The problem

While updating a Debian system I ran:

apt-get update
apt-get upgrade

And got this at the end:

The following packages have been kept back:
  linux-image-amd64 linux-headers-amd64
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

The packages were not updated. Running apt-get upgrade again produced the same result.

Why it happens

apt upgrade is intentionally conservative. It will not install new packages or remove existing ones to satisfy dependencies — it only upgrades packages that can be resolved without touching anything else.

When a package update introduces new dependencies or requires removing a conflicting package, apt upgrade holds it back rather than making those changes automatically.

This is most common with:

  • Kernel upgrades (which install a new linux-image-* package alongside the old one)
  • Packages that have changed their dependency tree between versions
  • Transitions between major library versions

The fix

apt-get dist-upgrade

Or with the modern apt command (Debian 8+ / Ubuntu 14.04+):

apt full-upgrade

Both do the same thing: they allow resolving dependencies by installing new packages or removing obsolete ones. The held-back packages get upgraded.

Before running it — check what will change

dist-upgrade can be more disruptive than a regular upgrade. Before confirming, review what it plans to do:

apt-get dist-upgrade --dry-run

Look at the summary line:

5 upgraded, 2 newly installed, 1 to remove and 0 not upgraded.

If you see unexpected removals of packages you care about, investigate before proceeding. For routine kernel upgrades and library transitions on a well-maintained system, it is safe to confirm.

See what is held back

To list packages that have available upgrades:

apt list --upgradable

To upgrade a single held-back package without running a full dist-upgrade:

apt-get install package-name

Specifying the package name directly forces apt to resolve its new dependencies.

upgrade vs full-upgrade — when to use each

Command Behavior
apt upgrade Safe, never removes packages or installs new ones
apt full-upgrade Resolves dependencies fully, may install or remove packages

For a desktop or server you maintain regularly, running full-upgrade is the normal path. Use upgrade only when you want to apply non-disruptive security patches without touching dependency graphs.

  • Created: June 16, 2007
  • Last edited: July 7, 2026