I just added a PPA repository for the development version of the GIMP, but I get this error:

$ apt-get update && apt-get upgrade
The following packages have been kept back:
  gimp gimp-data libgegl-0.0-0 libgimp2.0

Why and how can I solve it so that I can use the latest version instead of the one I have now?

  • 21
    Staggered releases are a safety feature called "Phased Updates." Commented Aug 9, 2022 at 9:14
  • 8
    @AndrewKoster: or, tell us why it's not, yeah? That'd be helpful. Phased Updates does seem to have been the answer for me, though. See also: wiki.ubuntu.com/PhasedUpdates ... additionally, apt show <package>=<new-version> (where <package> is one of the packages listed in apt list --upgradable and <new-version> is the version string listed as the 2nd (space-separated) field in the output of same) should show a line saying Phased-Update-Percentage: <n> for some <n> that's the current percentage. Presumably once that gets to 100%, one will get the upgrade.
    – lindes
    Commented Sep 17, 2022 at 17:15
  • 6
    P.S. I found this helpful (in zsh or bash): apt show -a $(apt list --upgradable 2>&1 | grep / | cut -d/ -f1) 2>&1 | grep Phased | sort -n | uniq -c -- shows how many packages are at what phased-update percentages. (e.g. I currently have 3 at 0%, and 14 at 70%).
    – lindes
    Commented Sep 17, 2022 at 17:17
  • 4
    To save everyone a lot of time reading, I recommend looking at Afilu's answer first. Commented Sep 27, 2022 at 1:50
  • If everything is working fine in the system regardless of some packages being held back, is it really necessary to "fix" this "warning"? Some will be fixed eventually by doing apt update in the long run, and some new others will appear as held back. But if it does not affect the system negatively, would there be a reason to "fix" this excluding getting rid of the warning?
    – M.K
    Commented Feb 8, 2023 at 14:38

29 Answers 29


According to an article on debian-administration.org,

If the dependencies have changed on one of the packages you have installed so that a new package must be installed to perform the upgrade then that will be listed as "kept-back".

(Note that this is not the only reason that you may be seeing the message "packages have been kept back". Another reason is that phased updates may be enabled, and the updates have not yet been released for your machine.)

Cautious solution 1:

Per Pablo's answer, you can run sudo apt-get --with-new-pkgs upgrade <list of packages kept back>, and it will install the kept-back packages.

This has the benefit of not marking the kept-back packages as "manually installed," which could force more user intervention down the line (see comments).

If Pablo's solution works for you, please upvote it. If not, please comment what went wrong.

Cautious solution 2:

The cautious solution is to run sudo apt-get install <list of packages kept back>. In most cases this will give the kept-back packages what they need to successfully upgrade.

Aggressive solution:

A more aggressive solution is to run sudo apt-get dist-upgrade, which will force the installation of those new dependencies.

But dist-upgrade can be quite dangerous. Unlike upgrade it may remove packages to resolve complex dependency situations. Unlike you, APT isn't always smart enough to know whether these additions and removals could wreak havoc.

So if you find yourself in a place where the "cautious solution" doesn't work, dist-upgrade may work... but you're probably better off learning a bit more about APT and resolving the dependency issues "by hand" by installing and removing packages on a case-by-case basis.

Think of it like fixing a car... if you have time and are handy with a wrench, you'll get some peace of mind by reading up and doing the repair yourself. If you're feeling lucky, you can drop your car off with your cousin dist-upgrade and hope she knows her stuff.

  • 239
    As this is an accepted answer needs, it really needs updating to warn about using dist-upgrade on a stable system as many of the other answers below have pointed out. Personally I think there is a simpler/safer answer that needs promoted: apt-get install <list of pkgs>
    – Cas
    Commented Oct 3, 2012 at 12:41
  • 13
    Cas, should I just add that it could be dangerous to run a dist-upgrade on a stable system? Why exactly is that dangerous? (I honestly don't know apt all that well.) Commented Oct 3, 2012 at 16:27
  • 26
    There is a Server Fault answer that explains dist-upgrade in a bit more detail. I think its just worth clarifying (not dangerous as such) that it may upgrade the entire system which may be beyond what the user expects/wants i.e. in the OP example they are wondering why gimp is being held back.
    – Cas
    Commented Oct 5, 2012 at 16:38
  • 25
    Please note that sudo apt-get dist-upgrade can also remove packages. Consequently, it's best always to inspect the list of changes that will be made before agreeing to them, when running sudo apt-get dist-upgrade. Commented Mar 22, 2013 at 13:56
  • 12
    @EliahKagan May I add that even apt-get upgrade can remove packages? It will always do that when there would be a version conflict otherwise. Think of llvm3.6 vs. llvm3.6v5 (with the "v5" meaning that it was compiled with gcc 5). These two cannot co-exist, only either of both can be kept on the system. So yes dist-upgrade may remove some packages as well, but it's not only dist-upgrade that would do this; under certain circumstances, upgrade would, as well. Commented Oct 12, 2015 at 15:58

Whenever you receive from the command apt-get upgrade the message

The following packages have been kept back:

then to upgrade one or all of the kept-back packages, without doing a distribution upgrade (this is what dist-upgrade does, if I remember correctly) is to issue the command:

apt-get install <list of packages kept back>

this will resolve the kept-back issues and will ask to install additional packages, etc. as was explained by other answers.

