command is read-only simulation.

Expected output

The kept-back package section from apt simulation output.

demo script

Disposable terminal steps

  1. apt-get -s upgrade
  2. apt-get -s upgrade | sed -n '/kept back:/,/^Inst/p'
Terminal transcript Demo JSON

simulated output

What it looks like

disposable vessel 
::fixture-ready::
$ apt-get -s upgrade
Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following packages have been kept back:
  app-agent linux-image-generic
The following packages will be upgraded:
  curl nginx openssl
3 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst curl [8.5.0-2ubuntu10.6] (8.5.0-2ubuntu10.7 Ubuntu:24.04/noble-updates [amd64])
Inst nginx [1.24.0-2ubuntu7.3] (1.24.0-2ubuntu7.4 Ubuntu:24.04/noble-updates [amd64])
Inst openssl [3.0.13-0ubuntu3.5] (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])
Conf curl (8.5.0-2ubuntu10.7 Ubuntu:24.04/noble-updates [amd64])
Conf nginx (1.24.0-2ubuntu7.4 Ubuntu:24.04/noble-updates [amd64])
Conf openssl (3.0.13-0ubuntu3.6 Ubuntu:24.04/noble-security [amd64])
::exit-code::0
$ apt-get -s upgrade | sed -n '/kept back:/,/^Inst/p'
The following packages have been kept back:
  app-agent linux-image-generic
The following packages will be upgraded:
  curl nginx openssl
3 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst curl [8.5.0-2ubuntu10.6] (8.5.0-2ubuntu10.7 Ubuntu:24.04/noble-updates [amd64])
::exit-code::0

YouTube Short

Do not ignore kept-back packages.

A normal upgrade can leave packages behind. Capture the kept-back list before deciding what kind of patch window you need.

LinkedIn hook

Kept-back packages are where simple upgrade plans stop being simple.

Question: How do you handle kept-back packages during security maintenance?

experiments

A/B tests to run

Metric: comment_rate

A: Kept-back packages deserve review.

B: Simple upgrade plans stop here.