
Cybersecurity Triage

Find Held Packages Blocking Patches

A patch simulation (for example apt-get -s upgrade) reports packages as kept back, and you need to know whether apt holds are part of the reason before you look elsewhere.

Command

apt-mark showhold | sed 's/^/held: /'

What changed

Nothing changes on the system. apt-mark showhold prints the names of packages in the dpkg hold state, one per line, and sed prefixes each line with held: so it can be pasted straight into incident notes.

Danger

safe

When to use it

Use before blaming repositories, mirrors, or dependency conflicts for missing security updates. Note that it only lists dpkg holds; a pin in /etc/apt/preferences or /etc/apt/preferences.d can also keep an update out and shows up in apt-cache policy <package>, not here.

When not to use it

Do not remove holds automatically (apt-mark unhold); confirm why each package was held and who owns the risk before lifting it.

Undo or recovery

No undo needed because the command is read-only.

Expected output

One held package name per line, each prefixed with held:, for quick review. No output means nothing is held, so the kept-back packages need another explanation.

demo script

Disposable terminal steps

  1. apt-mark showhold
  2. apt-mark showhold | sed 's/^/held: /'
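The two steps above list holds; the next question is which of the kept-back packages those holds actually explain. The script below is an added example written for this page, not part of the original lesson, and it cross-references the kept-back list from a patch simulation against the held list. The apt-mark and apt-get outputs it parses are constructed samples (assumption: the "kept back" header and two-space indentation match what apt-get -s upgrade prints), and the function names kept_back, classify_kept_back and held_not_kept_back are mine.

```shell
#!/bin/sh
# Added example (not part of the original lesson): cross-reference the
# packages a patch simulation reports as "kept back" against apt holds,
# so the notes say which kept-back packages are explained by a hold and
# which need another explanation (new dependencies, phased updates, pins).
#
# On a live host the two inputs would be:
#   held=$(apt-mark showhold)
#   sim=$(apt-get -s upgrade)
# Here both are constructed samples so the script runs offline.

# Constructed stand-in for `apt-mark showhold` output.
HELD_SAMPLE='app-agent
linux-image-generic
openssh-server'

# Constructed stand-in for `apt-get -s upgrade` output. The kept-back list
# is indented and may wrap over several lines, which the parser handles.
SIM_SAMPLE='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages have been kept back:
  app-agent libfoo1
  linux-image-generic
The following packages will be upgraded:
  openssl
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.'

# kept_back: read simulation output on stdin, print one kept-back package
# name per line. Collects the indented lines that follow the "kept back:"
# header and stops at the first non-indented line.
kept_back() {
  awk '
    /^The following packages have been kept back:/ { inlist = 1; next }
    inlist && /^ / { for (i = 1; i <= NF; i++) print $i; next }
    { inlist = 0 }
  '
}

# classify_kept_back HELD: read kept-back names on stdin and label each as
# "held:" when it appears in HELD (one name per line), otherwise as
# "kept back, not held:" so it is not wrongly blamed on a hold.
classify_kept_back() {
  held_list=$1
  while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    if printf '%s\n' "$held_list" | grep -qxF -- "$pkg"; then
      printf 'held: %s\n' "$pkg"
    else
      printf 'kept back, not held: %s\n' "$pkg"
    fi
  done
}

# held_not_kept_back HELD: read kept-back names on stdin and print the held
# packages that are NOT kept back. A held package with an available upgrade
# would appear in the kept-back list, so these have no pending update today
# but are still worth recording as future patch blockers.
held_not_kept_back() {
  held_list=$1
  kept=$(cat)
  printf '%s\n' "$held_list" | while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    printf '%s\n' "$kept" | grep -qxF -- "$pkg" \
      || printf 'held, no pending update: %s\n' "$pkg"
  done
}

# Demo run against the constructed samples.
printf '%s\n' "$SIM_SAMPLE" | kept_back | classify_kept_back "$HELD_SAMPLE"
printf '%s\n' "$SIM_SAMPLE" | kept_back | held_not_kept_back "$HELD_SAMPLE"
```

On a real host, replace the two samples with the live command output and keep the rest as-is; everything the script runs is read-only. A package labelled "kept back, not held" needs a different explanation, such as an upgrade that would pull in new dependencies (plain apt-get upgrade refuses those), a phased update, or a pin.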

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ apt-mark showhold
app-agent
linux-image-generic
::exit-code::0
$ apt-mark showhold | sed 's/^/held: /'
held: app-agent
held: linux-image-generic
::exit-code::0

YouTube Short

Find patch blockers.

If security patches are not moving, check held packages before assuming apt is broken.

LinkedIn hook

A held package can quietly keep a security update out of production.

Question: Do your patch reviews include a held-package check?

experiments

A/B tests to run

Metric: save_rate

A: Held packages can hide patch debt.

B: Security update missing? Check holds.