See also: Why use apt-get upgrade instead of apt-get dist-upgrade?

  • 5
    When packages are kept back this way and I manually apt-get upgrade <list of packages>, if I redo apt-get upgrade, it will list the packages in question as no longer required and that I can use apt autoremove to remove them, which I do, and then one last apt-get upgrade and they are no longer listed as kept back... Very weird. Any thoughts?
    – cram2208
    Commented May 16, 2017 at 14:31
  • Does apt-get install also remove packages when necessary to resolve gnarly dependency situations, or would you have to run a separate apt-get remove command to accomplish that part of the upgrade process? Commented Sep 5, 2017 at 21:23
  • 1
    @cram2208 I believe that's the expected behaviour. The packages that were "automatically installed and [...] no longer required" are the previous versions of the upgraded packages, which are now no longer needed. apt autoremove then removes these unused dependencies.
    – Alex
    Commented Sep 7, 2017 at 0:56
  • 5
    If the upgrade would require a new package to be installed, the package will be "kept back." First consider using: sudo apt-get --with-new-pkgs upgrade which would not have side affect of causing packages to be marked as manually installed Commented Dec 6, 2017 at 21:59
  • @mac9416 yes it does.
    – jarno
    Commented Jan 26, 2018 at 18:04

I answered a similar question here, explaining a bit more about the reasons behind this issue.

Try this Unix SE answer:

sudo apt-get --with-new-pkgs upgrade

This allows new packages to be installed. It will let you know what packages would be installed and prompt you before actually doing the install.

apt command (friendly alternative to apt-get) share this option.

Using apt install <pkg> instead will mark pkg as "manually installed"!! To mark it again as "automatically installed" use apt-mark auto <pkg> (see also subcommand showmanual). More info on this answer.

  • 40
    +1 because it does not have side affect of causing packages to be marked as manually installed. Commented Oct 7, 2017 at 11:05
  • 114
    For some reason sudo apt-get --with-new-pkgs upgrade still shows the packages as "kept back". No error message. Commented Nov 12, 2018 at 19:06
  • 14
    This solution doesn't have the side effect of causing packages to be marked as "manually installed". It also doesn't have the side effect of "actually installing the dang packages". Commented Oct 11, 2021 at 20:38
  • 15
    This had no effect for me - packages still kept back.
    – UpTheCreek
    Commented Mar 15, 2022 at 12:33
  • 12
    This doesn't do anything. Still says The following packages have been kept back:
    – endolith
    Commented Jul 30, 2022 at 16:20

apt-get dist-upgrade is dangerous for stable environment,

  1. wrong source.list setting and you end up with broken ubuntu.
  2. you might get entire application upgraded to version you dont want.

Use case: kernel upgrade kept back, you just want to upgrade the kernel, dont want to upgrade entire distribution.

Better way to handle kept back package:

sudo aptitude

If you have kept back package you should see Upgradable Packages on top of the list.

  • Hit + on that list
  • Hit g twice
  • Answer debconf stuff if asked
  • Press return to continue
  • Press Q
  • Press yes

Your kept back package installed.

  • 44
    apt-get dist-upgrade is only dangerous if you have bad repositories in /etc/apt/sources.list*. It's good to be aware that dist-upgrade upgrades all packages, but with the default repositories, that should be fine. Not using dist-upgrade could be dangerous, as you might miss security updates.
    – Flimm
    Commented Dec 27, 2012 at 19:35
  • 12
    apt-get dist-upgrade can remove as well as add packages, but it is not really dangerous. Any package installation command can cause serious damage if you have problems in your sources.list file! A regular apt-get upgrade command will install any package from any software source that is enabled; dist-upgrade is not unique in this way. Furthermore, using aptitude to perform any operation at all, at least on amd64, is much more dangerous than running apt-get dist-upgrade, in a release where bug 831768 isn't fixed. Commented Mar 22, 2013 at 14:03
  • 17
    Also sudo aptitude safe-upgrade
    – msanford
    Commented May 19, 2016 at 15:31
  • 3
    @msanford Thank you! Your solution fixed it for me where sudo apt-get --with-new-pkgs upgrade did not.
    – John
    Commented Mar 26, 2020 at 9:36
  • 1
    dist-upgrade will not update/upgrade the whole distribution (like do-release-upgrade). It is a misnomer. Use full-upgrade equivalent. Commented Mar 23, 2022 at 21:42

I'm adding this answer because I'm not satisfied with how other answers handle the why part of the question to understand what's going on and choose the appropriate course of action.

Hopefully this will help someone avoid blindly running apt dist-upgrade in despair!

Why is a package kept back?

To my knowledge, there are 3 categories of reasons for packages being kept back during apt upgrade.

1) It is marked as held back

apt-mark can do this:

sudo apt-mark hold <package>

hold is used to mark a package as held back, which will prevent the package from being automatically installed, upgraded or removed.

