Debian-Ubuntu: Debian and Debian-Based Distro Administration
Administer Debian, Ubuntu, Linux Mint, Pop!_OS, Devuan, and other Debian-derived systems,
with partial coverage for Kali when the question is about base OS administration rather than
security-distro workflow. Focus on Debian stable and Ubuntu LTS first, then layer in
derivative-specific behavior, PPA workflows, snap confinement, Ubuntu HWE, and explicit checks
for derivatives that diverge on init, packaging defaults, or intended use.
Versions worth pinning (verified April 2026):
Only pin versions here when they materially affect compatibility or troubleshooting shape. For
ordinary Debian and Ubuntu package work, prefer the live distro lane and package policy over a
stale package-version table.
Component
Version
Why it matters
Debian stable
13 (trixie)
current stable baseline and repo behavior
Ubuntu LTS
26.04 (Resolute Raccoon)
current LTS baseline for most Ubuntu guidance
Ubuntu interim lane
verify live
interim releases move fast; check the active upgrade path instead of memorizing one short-lived codename
Ubuntu HWE lane
verify live
kernel metapackage and hardware-enablement behavior matter more than one exact kernel number
NVIDIA driver branch
verify live
proprietary branch choice affects Wayland, gaming, and DKMS behavior
Mesa stack
verify live
AMD and Intel graphics behavior tracks the shipped Mesa lane
When to use
Package management with
apt
,
apt-get
,
dpkg
,
apt-cache
, pinning, or holds
PPA management on Ubuntu, Mint, or Pop!_OS (
add-apt-repository
, key handling)
Snap and Flatpak workflow, confinement issues, and alternatives
systemd service, timer, boot, and journal troubleshooting on Debian-style systems
GRUB, initramfs, EFI, kernel, and recovery work on Debian or Ubuntu
Remote gaming and input: Moonlight, Sunshine, Steam Remote Play, controllers
Base Linux ops on Debian-style systems:
journalctl
,
dmesg
,
lsblk
,
update-alternatives
When NOT to use
Shell syntax, quoting, or script portability - use command-prompt
Network architecture, DNS, VPNs, reverse proxies, or firewall design - use networking
Docker, Podman, image builds, or container runtime - use docker
Kubernetes cluster or manifest work - use kubernetes
Fleet-wide Linux configuration via playbooks - use ansible
Security review, vulnerability triage, or offensive testing - use security-audit or lockpick
RPM-family distros and tooling - use rhel-fedora. That includes RHEL, Fedora, Rocky, AlmaLinux, Oracle Linux, and Amazon Linux.
Ubuntu Core and snap-only transactional workflows - outside this skill; do not treat them like ordinary apt-managed Ubuntu hosts
NixOS or declarative system management - outside this skill; route to a dedicated NixOS skill when one exists
Kali offensive tooling, pentest workflow, or training-image specifics - use kali-linux
OPNsense or pfSense appliance work - use firewall-appliance
AI Self-Check
Before returning Debian or Ubuntu commands, verify:
Distro and release identified: Debian stable/testing/unstable, Ubuntu LTS/interim, Mint, Pop!_OS, Devuan, Kali, or another derivative. Advice diverges quickly.
Init system identified: do not assume systemd on Devuan or other Debian derivatives without checking PID 1, service manager, and boot tooling first.
Release model respected: do not suggest
apt upgrade
when
apt full-upgrade
or
apt dist-upgrade
is required for package transitions. Do not suggest
apt dist-upgrade
casually on Ubuntu without context.
Ubuntu 24.04 -> 26.04 delta accounted for: Ubuntu 24.04 LTS upgraders inherit 24.10, 25.04, 25.10, and 26.04 changes. Do not treat 26.04 as a small point refresh of 24.04.
Repository state clean: no broken apt lists, missing GPG keys, or mixed releases without pinning.
Boot stack identified: GRUB vs other loader, EFI vs BIOS, initramfs generator, and kernel metapackage before changing boot files.
Fallback path exists: do not remove the only known-good kernel or break the only boot entry on a remote system.
PPA trust boundary respected: review PPA source, key, and maintenance status before adding.
systemd scope is correct: distinguish system units from user units and use
systemctl --user
only when appropriate.
Wayland stack is coherent: compositor, portal backend, Xwayland compatibility, and user-session services line up.
Session startup path identified: display manager, greeter, or TTY launch path known before debugging env propagation.
Audio stack is coherent: PipeWire,
pipewire-pulse
, and WirePlumber are not fighting a leftover PulseAudio setup.
Bluetooth path is complete:
bluetooth.service
alone is not enough if audio routing, trust, pairing, or profile selection is broken.
