21.07.2025

How to Manage and Add Repositories in Debian Linux

Introduction

In the Debian we have various way to update and download software to our system, that can be single archive with set of dependencies, index and etc. Usually that have format tar.gz or .deb, there are files with open-source code which need compile before using.

But some utilities, packets and software may be have snippet of malicious code, unstable or untrusted. For solve that purposes we have repositories with trusted, verified and stable packets, that we can install and using easily. They represent pack of hierarchy of packets, index, libraries needed for installation and sign for more secure usage.

Some repositories come from unofficial or third-party sources. While they may offer useful software or newer versions of packages, they can also pose security or stability risks. Always verify the trustworthiness of the source before adding such repositories, and use them at your own discretion.

Cloud Servers from €4 / moIntel Xeon Gold 6254 3.1 GHz CPU, SLA 99,9%, 100 Mbps channel

Requirements

Root rights;
Debian OS;
Several knowledge about work OS ;
Internet connection.

Manage repositories

For the manage repositories we can use files for configuring our system, for that let's find catalog with label apt and check content:

cd /etc/apt/ && ls -l

Screenshot №1 — List of files

At the screenshot we can see bunch of different files and directories, that we can use for configuring our repositories. Let's consider all files in the catalog and give them explanation:

Sources.list — it's determine list of using repositories, their version and branch of the software, that file combine in it self all list of servers;
Sources.list.d — the file using for separated configuring list of repositories, usually that divide by using services;
Trusted.gpg — that file contain trusted keys of using repositories;
Trusted.gpg.d — the same file as above, but divided by the services.

Consider the file sources.list and add line with repository:

nano /etc/apt/sources.list

deb http://security.debian.org/debian-security bullseye-security main

Screenshot №2 — Repositories list

After that we can update index by the command below:

apt update

Then we can use repository by apt, aptitude and etc command for controlling package in our local machine.

However, we can configuring system separated by the services:

cd /etc/apt/sources.list.d/ && ls

Screenshot №3 — Directory of repo

Go to text editor and consider the file, in your system may be there isn't needed file and you can create this.

For an existing file we just open it, for empty catalog, we create with .list:

nano mysql.list

Screenshot №4 — Repo list of MySQL

In that line we can indicate signed-file for repo, link and version of using servers, usually we need to add .gpg file into the system. In the moment of update index package our machine verified public key of our repo and then update all information. That mechanism of electronic signature help to save integrity and verify author of data. We can add key by the command, where key.asc will your public key:

gpg --import key.asc

Screenshot №5 — List of public keys

And now we can use repository for update and installation software, executing the command below:

apt update

Screenshot №6 — Update

We are installing software to check that repository work:

apt install dnsutils

Screenshot №7 — Installation

Conclusion

This guide provides a comprehensive understanding of Debian repositories and their essential components, empowering users to confidently manage software sources on their Debian-based systems. By learning how to configure sources.list, add third-party APT repositories, import and verify GPG keys, and regularly update package lists, users can ensure their systems remain secure, functional, and up to date. Whether you're maintaining a personal desktop or managing multiple servers, mastering repository management is a key skill for any Linux administrator.

FAQ: Frequently Asked Questions

What is the purpose of the sources.list file in Debian?
This file defines the default list of software repositories used by your system. It contains URLs to official or third-party servers that host packages and updates.
Is it safe to use third-party repositories in Debian?
It depends. Trusted third-party repositories (like those from reputable vendors) are generally safe. However, always verify the GPG key and the source before adding them to avoid security risks.
What’s the difference between .deb packages and repositories?
.deb packages are standalone installation files, while repositories are organized collections of such packages with metadata and signatures that allow safe and automated installation and updates.
How do I add a GPG key to authenticate a repository?
You can import a public key using the command:

gpg --import key.asc

Alternatively, for APT specifically:

curl -fsSL https://example.com/key.gpg | gpg --dearmor -o /usr/share/keyrings/repo-archive-keyring.gpg
Why do I get "NO_PUBKEY" errors during apt update?
This means the system doesn't trust the repository yet. You need to import its public GPG key for proper verification.
Can I manage multiple repositories separately?
Yes. Use the /etc/apt/sources.list.d/ directory to split repository configurations into separate .list files for better organization and service-specific setups.