To list all packages marked on hold or find out if a package is on hold use:

apt-mark showhold
apt-mark showhold <package>

To remove a hold on a package and allow it to be upgraded:

sudo apt-mark unhold <package>

2) apt detects a dependency change

The best authoritative source of information I could find regarding this is marked as obsolete, but it says:

[Kept back] means that there are new versions of these packages which will not be installed for some reason. Possible reasons are broken dependencies (a package on which it depends doesn't have a version available for download) or new dependencies (the package has come to depend on new packages since the last version)

This will tell you the current and candidate upgrade versions of the package:

$ apt list <package>

# example output:
vim/bionic-updates,bionic-security 2:8.0.1453-1ubuntu1.4 amd64 [upgradable from: 2:8.0.1453-1ubuntu1.3]
N: There are 2 additional versions. Please use the '-a' switch to see them.

With the current version (e.g. 2:8.0.1453-1ubuntu1.3) and new version (e.g. 2:8.0.1453-1ubuntu1.4), we can figure out the changed dependencies with apt show:

apt show <package>=<old version> <package>=<new version>

# example:
apt show vim=2:8.0.1453-1ubuntu1.3 vim=2:8.0.1453-1ubuntu1.4

(or just use apt show -a to view all versions directly, but it makes the version comparison harder in my opinion)

The important parts are the Depends and Recommends package lists. If there are new packages in those lists in the new version of the kept back package, apt won't automatically upgrade it.

At this point there are 2 options to upgrade the kept back package. Note that both solutions below have the proper arguments to avoid erroneously changing a package from "automatically installed" to "manually installed".

  1. To upgrade the package and install any new "Recommended" packages (i.e. as if newly installed with apt install <package>, use --with-new-pkgs:

    sudo apt upgrade --with-new-pkgs <package>

    (Tip: add --dry-run to see what will happen before doing it)

  2. To upgrade the package without installing any newly added "Recommended" packages, use --only-upgrade.

    sudo apt install --only-upgrade <package>

3) Phased updates


Once an update is released to -updates, the update is then phased so that the update is gradually made available to expanding subsets of Ubuntu users. This process allows us to automatically monitor for regressions and halt the update process if any are found.

You can check for phased updates with:

sudo apt -o APT::Get::Always-Include-Phased-Updates=true upgrade --dry-run

Lots more info here: What are phased updates, and why does Ubuntu use them?

Case study: upgrading the docker-ce package

Upgrading the docker-ce package on Ubuntu 18.04 is what brought me here in the first place so I thought it would be interesting to have a full concrete example.

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

$ apt list docker-ce
Listing... Done
docker-ce/bionic 5:20.10.3~3-0~ubuntu-bionic amd64 [upgradable from: 5:19.03.12~3-0~ubuntu-bionic]
N: There are 34 additional versions. Please use the '-a' switch to see them.

Ok let's see what's holding back docker-ce:

$ apt show docker-ce=5:19.03.12~3-0~ubuntu-bionic docker-ce=5:20.10.3~3-0~ubuntu-bionic
Package: docker-ce
Version: 5:19.03.12~3-0~ubuntu-bionic
Priority: optional
Section: admin
Maintainer: Docker <[email protected]>
Installed-Size: 107 MB
Depends: docker-ce-cli, containerd.io (>= 1.2.2-3), iptables, libseccomp2 (>= 2.3.0), libc6 (>= 2.8), libdevmapper1.02.1 (>= 2:1.02.97), libsystemd0
Recommends: aufs-tools, ca-certificates, cgroupfs-mount | cgroup-lite, git, pigz, xz-utils, libltdl7, apparmor
Conflicts: docker (<< 1.5~), docker-engine, docker-engine-cs, docker.io, lxc-docker, lxc-docker-virtual-package
Replaces: docker-engine
Homepage: https://www.docker.com
Download-Size: 22.5 MB
APT-Manual-Installed: yes
APT-Sources: https://download.docker.com/linux/ubuntu bionic/stable amd64 Packages
Description: Docker: the open-source application container engine
 Docker is a product for you to build, ship and run any application as a
 lightweight container
 Docker containers are both hardware-agnostic and platform-agnostic. This means
 they can run anywhere, from your laptop to the largest cloud compute instance and
 everything in between - and they don't require you to use a particular
 language, framework or packaging system. That makes them great building blocks
 for deploying and scaling web apps, databases, and backend services without
 depending on a particular stack or provider.

Package: docker-ce
Version: 5:20.10.3~3-0~ubuntu-bionic
Priority: optional
Section: admin
Maintainer: Docker <[email protected]>
Installed-Size: 121 MB
Depends: containerd.io (>= 1.4.1), docker-ce-cli, iptables, libseccomp2 (>= 2.3.0), libc6 (>= 2.8), libdevmapper1.02.1 (>= 2:1.02.97), libsystemd0
Recommends: apparmor, ca-certificates, docker-ce-rootless-extras, git, libltdl7, pigz, xz-utils
Suggests: aufs-tools, cgroupfs-mount | cgroup-lite
Conflicts: docker (<< 1.5~), docker-engine, docker-engine-cs, docker.io, lxc-docker, lxc-docker-virtual-package
Replaces: docker-engine
Homepage: https://www.docker.com
Download-Size: 24.8 MB
APT-Sources: https://download.docker.com/linux/ubuntu bionic/stable amd64 Packages
Description: Docker: the open-source application container engine
 Docker is a product for you to build, ship and run any application as a
 lightweight container
 Docker containers are both hardware-agnostic and platform-agnostic. This means
 they can run anywhere, from your laptop to the largest cloud compute instance and
 everything in between - and they don't require you to use a particular
 language, framework or packaging system. That makes them great building blocks
 for deploying and scaling web apps, databases, and backend services without
 depending on a particular stack or provider.

