Linux Package Managers: apt vs yum
A practical comparison of apt and yum/dnf: how they resolve dependencies, where packages come from, command equivalents, and how to avoid breaking your system.
What you'll learn
- ✓How Debian and Red Hat package ecosystems differ
- ✓Command-by-command equivalents between apt and yum/dnf
- ✓How repositories, metadata, and GPG keys work
- ✓How to safely add third-party repos
- ✓Common upgrade mistakes that brick servers
Prerequisites
- •Comfort using the Linux terminal as root or via sudo
What and Why
A Linux package manager installs software, tracks files it owns, resolves dependencies, and applies updates. The two dominant families are Debian-based (Ubuntu, Debian) using .deb files managed by apt on top of dpkg, and Red Hat-based (RHEL, Fedora, Rocky, Alma) using .rpm files managed by yum or its successor dnf on top of rpm.
You need to know both because base images differ across cloud providers, Docker images, and customer environments. Choosing the wrong command at the wrong moment is how production servers end up unbootable.
Mental Model
Both managers do the same four things:
- Read a list of configured repositories.
- Download metadata describing available packages and versions.
- Resolve a dependency graph for what you asked to install.
- Download, verify, and unpack files, then run scripts for setup.
The differences are in defaults: package format, repo config locations, signing, and how aggressively each tool removes orphaned dependencies.
| Concept | Debian/Ubuntu | RHEL/Fedora |
|---|---|---|
| Package format | .deb | .rpm |
| Low-level tool | dpkg | rpm |
| High-level tool | apt | dnf (or yum) |
| Repo config | /etc/apt/sources.list.d/ | /etc/yum.repos.d/ |
| Metadata refresh | apt update | implicit (or dnf makecache) |
| GPG keys | /etc/apt/keyrings/ | /etc/pki/rpm-gpg/ |
Hands-on Example
Install nginx on both, then add a third-party repo.
# Debian/Ubuntu
sudo apt update
sudo apt install -y nginx
apt list --installed | grep nginx
sudo apt remove nginx # keep config files
sudo apt purge nginx # remove config too
sudo apt autoremove # drop orphaned deps
# RHEL/Fedora
sudo dnf install -y nginx
dnf list installed nginx
sudo dnf remove nginx # also removes orphaned deps by default
sudo dnf autoremove # explicit cleanup pass
Adding HashiCorp’s repo on Ubuntu:
curl -fsSL https://apt.releases.hashicorp.com/gpg \
| sudo gpg --dearmor -o /etc/apt/keyrings/hashicorp.gpg
echo "deb [signed-by=/etc/apt/keyrings/hashicorp.gpg] \
https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform
On RHEL:
sudo dnf config-manager --add-repo \
https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo dnf install terraform
apt install nginx
|
v
sources.list -> fetch Release + Packages -> resolve deps
|
v
.deb downloaded -> dpkg unpacks -> postinst runs
dnf install nginx
|
v
*.repo -> fetch repodata/repomd.xml -> resolve deps
|
v
.rpm downloaded -> rpm unpacks -> %post scriptlet runs Common Pitfalls
- Skipping
apt update: stale metadata makes apt try to fetch versions that no longer exist on the mirror, producing confusing 404s. - Mixing repos: pulling packages from Debian unstable into Debian stable, or EPEL packages that conflict with RHEL versions, leads to broken dependency chains.
- Force installing with
--force-yesor--nobest: these bypass safety checks and frequently break the next upgrade. - Holding partial upgrades: running
apt upgradewhenapt full-upgradeis needed, or excluding kernel updates, can leave a system in an inconsistent state. - Ignoring GPG warnings: a repo whose key is not trusted is a supply chain problem, not a nuisance message.
Practical Tips
- Use
apt-mark hold <pkg>ordnf versionlock <pkg>to pin packages you cannot afford to upgrade unexpectedly. - Inspect what a package owns with
dpkg -L <pkg>orrpm -ql <pkg>. - Find which package owns a file with
dpkg -S /pathorrpm -qf /path. - Run
apt-get dist-upgrade --simulateordnf upgrade --assumenoto preview changes before applying them. - On servers, prefer
unattended-upgrades(Debian) ordnf-automaticfor security patches, scoped to security only.
Wrap-up
apt and yum/dnf solve the same problem with slightly different ergonomics. Learn the equivalents, respect GPG verification, and never trust a --force flag in a postmortem story. Once the mental model clicks, switching between Ubuntu and RHEL boxes is a matter of muscle memory, not relearning.
Related articles
- Linux Linux awk and sed: Text Processing Power Tools
Master awk and sed for text processing on Linux. Learn pattern matching, field extraction, in-place editing, and real-world one-liners for log analysis.
- Linux Linux systemd: Create and Manage Custom Services
Learn how to create, configure, and manage custom systemd service units on Linux. Covers unit files, dependencies, timers, and troubleshooting.
- Linux awk for Text Processing: A Practical Guide with Real Examples
Master awk for text processing on Linux with practical examples covering field extraction, pattern matching, and data transformation.
- Linux cgroups for Resource Isolation and Limits on Linux
Learn how to use Linux cgroups to limit CPU, memory, and I/O for processes, and understand their role in containers.