Debian-Ubuntu: Debian and Debian-Based Distro Administration
Administer Debian, Ubuntu, Linux Mint, Pop!_OS, Devuan, and other Debian-derived systems, with partial coverage for Kali when the question is about base OS administration rather than security-distro workflow. Focus on Debian stable and Ubuntu LTS first, then layer in derivative-specific behavior, PPA workflows, snap confinement, Ubuntu HWE, and explicit checks for derivatives that diverge on init, packaging defaults, or intended use.
Versions worth pinning (verified May 2026):
Only pin versions here when they materially affect compatibility or troubleshooting shape. For ordinary Debian and Ubuntu package work, prefer the live distro lane and package policy over a stale package-version table.
| Component | Version | Why it matters |
|---|---|---|
| Debian stable | 13 (trixie) | current stable baseline and repo behavior |
| Ubuntu LTS | 26.04 (Resolute Raccoon) | current LTS baseline for most Ubuntu guidance |
| Ubuntu interim lane | verify live | interim releases move fast; check the active upgrade path instead of memorizing one short-lived codename |
| Ubuntu HWE lane | verify live | kernel metapackage and hardware-enablement behavior matter more than one exact kernel number |
| NVIDIA driver branch | verify live | proprietary branch choice affects Wayland, gaming, and DKMS behavior |
| Mesa stack | verify live | AMD and Intel graphics behavior tracks the shipped Mesa lane |
| Kernel security | verify live via USN tracker | patch high-severity privesc CVEs promptly; mid-2026 examples to confirm fixed: Copy Fail CVE-2026-31431 (CISA KEV, exploited), Dirty Frag CVE-2026-43284/43500, Fragnesia CVE-2026-46300 (ESP-in-TCP, exploited), ptrace CVE-2026-46333 |
When to use
- Package management with
apt,apt-get,dpkg,apt-cache, pinning, or holds - PPA management on Ubuntu, Mint, or Pop!_OS (
add-apt-repository, key handling) - Snap and Flatpak workflow, confinement issues, and alternatives
- systemd service, timer, boot, and journal troubleshooting on Debian-style systems
- GRUB, initramfs, EFI, kernel, and recovery work on Debian or Ubuntu
- Release maintenance: dist-upgrades, HWE transitions, release upgrades (
do-release-upgrade) - Desktop stack: Wayland vs X11, GNOME, KDE, Cinnamon, COSMIC, portals, PipeWire, Bluetooth
- Session startup and laptop work: GDM, SDDM, LightDM, suspend/resume, power profiles, hybrid graphics
- GPU and gaming: NVIDIA proprietary vs nouveau, AMD Mesa, Intel, Vulkan, Steam, Proton, Gamescope
- Capture and communication: OBS, WebRTC screen sharing, Discord/Teams, portals, virtual cameras
- Storage: ext4, Btrfs, LUKS, LVM, TRIM, hibernation
- Firmware and hardware enablement:
fwupd,ubuntu-drivers, HWE stacks, backports - Security: AppArmor profiles, unattended-upgrades, needrestart, debian-security updates
- Remote gaming and input: Moonlight, Sunshine, Steam Remote Play, controllers
- Base Linux ops on Debian-style systems:
journalctl,dmesg,lsblk,update-alternatives
When NOT to use
- Shell syntax, quoting, or script portability - use command-prompt
- Network architecture, DNS, VPNs, reverse proxies, or firewall design - use networking
- Docker, Podman, image builds, or container runtime - use docker
- Kubernetes cluster or manifest work - use kubernetes
- Fleet-wide Linux configuration via playbooks - use ansible
- Security review, vulnerability triage, or offensive testing - use security-audit or lockpick
- RPM-family distros and tooling - use rhel-fedora. That includes RHEL, Fedora, Rocky, AlmaLinux, Oracle Linux, and Amazon Linux.
- Ubuntu Core and snap-only transactional workflows - outside this skill; do not treat them like ordinary apt-managed Ubuntu hosts
- NixOS or declarative system management - use nixos-btw
- Kali offensive tooling, pentest workflow, or training-image specifics - use kali-linux
- OPNsense or pfSense appliance work - use firewall-appliance
AI Self-Check
Before returning Debian or Ubuntu commands, verify:
- Distro and release identified: Debian stable/testing/unstable, Ubuntu LTS/interim, Mint, Pop!_OS, Devuan, Kali, or another derivative. Advice diverges quickly.
- Init system identified: do not assume systemd on Devuan or other Debian derivatives without checking PID 1, service manager, and boot tooling first.
- Release model respected: do not suggest
apt upgradewhenapt full-upgradeorapt dist-upgradeis required for package transitions. Do not suggestapt dist-upgradecasually on Ubuntu without context. - Ubuntu 24.04 -> 26.04 delta accounted for: Ubuntu 24.04 LTS upgraders inherit 24.10, 25.04, 25.10, and 26.04 changes. Do not treat 26.04 as a small point refresh of 24.04.
- Repository state clean: no broken apt lists, missing GPG keys, or mixed releases without pinning.
- Boot stack identified: GRUB vs other loader, EFI vs BIOS, initramfs generator, and kernel metapackage before changing boot files.
- Fallback path exists: do not remove the only known-good kernel or break the only boot entry on a remote system.
- PPA trust boundary respected: review PPA source, key, and maintenance status before adding.
- systemd scope is correct: distinguish system units from user units and use
systemctl --useronly when appropriate. - Wayland stack is coherent: compositor, portal backend, Xwayland compatibility, and user-session services line up.
- Session startup path identified: display manager, greeter, or TTY launch path known before debugging env propagation.
- Audio stack is coherent: PipeWire,
pipewire-pulse, and WirePlumber are not fighting a leftover PulseAudio setup. - Bluetooth path is complete:
bluetooth.servicealone is not enough if audio routing, trust, pairing, or profile selection is broken. - GPU stack matches hardware: proprietary NVIDIA vs nouveau vs Mesa. Verify actual driver in use before debugging graphics issues.
- Gaming stack includes 32-bit userspace when needed: Steam and Proton failures often come from missing
i386graphics libraries. - Capture stack is coherent: portal backend, PipeWire, WebRTC or Electron client path, and any virtual camera module choice line up.
- Suspend and hibernation claims are real: hibernation advice matches actual swap layout, initramfs resume hook, and Secure Boot state.
- AppArmor state is considered: on Ubuntu, AppArmor denials can silently break services, snaps, or custom binaries.
- Snap confinement is not ignored: when a snap misbehaves, check interfaces and confinement level before reinstalling.
- Ubuntu desktop session assumptions are current: on Ubuntu 26.04 Desktop, do not assume a stock Xorg session or the old
Software & UpdatesGUI are present by default. - HWE kernel path is understood: Ubuntu HWE stacks transition kernel metapackages. Know whether the system tracks
genericorhwe. - Diagnostic errors are not silenced: do not mask failures with
2>/dev/nullon commands whose error reason matters. Use2>&1 || trueto surface errors without aborting. - Firmware updates are not conflated with package updates:
fwupdand vendor tools (e.g.,system76-firmware) are separate fromapt upgrade. - Debian alternatives are checked: when a command behaves oddly, verify
update-alternativesfor that binary. - Current source checked: dated versions, CLI flags, API names, and support windows are verified against primary docs before repeating them
- Hidden state identified: local config, credentials, caches, contexts, branches, cluster targets, or previous runs are made explicit before acting
- Verification is real: final checks exercise the actual runtime, parser, service, or integration point instead of only linting prose or ha