Version 5:20.10.3~3-0~ubuntu-bionic has added docker-ce-rootless-extras as a new recommended dependency. I wish apt would be more helpful and simply suggest installing it or something instead of leaving me with an old version... Anyhow, here are the 2 possible fixes (with --dry-run for illustration purposes):

$ sudo apt upgrade --with-new-pkgs --dry-run docker-ce
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst docker-ce [5:19.03.12~3-0~ubuntu-bionic] (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])

$ sudo apt install --only-upgrade --dry-run docker-ce
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
Recommended packages:
The following NEW packages will be installed:
The following packages will be upgraded:
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst docker-ce [5:19.03.12~3-0~ubuntu-bionic] (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Inst docker-ce-rootless-extras (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
Conf docker-ce-rootless-extras (5:20.10.3~3-0~ubuntu-bionic Docker CE:bionic [amd64])
  • 14
    If I understand correctly, there is a third reason for kept-back updates: Phased updates. These are gradually distributed to increasing portions of the user base until the update is made available to everyone. (see here)
    – Dunkelkoon
    Commented Aug 10, 2022 at 11:56
  • 1
    @Dunkelkoon Correct. When I did the comparison with apt show that the answer recommended for one of the packages that are being held back (gnome-tweaks), I found that the only differences between the outputs produced for the version I have installed, and that for the available update, were (1) the Version line, (2) the APT-Sources line, (3) that the installed version had the line APT-Manual-Installed: yes, and (4) that the available update had the line Phased-Update-Percentage: 30. Commented Sep 23, 2022 at 6:48
  • 4
    I updated my answer to include PhasedUpdates. Thanks!
    – bernie
    Commented Sep 29, 2022 at 20:37
  • 6
    This should be the accepted answer
    – P Varga
    Commented Dec 13, 2022 at 21:41
  • 7
    You can check for phased updates with sudo apt -o APT::Get::Always-Include-Phased-Updates=true upgrade --dry-run.
    – Ed McMan
    Commented Jan 31, 2023 at 14:06

You can also try aptitude. First install it:

sudo apt-get install aptitude -y


sudo aptitude safe-upgrade

It's safer than full-upgrade (originally named dist-upgrade) because "packages will not be removed unless they are unused".

From man aptitude:


Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused [...] Packages which are not currently installed may be installed to resolve dependencies unless the --no-new-installs command-line option is supplied.

  • 2
    This just gives sudo: aptitude: command not found
    – MikeB
    Commented Aug 14, 2022 at 14:27
  • 6
    @MikeB Did you first install aptitude, as the answer instructed? Commented Sep 23, 2022 at 6:28
  • 4
    this is the correct answer
    – acgbox
    Commented Jan 26, 2023 at 16:31
  • 1
    This worked for me (+1), but I'd like to understand what's happening better. sudo apt-get dist-upgrade did not upgrade the packages for me, so it's not just that it's a safer version of dist-upgrade.
    – Charles
    Commented Jan 26, 2023 at 20:18
  • sudo apt-get --with-new-pkgs upgrade had also failed for me.
    – Charles
    Commented Jan 26, 2023 at 20:19

This has been happening more since I upgraded to Ubuntu 22.04 jammy.

The reason is usually phased updates. (Thanks to @louis-waweru for the link.)

  1. The solution is to ignore those "have been kept back" messages. When the repository maintainers deem these packages safe enough for you to install, you will get them.

  2. If you absolutely must get these updates, you can create the file /etc/apt/apt.conf.d/99-Phased-Updates with the contents:

Update-Manager::Always-Include-Phased-Updates "1";
APT::Get::Always-Include-Phased-Updates "1";
  • 12
    This! This seems to be the answer relevant to me. Further note: when I do apt list --upgradable, it shows various packages and old and new versions. I can then do apt show package -a on any of the listed packages, and, at least in my case, I'll see something like Phased-Update-Percentage: 70 or Phased-Update-Percentage: 0 or whatever. See also: wiki.ubuntu.com/PhasedUpdates
    – lindes
    Commented Sep 17, 2022 at 17:09
  • You can also avoid using apt and use aptitude instead. If you run sudo aptitude upgrade or sudo aptitude dist-upgrade, it will install all the available upgrades without minding about phased updates. Commented Jan 24 at 17:23

There are normally two reasons you may see this message.

If upgrading the program (via sudo apt-get upgrade) would cause packages to be added or removed, then the program will be held back. You can use sudo apt-get dist-upgrade in this case, which will then offer to add or remove the additional packages.

