apt-get upgrade holds back a kernel update. What are the official instructions for applying updates on Debian 9?

Question

I saw the following on Debian 9 "stretch":

# apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-image-marvell
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

An update does not install, despite this command being an official way to update Debian according to the "Securing Debian Manual". (Snapshot at time of reading here).

By contrast, both aptitude and the newer apt command are prepared to install it. That said, this particular version is not a security update. I understand that apt and potentially aptitude have different defaults. I would like to ask how deliberate this behaviour on Debian's part...

The Securing Debian Manual lists aptitude first, when describing how to apply updates. And I know apt has some changed defaults that are supposed to be more user-friendly. Looking carefully at the current Debian Installation Guide, it is pointing new users to apt or aptitude. I think all the example commands now reference apt, not apt-get.

My starting assumption is that security updates to the kernel would not be held back by an update method endorsed by the Debian Security Manual. (Let me know if I assume wrongly :-). But I want to make sure I understand how to update my Debian system.

Questions

1. If I want to get the defaults that modern Debian is setting up for new users, I'm being recommended to train my fingers to type apt instead of apt-get. Right?
2. The previous Installation Guide (for Debian 8) references apt-get, as does the documentation for upgrading from Debian 8 to Debian 9. So very broadly, I guess the safest option is not to use apt before the Debian 8 -> Debian 9 transition?
3. Is there a widely known case or cases that you would like to suggest I watch out for, where the current solution is to use apt-get for some task?
4. Does Debian have a comment somewhere about the choice to make apt more eager to apply updates, which specifically confirms there is is distinction of security and non-security updates?
5. On a slightly different angle, is there any information about Debian's choice to arrange a (non-security) kernel update like this, that avoids them being applied with the normal configuration used by apt-get on my system?

---

Details of this update

# apt-cache policy linux-image-marvell
linux-image-marvell:
  Installed: 4.9+80+deb9u4                                             
  Candidate: 4.9+80+deb9u5      
  Version table:                     
     4.9+80+deb9u5 500
        500 http://ftp.uk.debian.org/debian stretch/main armel Packages
 *** 4.9+80+deb9u4 500
        500 http://security.debian.org stretch/updates/main armel Packages
        100 /var/lib/dpkg/status

Version of "apt-get" used

# apt-cache policy apt
apt:
  Installed: 1.4.8
  Candidate: 1.4.8
...

Different behaviour with different update methods

# aptitude upgrade
Resolving dependencies...                
The following NEW packages will be installed:
  linux-image-4.9.0-7-marvell{a}
The following packages will be upgraded:
  linux-image-marvell
1 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/21.9 MB of archives. After unpacking 91.2 MB will be used.
Do you want to continue? [Y/n/?] n
Abort.

# apt upgrade
Reading package lists... Done
Building dependency tree        
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  linux-image-4.9.0-7-marvell
The following packages will be upgraded:
  linux-image-marvell
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/21.9 MB of archives.
After this operation, 91.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.

Answer 1

First, I’ll start by explaining the behaviour you’re seeing. By default, apt-get is very conservative and won’t install new packages when running upgrade, only dist-upgrade (this can be changed with the --with-new-pkgs option). apt on the other hand will (it enables the APT::Get::Upgrade-Allow-New option by default), as will aptitude (which has a different resolution algorithm anyway). Since the kernel went through an ABI bump, upgrading it involves installing a new package...

Note too that strictly speaking you’re not getting this kernel update as a security fix, but as part of last weekend’s 9.5 point release. That’s neither here nor there though since the priorities are the same. (You’re aware of this already, I mention this for other readers.) Security updates to the kernel can involve ABI bumps, so this situation can arise with security updates as well as point-release updates; the distinction, as far as the kernel packages in Debian are concerned, is mostly one of opportunity and timing, since all kernel updates are security updates anyway.

Now to answer your questions:

1. apt is now the recommended APT front-end, yes, at least for interactive use; it’s supposed to have user-friendlier defaults (compared with apt-get). Both tools use the same algorithms and apt-get can be configured to behave like apt; run apt-config dump | grep Binary::apt to see the specific settings apt enables. If you prefer aptitude you can keep on using that too.

2. In Debian 8, as far as I can tell, apt is exactly equivalent to apt-get, so you can use it too; apt came to the forefront with Debian 9 following work by its developers to make it more useful as a user-facing tool. The Debian FAQ suggests using apt instead of apt-get and apt-cache starting with Debian 8 (Jessie). (I see it gets the description of apt update slightly wrong.)

3. The current recommendation is to avoid apt in scripts since its interface may change. Apart from that, there shouldn’t be any scenarios where you’d need apt-get rather than apt.

4. apt doesn’t distinguish between security and non-security updates, unless you configure it to do so.

5. I’m not sure it’s a conscious decision... The last update to the Securing Debian Manual is quite a bit older than Debian 9. Note that, when using apt-get, the Debian FAQ refers to apt-get dist-upgrade to keep a Debian system up-to-date. The FAQ is also older than Debian 9, but was updated more recently.