Linux Package Managers: apt vs yum
A practical comparison of apt and yum/dnf: how they resolve dependencies, where packages come from, command equivalents, and how to avoid breaking your system.
What you'll learn
- ✓ How Debian and Red Hat package ecosystems differ
- ✓ Command-by-command equivalents between apt and yum/dnf
- ✓ How repositories, metadata, and GPG keys work
- ✓ How to safely add third-party repos
- ✓ Common upgrade mistakes that brick servers
Prerequisites
- Comfort using the Linux terminal as root or via sudo
What and Why
A Linux package manager installs software, tracks files it owns, resolves dependencies, and applies updates. The two dominant families are Debian-based (Ubuntu, Debian) using .deb files managed by apt on top of dpkg, and Red Hat-based (RHEL, Fedora, Rocky, Alma) using .rpm files managed by yum or its successor dnf on top of rpm.
You need to know both because base images differ across cloud providers, Docker images, and customer environments. Choosing the wrong command at the wrong moment is how production servers end up unbootable.
Mental Model
Both managers do the same four things:
- Read a list of configured repositories.
- Download metadata describing available packages and versions.
- Resolve a dependency graph for what you asked to install.
- Download, verify, and unpack files, then run scripts for setup.
The differences are in defaults: package format, repo config locations, signing, and how aggressively each tool removes orphaned dependencies.
| Concept | Debian/Ubuntu | RHEL/Fedora |
|---|---|---|
| Package format | .deb | .rpm |
| Low-level tool | dpkg | rpm |
| High-level tool | apt | dnf (or yum) |
| Repo config | /etc/apt/sources.list.d/ | /etc/yum.repos.d/ |
| Metadata refresh | apt update | implicit (or dnf makecache) |
| GPG keys | /etc/apt/keyrings/ | /etc/pki/rpm-gpg/ |
Hands-on Example
Install nginx on both, then add a third-party repo.
```bash
# Debian/Ubuntu
sudo apt update
sudo apt install -y nginx
apt list --installed | grep nginx
sudo apt remove nginx      # keep config files
sudo apt purge nginx       # remove config too
sudo apt autoremove        # drop orphaned deps
```

```bash
# RHEL/Fedora
sudo dnf install -y nginx
dnf list installed nginx
sudo dnf remove nginx      # also removes orphaned deps by default
sudo dnf autoremove        # explicit cleanup pass
```
Adding HashiCorp’s repo on Ubuntu:
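```bash
# Create the keyring directory if this release does not already ship it
sudo install -m 0755 -d /etc/apt/keyrings
# Fetch the publisher's key and store it in binary (dearmored) form
curl -fsSL https://apt.releases.hashicorp.com/gpg \
  | sudo gpg --dearmor -o /etc/apt/keyrings/hashicorp.gpg
# signed-by ties this one source to this one key
echo "deb [signed-by=/etc/apt/keyrings/hashicorp.gpg] \
https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform
```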
On RHEL:
```bash
sudo dnf config-manager --add-repo \
  https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo dnf install terraform
```
```
apt install nginx
      |
      v
sources.list -> fetch Release + Packages -> resolve deps
      |
      v
.deb downloaded -> dpkg unpacks -> postinst runs
```

```
dnf install nginx
      |
      v
*.repo -> fetch repodata/repomd.xml -> resolve deps
      |
      v
.rpm downloaded -> rpm unpacks -> %post scriptlet runs
```

Common Pitfalls
- Skipping `apt update`: stale metadata makes apt try to fetch versions that no longer exist on the mirror, producing confusing 404s.
- Mixing repos: pulling packages from Debian unstable into Debian stable, or EPEL packages that conflict with RHEL versions, leads to broken dependency chains.
- Force installing with `--force-yes` or `--nobest`: these bypass safety checks and frequently break the next upgrade.
- Holding partial upgrades: running `apt upgrade` when `apt full-upgrade` is needed, or excluding kernel updates, can leave a system in an inconsistent state.
- Ignoring GPG warnings: a repo whose key is not trusted is a supply chain problem, not a nuisance message.
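An added example, not from the original article, tied to the third-party repo setup and the GPG pitfall above: a bash audit that flags apt sources with no `signed-by=` or with `trusted=yes`, and dnf/yum repos with an explicit `gpgcheck=0`. The function names, the sample repo files, and the `repo.example.invalid` host are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit repo definitions for
# weakened signature checks. Directories are arguments, so it can run against
# a copied /etc tree or a mounted image as well as a live host.

# apt one-line format only (*.list); deb822 *.sources files are not parsed.
audit_apt() {
    local f
    for f in "$1"/*.list; do
        [ -e "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*deb(-src)?[ \t]/ {
                # trusted=yes turns verification off for this source
                if ($0 ~ /trusted=yes/)      print "APT-TRUSTED " file ":" NR
                # no signed-by: any key in the global trust store is accepted
                else if ($0 !~ /signed-by=/) print "APT-UNPINNED " file ":" NR
            }' "$f"
    done
}

# Flags only an explicit gpgcheck=0/false/no; a repo with no gpgcheck line
# inherits the [main] setting from dnf.conf, which this does not read.
audit_rpm() {
    local f
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        awk -v file="$f" '
            /^\[/ { section = $0 }
            tolower($0) ~ /^[ \t]*gpgcheck[ \t]*=[ \t]*(0|false|no)[ \t]*$/ {
                print "RPM-NOGPG " file " " section
            }' "$f"
    done
}

# Constructed sample files (hypothetical repos) so the audit runs offline.
make_samples() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/apt" "$d/yum"
    echo 'deb [signed-by=/etc/apt/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com jammy main' > "$d/apt/hashicorp.list"
    echo 'deb https://repo.example.invalid/apt stable main' > "$d/apt/vendor.list"
    echo 'deb [trusted=yes] https://repo.example.invalid/dev ./' > "$d/apt/dev.list"
    printf '[signed]\nbaseurl=https://repo.example.invalid/el9\ngpgcheck=1\n\n[unsigned]\nbaseurl=https://repo.example.invalid/tmp\ngpgcheck = 0\n' > "$d/yum/vendor.repo"
    echo "$d"
}

samples=$(make_samples)
audit_apt "$samples/apt"
audit_rpm "$samples/yum"
```

On a live host, point the functions at `/etc/apt/sources.list.d` and `/etc/yum.repos.d`; an `APT-UNPINNED` hit means the source is still signature-checked, but against every globally trusted key rather than one publisher's key.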
Practical Tips
- Use `apt-mark hold <pkg>` or `dnf versionlock <pkg>` to pin packages you cannot afford to upgrade unexpectedly.
- Inspect what a package owns with `dpkg -L <pkg>` or `rpm -ql <pkg>`.
- Find which package owns a file with `dpkg -S /path` or `rpm -qf /path`.
- Run `apt-get dist-upgrade --simulate` or `dnf upgrade --assumeno` to preview changes before applying them.
- On servers, prefer `unattended-upgrades` (Debian) or `dnf-automatic` for security patches, scoped to security only.
Wrap-up
apt and yum/dnf solve the same problem with slightly different ergonomics. Learn the equivalents, respect GPG verification, and never trust a --force flag in a postmortem story. Once the mental model clicks, switching between Ubuntu and RHEL boxes is a matter of muscle memory, not relearning.