This is pretty common and usually not an issue. Occasionally (particularly during an Ubuntu alpha) a dist-upgrade will offer to remove a lot of other programs, in which case you probably want to cancel it.

If the package depends on packages or versions that are not available, then the program will be held back. You really can't do anything but wait in this circumstance, since the package is basically uninstallable. This can happen when packages get added to the repository out of order, when a package is renamed, or when a package stops providing a virtual package.

  • 7
    Is there a way to determine whether the held package needs a dependency that can't be installed or if it is being held because other packages depend on it. I have many held packages and I believe both of these cases may apply on my system.
    – Jake
    Commented Dec 8, 2016 at 9:29
  • 1
    Thanks, the second reason was the issue for me. Even apt-get dist-upgrade refused to install it. Inspecting the package with aptitude showed that it depends on a package that isn't available. I guess I'll have to wait.
    – jlh
    Commented May 2, 2018 at 14:55

Ubuntu 18.04 LTS Bionic and newer Ubuntu versions … provide a streamlined syntax via apt full-upgrade which functions like apt-get dist-upgrade.

sudo apt full-upgrade

sudo apt upgrade is used to install available upgrades of all packages currently installed on the system from the sources configured via sources.list(5). New packages will be installed if required to satisfy dependencies, but existing packages will never be removed. If an upgrade for a package requires the remove of an installed package the upgrade for this package isn't performed.

sudo apt full-upgrade performs the function of upgrade but will remove currently installed packages if this is needed to upgrade the system as a whole.

Note: sudo apt full-upgrade remains on the current distribution.

See: apt man page: 18.04, 20.04, 22.04, 22.10

  • After this operation, 2,548 MB disk space will be freed. You are about to do something potentially harmful. To continue type in the phrase 'Yes, do as I say!' Commented Apr 1, 2020 at 22:59
  • 3
    full-upgrade does the same thing as dist-upgrade! This answer is wrong! See here askubuntu.com/questions/770135/…
    – bernie
    Commented Feb 14, 2021 at 14:17
  • @bernie Answer updated per your observation. Commented Feb 16, 2021 at 4:51

Most likely these packages are held back because their installation would create dependency inconsistencies. This can either happen because you are using archives under active development, ppas, or because the mirror you uses is not fully updated.

In the last case, just wait, when the dependencies are resolved it will be installed the next time.


There is another possibility, packages might be held back if there is put a hold on them, or if they are pinned.

  • What do you base that likelihood on, without knowing whatever he ran an apt-get upgrade or an apt-get dist-upgrade (alt. the aptitude equivalents)?
    – andol
    Commented Jul 31, 2010 at 22:21
  • 2
    this is the most occurring problem in support questions and bugs
    – txwikinger
    Commented Jul 31, 2010 at 22:25
  • Agreed. You should probably wait and check you apt_preferences. This is often caused by development archives where the and available packages dependencies are changing very quickly. Wait for them to settle down and you may not need to dist-upgrade at all. If you'd still like to dist-upgrade, then look at the NEW packages to be installed and the packages to be removed before going ahead.
    – Umang
    Commented Aug 1, 2010 at 2:29
  • 1
    This is my case because I get the "kept back" message using dist-upgrade Commented Aug 17, 2012 at 9:02
  • 1
    In cases where this problem is due to a messup with apt preferences (pinning), I found reinstallation of the kept packages helped me: apt-get install --reinstall <packages>.
    – tanius
    Commented Apr 13, 2014 at 11:11

This worked for me

sudo aptitude full-upgrade
  • 2
    Even aptitude upgrade worked for me.
    – Bibhas
    Commented Dec 14, 2013 at 16:15
  • I`am using Ubuntu 14.04 and I does not have aptitude command line Commented Mar 31, 2015 at 13:33
  • apt-get dist-upgrade gave me the same message, but this solved it for me. I had a package which was breaking the upgrade of another package. I didn't need the one I installed, so aptitude full-upgrade gave me the option to remove it so it could upgrade everything else.
    – f.ardelian
    Commented Apr 30, 2015 at 0:53

This is usually because the package has added a dependency, and upgrade doesn't want to add it for you without permission.

If you run:

sudo apt-get install gimp gimp-data libgegl-0.0-0 libgimp2.0

Then the new versions should be installed together with their new dependency.

  • Upgrades specific packages (and their dependencies) without the commitment (risks) of a dist-upgrade.
    – John Mee
    Commented Sep 21, 2015 at 7:43
  • 1
    The package manager doesn't want to manage packages "without my permission" even though I manually typed sudo apt upgrade. Lol. Commented Oct 11, 2021 at 20:40

I have found that aptitude does a better job at upgrading packages if the versions differ just slightly. I had a situation like this:

me@compy:/etc/apt$ apt-cache policy gzip
  Installed: 1.3.5-15
  Candidate: 1.3.5-15+etch1
  Version table:
     1.3.5-15+etch1 0
        500 http://archive.debian.org etch/main Packages
 *** 1.3.5-15 0
        100 /var/lib/dpkg/status

This made apt-get hold back the update, but aptitude updated it just fine. I'm unsure which algorithm is used to determine if a package should be updated or not. I guess these two had the same version, only a different 'qualifier'. But in any case, apt-get wouldn't update it, but aptitude would.


