ArcLibrary
L1入门L2进阶L3生态

Package Managers

apt / yum / dnf / pacman / brew — stop running `make install` from source.

Packagesaptdnf
核心 · Key Idea

In one line: a package manager is the distro's app store — resolves dependencies, verifies signatures, upgrades uniformly, removes cleanly. Always reach for the package manager first; build from source as a last resort.

Mainstream package managers#

Debian / Ubuntu
apt (high-level) / dpkg (low-level); .deb
RHEL / CentOS / Fedora / Rocky
dnf (new) / yum (old); .rpm
Alpine
apk; lightweight — common in containers
Arch
pacman; rolling release
macOS
brew (user-level)
Cross-distro
snap / flatpak / appimage (sandboxed)
Language-level
pip / npm / cargo / gem / composer (not system packages)

Analogy#

打个比方 · Analogy

Package manager = a vetted app store: auto-installs deps, checks signatures, uninstall is a single command. Build from source = assembling Lego yourself: you control everything, but upgrade / uninstall / dependencies are now your bookkeeping.

Common commands side-by-side#

# Ubuntu / Debian
sudo apt update                  # refresh sources
sudo apt install -y nginx        # install
sudo apt upgrade                 # upgrade everything
sudo apt remove nginx            # uninstall (keeps config)
sudo apt purge nginx             # uninstall + remove config
apt list --installed | grep nginx
apt-cache search keyword
dpkg -L nginx                    # list files
 
# RHEL / Fedora
sudo dnf install -y nginx
sudo dnf update
sudo dnf remove nginx
rpm -qa | grep nginx
rpm -ql nginx
 
# Arch
sudo pacman -S nginx
sudo pacman -Syu                 # sync + upgrade all
yay -S aur-package               # AUR
 
# Alpine
apk add nginx
apk update && apk upgrade

Key concepts#

Source / RepoRepository
`/etc/apt/sources.list`, `/etc/yum.repos.d/`. Switching to a closer mirror is a huge speedup.
Dependencies / Reverse depsDepends / Reverse Depends
Web of inter-package dependencies. Removing one often cascades.
SignaturesGPG / RPM signatures
Public-key verification ensures packages haven't been tampered with. Import the key when adding third-party repos.
Pin / HoldPin
`apt-mark hold pkg` locks a package at its current version.
PPA / COPRThird-party repos
Ubuntu's PPA, Fedora's COPR — community-built packages.
snap / flatpakSandboxed packages
Bundle their own dependencies, cross-distro — bigger disk, slower startup.

How it works#

Practical notes#

  • Always update before install: apt update && apt install.

  • Auto-updates: install unattended-upgrades on Debian/Ubuntu for automatic security patches.

  • Add a third-party repo: import GPG key → write /etc/apt/sources.list.d/xxx.listapt update.

  • Server minimization: pick the server / minimal image — don't pull in desktop packages.

  • Inside containers: alpine uses apk, ubuntu/debian uses apt — clear caches after install: rm -rf /var/lib/apt/lists/* shrinks the image.

  • Don't use pip install --user for system services — multi-user / CI gets messy. Use venv / pipx / uv.

  • Find which package provides a file:

    apt-file search /usr/bin/nginx        # Debian
dnf provides /usr/bin/nginx           # RHEL

Easy confusions#

System package mgr
apt / dnf / brew.
System-level binaries + libs.
Language package mgr
pip / npm / cargo.
Application deps — **scope to projects, not system**.

Further reading#