Apt modernize-sources

A test:

apt update --audit

did show:

Audit: The sources.list(5) entry for 'https://deb.debian.org/debian' should be upgraded to deb822 .sources
Audit: Missing Signed-By in the sources.list(5) entry for 'https://deb.debian.org/debian'
Audit: The sources.list(5) entry for 'https://deb.debian.org/debian' should be upgraded to deb822 .sources
Audit: Missing Signed-By in the sources.list(5) entry for 'https://deb.debian.org/debian'
Audit: The sources.list(5) entry for 'https://deb.debian.org/debian-security' should be upgraded to deb822 .sources
Audit: Missing Signed-By in the sources.list(5) entry for 'https://deb.debian.org/debian-security'
Audit: The sources.list(5) entry for 'https://deb.debian.org/debian' should be upgraded to deb822 .sources
Audit: Missing Signed-By in the sources.list(5) entry for 'https://deb.debian.org/debian'
Audit: The sources.list(5) entry for 'https://dietpi.com/apt' should be upgraded to deb822 .sources
Audit: Missing Signed-By in the sources.list(5) entry for 'https://dietpi.com/apt'
Audit: Consider migrating all sources.list(5) entries to the deb822 .sources format
Audit: The deb822 .sources format supports both embedded as well as external OpenPGP keys
Audit: See apt-secure(8) for best practices in configuring repository signing.
Audit: Some sources can be modernized. Run 'apt modernize-sources' to do so.
Some sources can be modernized. Run 'apt modernize-sources' to do so.

Is it recommended to do that?

I run these services:

[  OK  ] DietPi-Services | nmbd                 active (running) since Mon 2025-11-24 11:55:11 CET; 18h ago
[  OK  ] DietPi-Services | smbd                 active (running) since Mon 2025-11-24 11:55:11 CET; 18h ago
[  OK  ] DietPi-Services | roonserver           active (running) since Mon 2025-11-24 11:55:11 CET; 18h ago
[  OK  ] DietPi-Services | cron                 active (running) since Mon 2025-11-24 11:55:11 CET; 18h ago
[  OK  ] DietPi-Services | dropbear             active (running) since Mon 2025-11-24 11:53:18 CET; 18h ago
[ INFO ] DietPi-Services | dietpi-vpn           inactive (dead)
[ INFO ] DietPi-Services | dietpi-cloudshell    inactive (dead)
[  OK  ] DietPi-Services | dietpi-dashboard     active (running) since Mon 2025-11-24 11:53:18 CET; 18h ago
[  OK  ] DietPi-Services | dietpi-ramlog        active (exited) since Mon 2025-11-24 11:52:45 CET; 18h ago
[  OK  ] DietPi-Services | dietpi-preboot       active (exited) since Mon 2025-11-24 11:52:45 CET; 18h ago
[  OK  ] DietPi-Services | dietpi-postboot      active (exited) since Mon 2025-11-24 11:53:18 CET; 18h ago
[ INFO ] DietPi-Services | dietpi-wifi-monitor  inactive (dead)
root@DietPi:~# echo $G_DISTRO_NAME $G_RASPBIAN
trixie
root@DietPi:~#

THX

Torben

I quite often used apt modernize-sources.

Sometimes afterwards, apt update gave a message
Notice: Missing Signed-By in the sources.list(5) entry for 'https://deb.debian.org/debian'

The reason for this then was that in the file
/etc/apt/sources.list.d/debian-backports.sources
there was the line Signed-By: empty.
I had to change it to
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
and then all worked fine (i.e. the identical entry as in the file debian.sources).
The file /usr/share/keyrings/debian-archive-keyring.gpg should exist (at least a logical link of that name) on your system.


I did look at

/etc/apt/sources.list.d/dietpi.list

but the only information there is:

deb https://dietpi.com/apt trixie main

and

/etc/apt/sources.list
deb https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware

Torben

I got the message after I executed apt modernize-sources. Then the system generates sources files in a different format.

Example: The “modernized” file /etc/apt/sources.list.d/debian-backports.sources e.g. then looks like

# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

after I corrected it.


I did a test with “n”:

root@DietPi:~# apt modernize-sources
The following files need modernizing:
  - /etc/apt/sources.list
  - /etc/apt/sources.list.d/dietpi.list

Modernizing will replace .list files with the new .sources format,
add Signed-By values where they can be determined automatically,
and save the old files into .list.bak files.

This command supports the 'signed-by' and 'trusted' options. If you
have specified other options inside [] brackets, please transfer them
manually to the output files; see sources.list(5) for a mapping.

For a simulation, respond N in the following prompt.
Rewrite 2 sources? [Y/n]
Simulating only...
Modernizing /etc/apt/sources.list...

# Would write to: /etc/apt/sources.list.d/debian.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

# Would write to: /etc/apt/sources.list.d/debian.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

# Would write to: /etc/apt/sources.list.d/debian.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian-security/
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

# Would write to: /etc/apt/sources.list.d/debian-backports.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By:
Warning: Could not determine Signed-By for URIs: https://deb.debian.org/debian/, Suites: trixie-backports

Modernizing /etc/apt/sources.list.d/dietpi.list...

# Would write to: /etc/apt/sources.list.d/dietpi.sources
Types: deb
URIs: https://dietpi.com/apt/
Suites: trixie
Components: main
Signed-By: /etc/apt/trusted.gpg.d/dietpi.asc

There is a warning:

Warning: Could not determine Signed-By for URIs: https://deb.debian.org/debian/, Suites: trixie-backports

Torben

That’s the message I described above to get rid of by editing the debian-backports.sources file.

@StephanStS - Thanks

/etc/apt/sources.list.d/debian-backports.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By: 

so I just need to add: Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

It now shows:

root@DietPi:~# apt modernize-sources
All sources are modern.
root@DietPi:~#

Torben

As far as I know, it is not necessary to switch to modernize-sources at this point, and there is no real reason to do so. Furthermore, the DietPi scripts expect the “old” apt source files, and using modernize-sources can lead to “challenges.” We have already had a few cases where this caused problems. @MichaIng can certainly explain this better.


Right, please revert anything apt modernize-sources did, it will cause issues, duplicate lists, missing updates/fixes, failing distro upgrades etc.

We will add support at some point and then migrate the lists we manage correctly. No need/reason/benefit to do this manually.

EDIT:
@TRHH did it really split the Debian repo lists like that into individual blocks for each suite? This breaks one of the main benefits the DEB822 format has, hence I am wondering. Debian lists should be possible like that, with only 2 blocks, since there are only two different URLs:

Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-trixie-automatic.gpg

Types: deb
URIs: https://deb.debian.org/debian-security
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-trixie-security-automatic.gpg

I did copy everything that the system did above. It looks like this:

Torben

Is this the correct roll-back:

/etc/apt/sources.list.d/debian.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian-security/
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

to

Types: deb
URIs: https://deb.debian.org/debian-security
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-trixie-security-automatic.gpg

and

/etc/apt/sources.list.d/debian-backports.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

to

Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-trixie-automatic.gpg

Torben

No, this was just the conversion to DEB822 I was expecting. But indeed, it does a very bad job, no idea why:

Modernizing /etc/apt/sources.list...

# Would write to: /etc/apt/sources.list.d/moved-from-main.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie
Components: main contrib non-free non-free-firmware
Signed-By:

# Would write to: /etc/apt/sources.list.d/moved-from-main.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By:

# Would write to: /etc/apt/sources.list.d/moved-from-main.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian-security/
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By:

# Would write to: /etc/apt/sources.list.d/moved-from-main.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By:

That is a pretty inefficient “modernization”. That multiple suites are possible per block, instead of previously only 1 suite per line (duplicating the components), is one of the arguments for this new format. It however almost only applies to the Debian repo itself, while 3rd party repos almost never use multiple suites anyway. And then this apt modernize-sources does not even make use of this possibility but creates its own block for every suite instead. Just tested on Forky, and it has not become better. Hence 4 lines become 24 lines :smile:. However, as said, we will do this via dietpi-update once our scripts support it, making use of the DEB822 formatting features.

For you to revert:

  • Delete all *.sources files
  • Restore all *.bak files

There is a /etc/apt/sources.list.bak as well, right?

Yes:

/etc/apt/sources.list.bak
deb https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware

Torben

Sorry, I don’t know what you want me to do?

THX

Torben

Exactly what it says there. Delete all *.sources files and rename the *.bak files, like removing the *.bak at the end so that they are pure *.list files again.

Or like this:

cd /etc/apt
rm -v sources.list.d/*.sources
for i in *.list.bak sources.list.d/*.list.bak; do mv -v "$i" "${i%.bak}"; done
apt update # for testing

Big THANKS:

root@DietPi:~# cd /etc/apt
rm -v sources.list.d/*.sources
for i in *.list.bak sources.list.d/*.list.bak; do mv -v "$i" "${i%.bak}"; done
apt update # for testing
rm: cannot remove 'sources.list.d/*.sources': No such file or directory
renamed 'sources.list.bak' -> 'sources.list'
renamed 'sources.list.d/dietpi.list.bak' -> 'sources.list.d/dietpi.list'
Get:1 https://deb.debian.org/debian trixie InRelease [140 kB]
Get:2 https://deb.debian.org/debian trixie-updates InRelease [47.3 kB]
Get:3 https://deb.debian.org/debian-security trixie-security InRelease [43.4 kB]
Get:4 https://deb.debian.org/debian trixie-backports InRelease [54.0 kB]
Get:5 https://dietpi.com/apt trixie InRelease [2140 B]
Get:6 https://deb.debian.org/debian trixie/contrib amd64 Packages [53.8 kB]
Get:7 https://deb.debian.org/debian trixie/non-free-firmware amd64 Packages [6888 B]
Get:8 https://deb.debian.org/debian trixie/main amd64 Packages [9670 kB]
Get:9 https://dietpi.com/apt trixie/main amd64 Packages [3964 B]
Get:10 https://deb.debian.org/debian trixie/non-free amd64 Packages [100 kB]
Get:11 https://deb.debian.org/debian trixie-updates/main amd64 Packages [5412 B]
Get:12 https://deb.debian.org/debian-security trixie-security/non-free-firmware amd64 Packages [544 B]
Get:13 https://deb.debian.org/debian-security trixie-security/main amd64 Packages [71.8 kB]
Get:14 https://deb.debian.org/debian trixie-backports/main amd64 Packages [116 kB]
Get:15 https://deb.debian.org/debian trixie-backports/contrib amd64 Packages [5248 B]
Get:16 https://deb.debian.org/debian trixie-backports/non-free-firmware amd64 Packages [3648 B]
Get:17 https://deb.debian.org/debian trixie-backports/non-free amd64 Packages [1288 B]
Fetched 10.3 MB in 2s (4768 kB/s)
All packages are up to date.
root@DietPi:/etc/apt#

Torben

PS: Sorry for the trouble

How it looks:

/etc/apt/sources.list.d/dietpi.list

deb https://dietpi.com/apt trixie main

/etc/apt/sources.list

deb https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware

Torben

Please check whether there are still files ending *.sources in the folder /etc/apt/ and its subfolder /etc/apt/sources.list.d/.

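
A read-only check for the state the last posts ask about, as an added example that is not part of the thread: it lists leftover *.sources and *.list.bak files under an APT directory and flags any DEB822 stanza whose Signed-By is empty, as happened for trixie-backports above. The function names are hypothetical, and treating every *.sources file as a finding assumes, as stated in the thread, that the DietPi scripts expect the old .list format.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print every DEB822 stanza in file $1 whose Signed-By is missing or empty.
# An embedded key (Signed-By: followed by indented lines) counts as set.
empty_signed_by() {
    awk -v file="$1" '
        function flush() {
            if (seen && signed == "")
                printf "%s: no Signed-By for URIs=%s Suites=%s\n", file, uris, suites
            seen = 0; field = ""; signed = ""; uris = ""; suites = ""
        }
        /^[ \t]*$/ { flush(); next }     # blank line ends the stanza
        /^#/       { next }              # comment
        /^[ \t]/   { if (field == "signed-by") signed = signed $0; next }
        {
            seen = 1
            pos = index($0, ":")
            field = tolower(substr($0, 1, pos - 1))
            value = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (field == "signed-by") signed = value
            else if (field == "uris") uris = value
            else if (field == "suites") suites = value
        }
        END { flush() }
    ' "$1"
}

# Report leftovers of "apt modernize-sources" under APT directory $1.
# Returns 1 if any *.sources or *.list.bak file is found, else 0.
audit_apt_dir() {
    dir=${1:-/etc/apt}
    status=0
    for f in "$dir"/*.sources "$dir"/sources.list.d/*.sources; do
        [ -e "$f" ] || continue
        echo "deb822 file present: $f"
        empty_signed_by "$f"
        status=1
    done
    for f in "$dir"/*.list.bak "$dir"/sources.list.d/*.list.bak; do
        [ -e "$f" ] || continue
        echo "backup not restored: $f"
        status=1
    done
    return "$status"
}
# Usage: audit_apt_dir /etc/apt
```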