Update/Upgrade not working [last answer]

The kept-back packages (...) are currently in Phased Updates.

Phased Updates is one precaution to prevent everybody from receiving a buggy package via upgrade: Some people get the upgraded a few days earlier, others a few days later. This provides an opportunity to pause distribution if early folks report problems.

There is nothing wrong. Your system is NOT broken.

  • 2
    I don't know yet if this is the correct answer, but I do know that the highly-upvoted answers here are incorrect answers - unless perhaps you're running a 10-year-old-system.
    – Seamus
    Commented Sep 15, 2022 at 23:04
  • For what it's worth, this seems to be what I'm running up against. More info at wiki.ubuntu.com/PhasedUpdates ... I wish apt would mention this in the "kept back" messaging!
    – lindes
    Commented Sep 17, 2022 at 17:11
  • 1
    @Seamus the question is from 2010, so no wonders they answers are mostly not correct if the behaviour changed in the OS version released in 2022. Seems there's a new mechanism which this answer is valid for and seems like the mechanism is quite good to avoid unnecessary harm. As lndes noted, it would be good if apt mentioned something about this new mechanism.
    – tymik
    Commented Jan 30, 2023 at 15:28

This looks like the correct way to reinstall kept back package:

apt-get install --reinstall libjpeg-progs

At least this worked for me when libjpeg-progs was stuck after upgrading from Ubuntu 14.04 to 16.04. I'm sure you can do the same with any other kept back app, e.g. gimp.


  • 1
    You could do it without --reinstall, too.
    – jarno
    Commented Jan 26, 2018 at 18:00
  • Funny thing is that it removes the libjpeg-turbo-progs package.
    – jarno
    Commented Jan 26, 2018 at 20:11

I ran into this problem when a new kernel was released. (Possibly because I have unstable updates enabled.) I found the simplest way to do the install was through Ubuntu's graphical installer (update-manager).


In my case packages held back were those related to linux-headers and kernel. I came to this by trying to solve an issue with having a red exclamation mark in the notification area and not being able to update packages.

To solve it, I did not have to use neither dist-upgrade nor manual apt-get install xxx.

What I did and has helped has been simple and clean:

sudo apt-get update
sudo apt-get autoremove
sudo apt-get autoclean
sudo apt-get upgrade

I had to manually confirm Grub update and its configuration.

Then I just worked with the computer for a while and then standard update dialogue has appeared again finally including "Ubuntu base" section with kernel and related. The update was performed without any trouble and I do not see any held back packages any more.

Also, it is very important to keep in mind that those *buntu updates including kernel updates are sensitive to hibernation - I've got this problem several times and I always get it resolved by restarting the machine and performing the steps above.

So maybe this would be just enough?!

(situation being described in here is related to my Xubuntu 15.10 in the end of december 2015)


While other answers have cautioned that apt dist-upgrade might remove programs, notice that you can just run the command and then answer "no" to the "Do you want to continue?" question in order to investigate what apt would do.

After updating a raspberry pi from buster to bullseye I ended up with apt reporting

The following packages have been kept back:

So I started searching for the error message, landed on this page, read a few answers and then ran

$ apt-get dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be REMOVED:
The following NEW packages will be installed:
  fuse3 libfuse3-3
The following packages will be upgraded:
1 upgraded, 2 newly installed, 1 to remove and 0 not upgraded.
Need to get 147 kB of archives.
After this operation, 196 kB of additional disk space will be used.
Do you want to continue? [Y/n] 

At this point it is clear that fuse had been replaced by fuse3 and I am happy to let apt remove it.

Your situation might be different but doing a (potential) dry-run will give you more detailed information and quite possibly answer the "why" question.


In actual fact, the switch you need is dselect-upgrade which installs / removes dependencies for the particular package set involved.


I have read all the posts and found that there are many interesting explanations. I was trying all of them but have not any results completely. I have a problem with mysql-utilities which I couldn't upgrade. The updating was proposed by the system. So, I want to show some steps to do it. Of course, I will repeat in some moments all of the aforementioned posts. Here is my mistake, yes I found it by already existed posts, but what should I do next? enter image description here

The next step is:

sudo apt-get --purge remove mysql-utilities

The results we can see in the image beneath. I remove the package and check this by command:

sudo apt-get -f install

Results - Fine! Later I installed this new version of package correctly. enter image description here

This way, I think can help for more new people because having other packages we can do the same steps.

Once, I am sorry, when I repeated in some places other posts.

  • 9
    Please don't use screenshots for terminal text, since that makes it unsearchable by Google and unreadable by some people. Instead, paste the terminal text into your answer, select that text, and press the {} button in the editor to properly format it. Commented Jan 25, 2018 at 22:14
  • @ChaiT.Rex Thanks for remarks, I will take it in opinion for the future. Commented Jan 25, 2018 at 22:43

I ran into this problem using synaptic because it appeared to hang, and to try and fix this I re-booted and tried again.

