Cyber Intelligence
Getting Started with Linux · Foundation

L4. Installing Software: apt, dnf and Package Managers

Package managers handle installing, updating, and removing software on Linux. This lesson covers apt (Debian/Ubuntu) and dnf (RHEL/Fedora), explains the difference between updating and upgrading, and warns about the security risks of third-party repositories.

What Package Managers Do

On Linux, you rarely download software from a website and run an installer. Instead, you use a package manager: a tool that downloads software from trusted repositories, resolves dependencies, installs everything in the right locations, and tracks what is installed so you can update or remove it cleanly.

From a security perspective, package managers provide three critical functions:

  1. Signature verification: Packages are cryptographically signed by the repository maintainer. The package manager verifies these signatures before installation, preventing tampered software from being installed.
  2. Centralized updates: One command can update every package on the system, closing known vulnerabilities across all installed software.
  3. Dependency management: When a shared library has a security patch, the package manager ensures all software using that library gets the updated version.

apt: The Debian/Ubuntu Package Manager

If you are using Ubuntu, Debian, Kali, or any Debian-based distribution, your package manager is apt (Advanced Package Tool).

Essential apt Commands

# Update the package index (downloads the latest list of available packages)
sudo apt update

# Upgrade all installed packages to their latest versions
sudo apt upgrade

# Install a specific package
sudo apt install nmap

# Remove a package (keeps configuration files)
sudo apt remove nmap

# Remove a package and its configuration files
sudo apt purge nmap

# Search for a package
apt search wireshark

# Show information about a package
apt show openssh-server

# List installed packages
apt list --installed

# Remove unused dependencies
sudo apt autoremove

update vs. upgrade

This distinction trips up many beginners:

  • apt update refreshes the package index: the local list of what versions are available in the repositories. It downloads no actual software.
  • apt upgrade installs newer versions of packages that are already installed on the system.

You must run apt update before apt upgrade, or you will be upgrading against a stale package list and may miss critical security patches.

# The standard update workflow
sudo apt update && sudo apt upgrade -y
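The stale-index problem described above can be guarded against in a wrapper. The script below is an added example and not part of the lesson: it treats the newest file timestamp under /var/lib/apt/lists as the time of the last successful apt update (an assumption of this example, not something apt documents), refuses to upgrade against an index older than a chosen age, and refreshes it first. stat -c is the GNU coreutils form found on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example, not from the lesson: guard "apt upgrade" so it never runs
# against a stale package index. The staleness threshold and the use of
# /var/lib/apt/lists file timestamps as "time of last apt update" are
# this example's assumptions.

# Return 0 (true) when the index is older than max_age seconds.
# Arguments: last_update_epoch now_epoch max_age_seconds
index_is_stale() {
    if [ $(($2 - $1)) -gt "$3" ]; then
        return 0
    fi
    return 1
}

# Newest modification time (epoch seconds) of any file in the apt lists
# directory, or 0 when there are none (index never fetched).
# Assumption: "apt update" writes its index files into /var/lib/apt/lists.
last_index_update() {
    dir=${1:-/var/lib/apt/lists}
    newest=0
    for f in "$dir"/*; do
        if [ -f "$f" ]; then
            t=$(stat -c %Y "$f" 2>/dev/null || echo 0)
            if [ "$t" -gt "$newest" ]; then
                newest=$t
            fi
        fi
    done
    echo "$newest"
}

# Refresh the index if it is stale, then upgrade.
# Usage: safe_upgrade [max_age_seconds]   (default: one hour)
safe_upgrade() {
    max_age=${1:-3600}
    if index_is_stale "$(last_index_update)" "$(date +%s)" "$max_age"; then
        echo "package index is older than ${max_age}s, running apt update first"
        sudo apt update || return 1
    fi
    sudo apt upgrade -y
}
```

Calling safe_upgrade 3600 from a cron job or a shell alias gives the same result as the standard workflow above, but skips the index download when it was refreshed recently and never upgrades against a list older than the threshold.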

dnf: The RHEL/Fedora Package Manager

On Red Hat Enterprise Linux, Rocky Linux, AlmaLinux, and Fedora, the package manager is dnf (Dandified YUM), which replaced the older yum command.

Essential dnf Commands

# Check for and install updates
sudo dnf check-update
sudo dnf upgrade

# Install a specific package
sudo dnf install nmap

# Remove a package
sudo dnf remove nmap

# Search for a package
dnf search wireshark

# Show package information
dnf info openssh-server

# List installed packages
dnf list installed

# Clean cached package data
sudo dnf clean all

Key Difference: dnf upgrade

Unlike apt, dnf upgrade combines the index refresh and the actual upgrade into one step. You do not need to run a separate "update" command first (though dnf check-update is useful to preview what will change before committing).

Repositories: Where Packages Come From

Packages are downloaded from repositories: servers that host collections of signed software packages. Both apt and dnf come preconfigured with official repositories maintained by the distribution vendor.

Viewing Configured Repositories

# Ubuntu/Debian: repository sources
cat /etc/apt/sources.list
ls /etc/apt/sources.list.d/

# RHEL/Fedora: repository configuration
dnf repolist
ls /etc/yum.repos.d/

Adding Third-Party Repositories

Sometimes you need software that is not in the default repositories. Both package managers allow you to add third-party sources.

# Ubuntu example: adding a PPA (Personal Package Archive)
sudo add-apt-repository ppa:example/repo
sudo apt update

# RHEL example: adding the EPEL repository
sudo dnf install epel-release

Security Risks of Third-Party Repositories

Adding a third-party repository is a trust decision. You are trusting that:

  • The repository maintainer is who they claim to be
  • The packages have not been tampered with
  • The maintainer will continue to release security patches
  • The repository GPG key has not been compromised

Best practices for third-party repositories:

  1. Only add repositories from trusted, well-known sources (official vendor repos, EPEL, Docker's official repo)
  2. Verify the GPG key fingerprint before importing it
  3. Audit which repositories are configured on your production systems regularly
  4. Remove repositories you no longer need
  5. Never add a repository that instructs you to disable GPG signature checking
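Practices 2, 3 and 5 above can be checked with a few lines of shell. The script below is an added example, not part of the lesson or of apt/dnf: fingerprint_matches compares a fingerprint copied from a vendor page against the one gpg prints, ignoring spacing and case; audit_apt_sources flags deb lines that carry [trusted=yes] (which turns signature verification off), lack a signed-by keyring, or fetch over plain http; audit_dnf_repo flags gpgcheck=0 and http baseurls in .repo files. The repository definitions at the bottom are constructed for the demo, with placeholder hosts and keyring paths.

```shell
#!/bin/sh
# Added example, not from the lesson: helpers for the third-party repository
# checklist. Sample repository definitions below are constructed; hostnames
# and key paths are placeholders.

# Compare two GPG fingerprints ignoring spacing and case, so a fingerprint
# copied from a vendor page can be checked against "gpg --show-keys" output.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        return 0
    fi
    return 1
}

# Audit apt "deb ..." lines read from stdin, one finding per line of output.
audit_apt_sources() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            *trusted=yes*) echo "SIGNATURE CHECK DISABLED: $line" ;;
        esac
        case "$line" in
            *signed-by=*) ;;
            *) echo "NO signed-by KEYRING: $line" ;;
        esac
        case "$line" in
            *' http://'*) echo "PLAINTEXT TRANSPORT: $line" ;;
        esac
    done
}

# Audit dnf/yum .repo content read from stdin.
audit_dnf_repo() {
    section=''
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d ' \t')
        case "$line" in
            ''|'#'*) continue ;;
            '['*']') section=${line#\[}; section=${section%\]}; continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        if [ "$key" = gpgcheck ] && [ "$val" = 0 ]; then
            echo "SIGNATURE CHECK DISABLED: [$section]"
        fi
        case "$key" in
            baseurl|metalink|mirrorlist)
                case "$val" in
                    http://*) echo "PLAINTEXT TRANSPORT: [$section] $val" ;;
                esac ;;
        esac
    done
}

# Constructed demo input (placeholder hosts and keyring paths).
echo "== apt =="
audit_apt_sources <<'EOF'
deb [signed-by=/etc/apt/keyrings/vendor.gpg] https://repo.example.invalid/ubuntu jammy main
deb [trusted=yes] http://mirror.example.invalid/ubuntu jammy main
EOF
echo "== dnf =="
audit_dnf_repo <<'EOF'
[vendor]
name=Vendor packages
baseurl=http://repo.example.invalid/el9
gpgcheck=0
EOF
```

On a real host, feed the audit functions with cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list or cat /etc/yum.repos.d/*.repo; any SIGNATURE CHECK DISABLED finding is a repository that violates practice 5 and should be removed or repaired.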

Automatic Security Updates

Both major package manager families support automatic installation of security-only patches.

Ubuntu: unattended-upgrades

# Install the unattended-upgrades package
sudo apt install unattended-upgrades

# Enable automatic security updates
sudo dpkg-reconfigure -plow unattended-upgrades

The configuration file at /etc/apt/apt.conf.d/50unattended-upgrades lets you control which updates are applied automatically and whether the system should reboot itself when a kernel update requires it.

RHEL: dnf-automatic

# Install dnf-automatic
sudo dnf install dnf-automatic

# Enable and start the timer
sudo systemctl enable --now dnf-automatic.timer

Edit /etc/dnf/automatic.conf to configure whether updates are only downloaded or also applied, and whether to restrict automatic updates to security updates only.

Package Security Auditing

You can check installed packages for known vulnerabilities:

# Ubuntu: list security updates available
apt list --upgradable 2>/dev/null | grep -i security

# RHEL: list available security updates
dnf updateinfo list security

# Check which CVEs are addressed by pending updates
dnf updateinfo info security

On production servers, integrate these checks into your monitoring pipeline. An unpatched system is one of the most common findings in security assessments.
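One way to integrate the checks above into a monitoring pipeline, as an added example that is not part of the lesson: the script reads the text output of apt list --upgradable or dnf updateinfo list security on stdin, counts pending security updates, prints a metric line and exits with a Nagios-style status (0 when within the threshold, 2 otherwise). It assumes the output formats current apt and dnf print (an apt line names its source suites after the slash, e.g. jammy-security; a dnf advisory line contains Severity/Sec.); the sample input at the bottom is constructed, with placeholder versions and advisory ids.

```shell
#!/bin/sh
# Added example, not from the lesson: turn the security-update listing
# commands into a monitoring check. Output formats are assumptions based on
# what current apt and dnf print; sample input is constructed.

# apt: an upgradable package counts as a security update when any of its
# source suites ends in "-security" (e.g. jammy-security).
count_apt_security() {
    n=0
    while IFS= read -r line; do
        suites=${line#*/}
        suites=${suites%% *}
        case "$suites" in
            *-security*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# dnf: "dnf updateinfo list security" prints one advisory per line as
#   <advisory id> <Severity>/Sec. <package>
# Count all of them, and separately the Critical/Important ones.
count_dnf_security() {
    total=0
    high=0
    while IFS= read -r line; do
        case "$line" in
            *Critical/Sec.*|*Important/Sec.*) total=$((total + 1)); high=$((high + 1)) ;;
            */Sec.*) total=$((total + 1)) ;;
        esac
    done
    echo "$total $high"
}

# Emit a metric line and return 0 when pending <= threshold, 2 otherwise.
report_pending() {
    pending=$1
    threshold=${2:-0}
    echo "pending_security_updates=$pending threshold=$threshold"
    if [ "$pending" -gt "$threshold" ]; then
        return 2
    fi
    return 0
}

# Constructed sample of "apt list --upgradable" output (placeholder versions).
apt_sample='Listing... Done
openssl/jammy-security 1.0-2 amd64 [upgradable from: 1.0-1]
vim/jammy-updates 2.0-1 amd64 [upgradable from: 2.0-0]'
n=$(printf '%s\n' "$apt_sample" | count_apt_security)
report_pending "$n" 0 || echo "apt host would alert (status $?)"

# Constructed sample of "dnf updateinfo list security" output (placeholder ids).
dnf_sample='EXAMPLE-0001 Important/Sec. openssl-1.0-2.el9.x86_64
EXAMPLE-0002 Moderate/Sec.  curl-1.0-2.el9.x86_64'
counts=$(printf '%s\n' "$dnf_sample" | count_dnf_security)
report_pending "${counts%% *}" 0 || echo "dnf host would alert (status $?)"
```

On a live system the pipeline is apt list --upgradable 2>/dev/null | count_apt_security (or dnf updateinfo list security | count_dnf_security) followed by report_pending, whose exit status a monitoring agent can consume directly; a threshold of 0 means any pending security update raises an alert.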

Key Takeaway: Patch Discipline

The single most impactful security practice you can adopt is keeping your systems patched. Most breaches exploit known vulnerabilities that already have patches available. Your package manager is the primary tool for maintaining that discipline. Build a habit of running update commands regularly, enable automatic security updates where appropriate, and audit your repositories to ensure you are only trusting sources you have deliberately chosen.

Exam Focus Points

  • Package managers verify cryptographic signatures before installation, preventing tampered software from being deployed.
  • apt update refreshes the package index; apt upgrade installs newer versions. You must run update before upgrade.
  • dnf upgrade combines the index refresh and upgrade into one step, unlike apt which requires two separate commands.
  • Third-party repositories are a trust decision: always verify GPG keys and never disable signature checking.
  • Automatic security updates (unattended-upgrades on Ubuntu, dnf-automatic on RHEL) are a critical layer of patch discipline.

Knowledge Check

1. What happens if you run "sudo apt upgrade" without first running "sudo apt update"?

2. Why should you verify the GPG key fingerprint before adding a third-party repository?

3. Which command would you use on an RHEL system to list available security updates?