GPU stack matches hardware: proprietary NVIDIA vs nouveau vs Mesa. Verify actual driver in use before debugging graphics issues.
Gaming stack includes 32-bit userspace when needed: Steam and Proton failures often come from missing
i386
graphics libraries.
Capture stack is coherent: portal backend, PipeWire, WebRTC or Electron client path, and any virtual camera module choice line up.
Suspend and hibernation claims are real: hibernation advice matches actual swap layout, initramfs resume hook, and Secure Boot state.
AppArmor state is considered: on Ubuntu, AppArmor denials can silently break services, snaps, or custom binaries.
Snap confinement is not ignored: when a snap misbehaves, check interfaces and confinement level before reinstalling.
Ubuntu desktop session assumptions are current: on Ubuntu 26.04 Desktop, do not assume a stock Xorg session or the old
Software & Updates
GUI are present by default.
HWE kernel path is understood: Ubuntu HWE stacks transition kernel metapackages. Know whether the system tracks
generic
or
hwe
.
Diagnostic errors are not silenced: do not mask failures with
2>/dev/null
on commands whose error reason matters. Use
2>&1 || true
to surface errors without aborting.
Firmware updates are not conflated with package updates:
fwupd
and vendor tools (e.g.,
system76-firmware
) are separate from
apt upgrade
.
Debian alternatives are checked: when a command behaves oddly, verify
update-alternatives
for that binary.
Workflow
Step 1: Identify the distro lane first
Distro
Default stance
What changes
Debian stable
Conservative, pin-oriented
stable
repo only unless testing/unstable explicitly requested. Backports for select packages.
Debian testing
Rolling-ish, with freezes
Closer to Ubuntu but without Ubuntu-specific tooling.
Debian unstable (sid)
True rolling
No release, just
sid
. Higher breakage risk.
Ubuntu LTS
Default baseline
do-release-upgrade
for release jumps. Treat Ubuntu 26.04 as the current baseline, but remember that 24.04 LTS upgraders also inherit 24.10, 25.04, and 25.10 changes. HWE kernel optional. Snap presence.
Ubuntu interim
Short-lived
Common stepping stone into the current LTS. Quick to EOL.
Linux Mint
Ubuntu LTS derivative
Cinnamon/XFCE focus. Mint-specific repos and update manager. PPAs from Ubuntu often work.
Pop!_OS
Ubuntu derivative with extras
System76 firmware, COSMIC desktop, Pop repos,
system76-power
. NVIDIA ISO available.
Devuan
Debian derivative with a major service-model split
Do not assume systemd,
systemctl
, or Ubuntu-style desktop/session plumbing. Verify init and service tooling first.
Kali
Debian-derived security distro
Fine for base apt, kernel, boot, or service administration, but use kali-linux for Kali-specific branches, images, metapackages, training-image workflow, and offensive-distro context.
If the host is Ubuntu 24.04 LTS or the user is planning a 24.04 -> 26.04 move, load
references/derivatives-and-hwe.md
early. That path bundles interim-release churn, desktop-session
changes, app swaps, and GUI-tool changes that do not show up if you treat 26.04 like a routine
point upgrade.
When a bug looks desktop-only, compare one clean baseline:
GNOME vs KDE vs Cinnamon vs COSMIC
browser WebRTC vs packaged client
plain game launch vs Gamescope or MangoHud
stock kernel vs HWE kernel
Default Decisions
Debian stable means conservative updates. Pin when mixing repos. Use backports selectively. Avoid
testing
or
sid
packages on stable without a transition plan.
Ubuntu LTS means predictable cadence. Ubuntu 26.04 is the current baseline, but 24.04 -> 26.04 upgrades bundle three interim releases plus the final LTS delta. Expect bigger desktop, app, and workflow changes than the version jump alone suggests.
Ubuntu Desktop assumptions changed in 26.04. Stock Ubuntu Desktop is Wayland-only, and the old
Software & Updates
GUI is no longer installed by default on new installs. GUI-first troubleshooting advice from 24.04-era blog posts may be wrong on fresh 26.04 systems.
Use systemd-native tools first. Reach for
systemctl
,
journalctl
,
timedatectl
, and
localectl
before distro wrappers.
Treat PPAs as exceptions, not defaults. Review maintainer, signing key, freshness, and package origin before adding one. Remove dead PPAs promptly.
Prefer distro packages before third-party repos. Use Debian backports, Ubuntu official repos, or vendor packages first; escalate to PPAs only when the distro lane is genuinely insufficient.
Treat snaps as sandboxed first. Interface and confinement issues explain more snap failures than package bugs.
GRUB and initramfs are one subsystem. Kernel metapackage,
update-initramfs
,
update-grub
, and EFI fallback all have to agree.
Desktop failures are often session failures. On Wayland, user units, portals, and session env matter as much as the package list.
Gaming failures are often stack mismatches. Wrong driver branch, missing
i386
userspace, absent firmware, or broken Proton path is more common than "Linux gaming is bad."
Capture failures are portal/PipeWire failures. OBS, browser WebRTC, Discord, and Teams often fail at the screencast path.
AppArmor is invisible until it is not. On Ubuntu, check
aa-status
and journal denials when a service or binary mysteriously fails.
Firmware is separate from packages.
fwupd
and vendor tools update hardware firmware. Do not expect
apt upgrade
to fix BIOS or SSD firmware.
Quick Triage Checklist
Symptom
First checks
Package weirdness after install
apt update
first. Broken dependencies?
apt -f install
. Held packages?
apt-mark showhold
. Mixed releases?
apt-cache policy
Service fails after update
Config merge needed?
ucf
or
dpkg --configure -a
. Check unit overrides and
journalctl -b
Won't boot after kernel work
GRUB menu, fallback kernel, initramfs. From live media, mount root and the ESP, then bind-mount
/dev
,
/proc
,
/sys
, and
/run
before
chroot
; use the boot recovery reference instead of a one-line chroot recipe.
PPA broke the system
ppa-purge
if available, or manual downgrade + remove after checking package origin with
apt-cache policy
Snap app misbehaves
snap connections
,
snap info
, confinement level, interfaces
Desktop weirdness after update
XDG_SESSION_TYPE
, portal, Xwayland, user services. On Ubuntu 26.04, verify the user is not expecting the old Ubuntu Xorg session to exist by default.
Bluetooth audio issues
BlueZ pairing, PipeWire nodes, card profile
Game blackscreen/crash
GPU driver (proprietary vs Mesa), Vulkan, Steam
i386
libs, Gamescope/MangoHud
Screen share broken
Wayland vs X11, portal backend, PipeWire user units
docker - container runtime and image concerns instead of host distro administration
kubernetes - cluster and manifest work that sits above host OS administration
ansible - codifying Linux changes across many machines
security-audit - hardening and security review rather than normal package/service administration
rhel-fedora - RPM-family distro administration rather than Debian-family behavior
kali-linux - Kali-specific branch, image, and offensive-workflow concerns
firewall-appliance - OPNsense and pfSense appliance work rather than Linux host administration
arch-btw - Arch Linux and CachyOS administration (the upstream inspiration for this skill)
update-docs - after substantial system administration changes that introduce new operational gotchas
Rules
Identify the distro and release before prescribing commands. Debian stable, testing, sid, Ubuntu LTS or interim, Mint, Pop!_OS, Devuan, and Kali differ where it matters: repos, init systems, kernels, and recovery assumptions.
No mixed-release advice without pinning context. Adding
testing
or
sid
sources to Debian stable without apt pinning is usually wrong.
Keep PPAs in perspective. Prefer distro packages, Debian backports, or vendor-supported repos first. Use PPAs only when the distro lane is genuinely insufficient, and verify package origin before adding one.
Know the boot chain before touching it. Confirm GRUB stage, ESP mount, kernel metapackage, initramfs hooks, and EFI fallback path first.
Never remove the last known-good kernel path casually. Especially on remote or encrypted systems.
Prefer systemd-native diagnostics.
systemctl
,
journalctl
, and
update-grub
usually tell you more than distro wrappers or generic forum folklore.
Ubuntu 26.04 changed some desktop defaults in ways that affect support. Do not assume a stock Ubuntu Xorg session, the old
Software & Updates
GUI, or 24.04-era desktop app names are still present on fresh installs.
Ubuntu HWE is opt-in complexity. Treat HWE kernels as additions that must be validated, not magic defaults.
For Wayland issues, inspect the user session first. Portals, user units, and Xwayland compatibility usually matter more than package reinstall churn.
For gaming issues, identify the GPU vendor and userspace first. Driver branch, Vulkan stack,
i386
multilib, and launch wrappers usually explain more than random tweak cargo cults.
For capture issues, debug portals and PipeWire before app folklore. OBS, browser WebRTC, Discord, and Teams often fail at the screencast path.
AppArmor can silently break things. On Ubuntu, check
aa-status
and AppArmor denials when a service or binary mysteriously fails.
Do not oversell hibernation or resume. These depend on exact swap layout, initramfs resume hook, and Secure Boot state.
Reach for common Debian/Ubuntu failure patterns before exotic explanations. Mixed repos, stale PPAs, DKMS drift, AppArmor denials, HWE metapackage mismatch, and snap confinement explain a large share of the chaos.