SOLUTION: Then I discovered an informative message as part of the package with some post-installation instructions for me.

I had to hit "details", and then 'q' for quit after reading the message, and then things proceeded normally.


For me and several commenters on Pablo's answer,

sudo apt-get --with-new-pkgs upgrade  # No effect

had no effect. I do not care to have my package marked as manually installed, so I did the following, using kept back package docker-ce as an example:

sudo apt install docker-ce  # Answer no, do not install

Abort the installation by answering n. Observe the new package(s) that would have been installed, and install them:

sudo apt install docker-ce-rootless-extras

Now apt upgrade will upgrade the previously kept back package:

sudo apt upgrade  # Upgrades docker-ce

This one line solves the issue automatically for me:

sudo apt-get install --only-upgrade `sudo apt-get upgrade | awk 'BEGIN{flag=0} /The following packages have been kept back:/ { flag=1} /^ /{if (flag) print}'`

It runs minimal update with --only-upgrade flag so it should not add any unnecessary packages to the dependency.

How: the line above looks for the "The following packages have been kept back" message in apt update and if found' it feeds the list to apt-get install --only-upgrade

Note: be very careful with any modifications to your system. Doing things with apt may leave your system broken!

I always run apt update a&& apt upgrade just to make sure the upgrade is stable.


I always run dist-upgrade on my dev laptop because I like latest and greatest, it is not do-release-upgrade which actually upgrades to a newer version,

On ubuntu 22.04 I had this issue with both :

ubuntu@ubuntu-inspiron-5482:~$ sudo apt dist-upgrade 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  python3-distupgrade ubuntu-release-upgrader-core ubuntu-release-upgrader-gtk
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.


ubuntu@ubuntu-inspiron-5482:~$ sudo apt-get --with-new-pkgs upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  python3-distupgrade ubuntu-release-upgrader-core ubuntu-release-upgrader-gtk
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

So both solutions from the highest rated answer do not work. What worked is to install a package, it actually had the other two as dependencies:

sudo apt install ubuntu-release-upgrader-core 

After that the 3 packages installed and everything is up to date. I wonder why those were kept back, I seen no difference on my system, but perhaps there is an issue with the new release running the tools.

Anyway, this is the only option that works for me.


Some recently installed packages may require a reboot before new can be installed (and the latter are held back), e.g.:

$ sudo apt list --upgradable
Listing... Done
distro-info-data/jammy-updates,jammy-updates 0.52ubuntu0.2 all [upgradable from: 0.52ubuntu0.1]
gnome-shell-common/jammy-updates,jammy-updates 42.5-0ubuntu1 all [upgradable from: 42.4-0ubuntu0.22.04.1]
gnome-shell/jammy-updates 42.5-0ubuntu1 amd64 [upgradable from: 42.4-0ubuntu0.22.04.1]
grub-efi-amd64-bin/jammy-updates 2.06-2ubuntu10 amd64 [upgradable from: 2.06-2ubuntu7]
grub-efi-amd64-signed/jammy-updates 1.182~22.04.1+2.06-2ubuntu10 amd64 [upgradable from: 1.180+2.06-2ubuntu7]
The following packages have been kept back:
  clang-9 cpp g++ gcc gcc-10-base kali-linux-default lib32gcc-s1 lib32stdc++6 libatomic1 libcc1-0
  libclang-common-9-dev libclang-cpp9 libgcc-s1 libgfortran5 libgomp1 libitm1 libllvm9 liblsan0 libobjc4
  libpython2-stdlib libquadmath0 libstdc++6 libtsan0 libubsan1 linux-headers-amd64 llvm-9 llvm-9-dev llvm-9-runtime
  llvm-9-tools python2 python2-minimal python3-chardet python3-pandas python3-pandas-lib

apt upgrade; apt update just kept coming back to that and wouldn't install anything. There was a huge block of stuff as well that needed to be autoremoved and that went fine, but still would not install the kept back packages. I tried the easy options 1 and 2 way up there at the beginning of this thread and they did not work.

So I just did apt install /that whole list of kept back packages/, and it all started going.

I've actually never run into this problem before. I just thought it was odd that apt update; apt upgrade didn't work but apt install and then copying that whole list in went off without a hitch and it's working fine now.

And I'm going to apologize now. I wasn't using an ubuntu distribution (I just realized this). I was actually updating a Kali installation when this all occurred. I've never seen anything like this on Ubuntu.

Let me know if I should delete this post (still new).



Following a do-release-upgrade, your third-party or private repositories (such as PPAs) may be disabled. This can stop a package being updated because it can no longer find the dependencies it needs, and/or old packages conflict with newer packages.

Have a look through your .list files, usually in /etc/apt/sources.list.d, to see what needs to be re-enabled.

Then run apt update and try again.

This is happened to me after a do-release-upgrade on a Google VM.


In my case, I got the message because I run sudo apt upgrade without first running sudo apt update.

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  alsa-ucm-conf fonts-opensymbol libreoffice-base-core libreoffice-calc libreoffice-common libreoffice-core libreoffice-draw
  libreoffice-gnome libreoffice-gtk3 libreoffice-help-common libreoffice-help-en-gb libreoffice-help-en-us libreoffice-impress
  libreoffice-l10n-en-gb libreoffice-l10n-en-za libreoffice-math libreoffice-style-colibre libreoffice-style-elementary
  libreoffice-style-yaru libreoffice-uiconfig-calc libreoffice-uiconfig-common libreoffice-uiconfig-draw
  libreoffice-uiconfig-impress libreoffice-uiconfig-math libreoffice-uiconfig-writer libreoffice-writer libuno-cppu3
  libuno-cppuhelpergcc3-3 libuno-purpenvhelpergcc3-3 libuno-sal3 libuno-salhelpergcc3-3 python3-uno uno-libs-private ure
0 upgraded, 0 newly installed, 0 to remove and 34 not upgraded.

Running sudo apt-get --with-new-pkgs upgrade alsa-ucm-conf fonts-opensymbol libreoffice-base-core libreoffice-calc libreoffice-common libreoffice-core libreoffice-drawlibreoffice-gnome libreoffice-gtk3 libreoffice-help-common libreoffice-help-en-gb libreoffice-help-en-us libreoffice-impresslibreoffice-l10n-en-gb libreoffice-l10n-en-za libreoffice-math libreoffice-style-colibre libreoffice-style-elementarylibreoffice-style-yaru libreoffice-uiconfig-calc libreoffice-uiconfig-common libreoffice-uiconfig-drawlibreoffice-uiconfig-impress libreoffice-uiconfig-math libreoffice-uiconfig-writer libreoffice-writer libuno-cppu3libuno-cppuhelpergcc3-3 libuno-purpenvhelpergcc3-3 libuno-sal3 libuno-salhelpergcc3-3 python3-uno uno-libs-private ure as suggested in other answers did not help.

$ sudo apt-get --with-new-pkgs upgrade alsa-ucm-conf fonts-opensymbol libreoffice-base-core libreoffice-calc libreoffice-common libreoffice-core libreoffice-drawlibreoffice-gnome libreoffice-gtk3 libreoffice-help-common libreoffice-help-en-gb libreoffice-help-en-us libreoffice-impresslibreoffice-l10n-en-gb libreoffice-l10n-en-za libreoffice-math libreoffice-style-colibre libreoffice-style-elementarylibreoffice-style-yaru libreoffice-uiconfig-calc libreoffice-uiconfig-common libreoffice-uiconfig-drawlibreoffice-uiconfig-impress libreoffice-uiconfig-math libreoffice-uiconfig-writer libreoffice-writer libuno-cppu3libuno-cppuhelpergcc3-3 libuno-purpenvhelpergcc3-3 libuno-sal3 libuno-salhelpergcc3-3 python3-uno uno-libs-private ure
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package libreoffice-drawlibreoffice-gnome
E: Unable to locate package libreoffice-impresslibreoffice-l10n-en-gb
E: Unable to locate package libreoffice-style-elementarylibreoffice-style-yaru
E: Unable to locate package libreoffice-uiconfig-drawlibreoffice-uiconfig-impress
E: Unable to locate package libuno-cppu3libuno-cppuhelpergcc3-3

I ran sudo apt update before sudo apt upgrade and it worked out.

$ sudo apt update
Hit:1 https://dl.winehq.org/wine-builds/ubuntu mantic InRelease
Hit:2 http://it.archive.ubuntu.com/ubuntu mantic InRelease                                                                      
Get:3 http://it.archive.ubuntu.com/ubuntu mantic-updates InRelease [109 kB]                                                     
Hit:4 http://security.ubuntu.com/ubuntu mantic-security InRelease
Hit:5 http://it.archive.ubuntu.com/ubuntu mantic-backports InRelease
Get:6 http://it.archive.ubuntu.com/ubuntu mantic-updates/main amd64 Packages [331 kB]
Get:7 http://it.archive.ubuntu.com/ubuntu mantic-updates/main i386 Packages [168 kB]
Get:8 http://it.archive.ubuntu.com/ubuntu mantic-updates/universe amd64 Packages [296 kB]
Get:9 http://it.archive.ubuntu.com/ubuntu mantic-updates/universe i386 Packages [123 kB]
Fetched 1,027 kB in 1s (792 kB/s)                       
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
34 packages can be upgraded. Run 'apt list --upgradable' to see them.

For the very specific flavour of this problem where the proprietary nvidia drivers are halfway updated to a new version, I reinstalled them using the driver manager. To give some context: I was stuck halfway between the 440 and 450 version of the driver and a whole package of libnvidia 440 packages were kept back. This resulted in my kubuntu being stuck at the spash screen after grub. To get into the system, I had to add "nomodeset" to the grub command as described here.

In this specific case

sudo apt-get --with-new-pkgs upgrade

did have no effect. However, I was able to reinstall the drivers through the additional driver management. In my case, on Kubuntu I started

sudo kubuntu-driver-manager

On Ubuntu you can reach the same thing via System Settings > System > Software & Updates > Additional Drivers

There I selected the 450 driver and the graphic drivers were reinstalled, resulting in a properly booting machine.

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .