Debian-Ubuntu: Debian and Debian-Based Distro Administration
Administer Debian, Ubuntu, Linux Mint, Pop!_OS, Devuan, and other Debian-derived systems,
with partial coverage for Kali when the question is about base OS administration rather than
security-distro workflow. Focus on Debian stable and Ubuntu LTS first, then layer in
derivative-specific behavior, PPA workflows, snap confinement, Ubuntu HWE, and explicit checks
for derivatives that diverge on init, packaging defaults, or intended use.
Versions worth pinning (verified June 2026):
Only pin versions here when they materially affect compatibility or troubleshooting shape. For
ordinary Debian and Ubuntu package work, prefer the live distro lane and package policy over a
stale package-version table.
Component
Version
Why it matters
Debian stable
13 (trixie)
current stable baseline and repo behavior
Ubuntu LTS
26.04 (Resolute Raccoon)
current LTS baseline for most Ubuntu guidance
Ubuntu interim lane
verify live
interim releases move fast; check the active upgrade path instead of memorizing one short-lived codename
Ubuntu HWE lane
verify live
kernel metapackage and hardware-enablement behavior matter more than one exact kernel number
NVIDIA driver branch
verify live
proprietary branch choice affects Wayland, gaming, and DKMS behavior
Mesa stack
verify live
AMD and Intel graphics behavior tracks the shipped Mesa lane
Remote gaming and input: Moonlight, Sunshine, Steam Remote Play, controllers
Base Linux ops on Debian-style systems: journalctl, dmesg, lsblk, update-alternatives
When NOT to use
Shell syntax, quoting, or script portability - use command-prompt
Network architecture, DNS, VPNs, reverse proxies, or firewall design - use networking
Docker, Podman, image builds, or container runtime - use docker
Kubernetes cluster or manifest work - use kubernetes
Fleet-wide Linux configuration via playbooks - use ansible
Security review, vulnerability triage, or offensive testing - use security-audit or lockpick
RPM-family distros and tooling - use rhel-fedora. That includes RHEL, Fedora, Rocky, AlmaLinux, Oracle Linux, and Amazon Linux.
Ubuntu Core and snap-only transactional workflows - outside this skill; do not treat them like ordinary apt-managed Ubuntu hosts
NixOS or declarative system management - use nixos-btw
Kali offensive tooling, pentest workflow, or training-image specifics - use kali-linux
OPNsense or pfSense appliance work - use firewall-appliance
AI Self-Check
Before returning Debian or Ubuntu commands, verify:
Distro and release identified: Debian stable/testing/unstable, Ubuntu LTS/interim, Mint, Pop!_OS, Devuan, Kali, or another derivative. Advice diverges quickly.
Init system identified: do not assume systemd on Devuan or other Debian derivatives without checking PID 1, service manager, and boot tooling first.
Release model respected: do not suggest apt upgrade when apt full-upgrade or apt dist-upgrade is required for package transitions. Do not suggest apt dist-upgrade casually on Ubuntu without context.
Ubuntu 24.04 -> 26.04 delta accounted for: Ubuntu 24.04 LTS upgraders inherit 24.10, 25.04, 25.10, and 26.04 changes. Do not treat 26.04 as a small point refresh of 24.04.
Repository state clean: no broken apt lists, missing GPG keys, or mixed releases without pinning.
Boot stack identified: GRUB vs other loader, EFI vs BIOS, initramfs generator, and kernel metapackage before changing boot files.
Fallback path exists: do not remove the only known-good kernel or break the only boot entry on a remote system.
PPA trust boundary respected: review PPA source, key, and maintenance status before adding.
systemd scope is correct: distinguish system units from user units and use systemctl --user only when appropriate.
Wayland stack is coherent: compositor, portal backend, Xwayland compatibility, and user-session services line up.
Session startup path identified: display manager, greeter, or TTY launch path known before debugging env propagation.
Audio stack is coherent: PipeWire, pipewire-pulse, and WirePlumber are not fighting a leftover PulseAudio setup.
Bluetooth path is complete: bluetooth.service alone is not enough if audio routing, trust, pairing, or profile selection is broken.
GPU stack matches hardware: proprietary NVIDIA vs nouveau vs Mesa. Verify actual driver in use before debugging graphics issues.
Gaming stack includes 32-bit userspace when needed: Steam and Proton failures often come from missing i386 graphics libraries.
Capture stack is coherent: portal backend, PipeWire, WebRTC or Electron client path, and any virtual camera module choice line up.
Suspend and hibernation claims are real: hibernation advice matches actual swap layout, initramfs resume hook, and Secure Boot state.
AppArmor state is considered: on Ubuntu, AppArmor denials can silently break services, snaps, or custom binaries.
Snap confinement is not ignored: when a snap misbehaves, check interfaces and confinement level before reinstalling.
Ubuntu desktop session assumptions are current: on Ubuntu 26.04 Desktop, do not assume a stock Xorg session or the old Software & Updates GUI are present by default.
HWE kernel path is understood: Ubuntu HWE stacks transition kernel metapackages. Know whether the system tracks generic or hwe.
Diagnostic errors are not silenced: do not mask failures with 2>/dev/null on commands whose error reason matters. Use 2>&1 || true to surface errors without aborting.
Firmware updates are not conflated with package updates: fwupd and vendor tools (e.g., system76-firmware) are separate from apt upgrade.
Debian alternatives are checked: when a command behaves oddly, verify update-alternatives for that binary.
Current source checked: dated versions, CLI flags, API names, and support windows are verified against primary docs before repeating them
Hidden state identified: local config, credentials, caches, contexts, branches, cluster targets, or previous runs are made explicit before acting
Verification is real: final checks exercise the actual runtime, parser, service, or integration point instead of only linting prose or happy paths
Routing overlap checked: overlapping skills, trigger terms, and "When NOT to use" boundaries are checked before returning guidance
Spec claims verified: claims about tool behavior, output contracts, or repo conventions are checked against current docs, scripts, or skill files
Release support checked: Debian/Ubuntu/Mint/Pop advice matches current lifecycle and enabled repositories
Third-party repo risk handled: PPAs, snaps, vendor repos, and pin priorities are explicit
Performance
Use apt-cache policy, apt list --upgradable, and targeted installs before broad reinstall attempts.
Keep package index updates scoped; repeated apt update in scripts wastes time and load.
For slow upgrades, identify held packages and phased updates before forcing resolver choices.
Best Practices
Do not mix Debian releases or Ubuntu series unless apt pinning is deliberate and documented.
Snapshot or back up before release upgrades, kernel changes, filesystem work, or bootloader repair.
Prefer distro packages for core system components; isolate vendor repos to the packages they own.
Workflow
Step 1: Identify the distro lane first
Distro
Default stance
What changes
Debian stable
Conservative, pin-oriented
stable repo only unless testing/unstable explicitly requested. Backports for select packages.
Debian testing
Rolling-ish, with freezes
Closer to Ubuntu but without Ubuntu-specific tooling.
Debian unstable (sid)
True rolling
No release, just sid. Higher breakage risk.
Ubuntu LTS
Default baseline
do-release-upgrade for release jumps. Treat Ubuntu 26.04 as the current baseline, but remember that 24.04 LTS upgraders also inherit 24.10, 25.04, and 25.10 changes. HWE kernel optional. Snap presence.
Ubuntu interim
Short-lived
Common stepping stone into the current LTS. Quick to EOL.
Linux Mint
Ubuntu LTS derivative
Cinnamon/XFCE focus. Mint-specific repos and update manager. PPAs from Ubuntu often work.
Pop!_OS
Ubuntu derivative with extras
System76 firmware, COSMIC desktop, Pop repos, system76-power. NVIDIA ISO available.
Devuan
Debian derivative with a major service-model split
Do not assume systemd, systemctl, or Ubuntu-style desktop/session plumbing. Verify init and service tooling first.
Kali
Debian-derived security distro
Fine for base apt, kernel, boot, or service administration, but use kali-linux for Kali-specific branches, images, metapackages, training-image workflow, and offensive-distro context.
If the host is Ubuntu 24.04 LTS or the user is planning a 24.04 -> 26.04 move, load
references/derivatives-and-hwe.md early. That path bundles interim-release churn, desktop-session
changes, app swaps, and GUI-tool changes that do not show up if you treat 26.04 like a routine
point upgrade.
When a bug looks desktop-only, compare one clean baseline:
GNOME vs KDE vs Cinnamon vs COSMIC
browser WebRTC vs packaged client
plain game launch vs Gamescope or MangoHud
stock kernel vs HWE kernel
Default Decisions
Debian stable means conservative updates. Pin when mixing repos. Use backports selectively. Avoid testing or sid packages on stable without a transition plan.
Ubuntu LTS means predictable cadence. Ubuntu 26.04 is the current baseline, but 24.04 -> 26.04 upgrades bundle three interim releases plus the final LTS delta. Expect bigger desktop, app, and workflow changes than the version jump alone suggests.
Ubuntu Desktop assumptions changed in 26.04. Stock Ubuntu Desktop is Wayland-only, and the old Software & Updates GUI is no longer installed by default on new installs. GUI-first troubleshooting advice from 24.04-era blog posts may be wrong on fresh 26.04 systems.
Use systemd-native tools first. Reach for systemctl, journalctl, timedatectl, and localectl before distro wrappers.
Treat PPAs as exceptions, not defaults. Review maintainer, signing key, freshness, and package origin before adding one. Remove dead PPAs promptly.
Prefer distro packages before third-party repos. Use Debian backports, Ubuntu official repos, or vendor packages first; escalate to PPAs only when the distro lane is genuinely insufficient.
Treat snaps as sandboxed first. Interface and confinement issues explain more snap failures than package bugs.
GRUB and initramfs are one subsystem. Kernel metapackage, update-initramfs, update-grub, and EFI fallback all have to agree.
Desktop failures are often session failures. On Wayland, user units, portals, and session env matter as much as the package list.
Gaming failures are often stack mismatches. Wrong driver branch, missing i386 userspace, absent firmware, or broken Proton path is more common than "Linux gaming is bad."
Capture failures are portal/PipeWire failures. OBS, browser WebRTC, Discord, and Teams often fail at the screencast path.
AppArmor is invisible until it is not. On Ubuntu, check aa-status and journal denials when a service or binary mysteriously fails.
Firmware is separate from packages.fwupd and vendor tools update hardware firmware. Do not expect apt upgrade to fix BIOS or SSD firmware.
Config merge needed? ucf or dpkg --configure -a. Check unit overrides and journalctl -b
Won't boot after kernel work
GRUB menu, fallback kernel, initramfs. From live media, mount root and the ESP, then bind-mount /dev, /proc, /sys, and /run before chroot; use the boot recovery reference instead of a one-line chroot recipe.
PPA broke the system
ppa-purge if available, or manual downgrade + remove after checking package origin with apt-cache policy
references/remote-gaming-input-and-tooling.md - Moonlight, Sunshine, controllers, Steam Remote Play
references/base-linux-and-cli.md - core Linux inspection commands and Debian tools such as update-alternatives
references/gotchas-and-special-situations.md - recurring Debian/Ubuntu failure patterns and edge cases
Output Contract
See references/output-contract.md for the full contract.
Skill name: DEBIAN-UBUNTU
Deliverable bucket:audits
Mode: conditional. When invoked to analyze, review, audit, or improve existing repo content, emit the full contract - boxed inline header, body summary inline plus per-finding detail in the deliverable file, boxed conclusion, conclusion table - and write the deliverable to docs/local/audits/debian-ubuntu/<YYYY-MM-DD>-<slug>.md. When invoked to answer a question, teach a concept, build a new artifact, or generate content, respond freely without the contract.
Severity scale:P0 | P1 | P2 | P3 | info (see shared contract; only used in audit/review mode).
Related Skills
command-prompt - shell syntax, zsh or bash behavior, script portability
docker - container runtime and image concerns instead of host distro administration
kubernetes - cluster and manifest work that sits above host OS administration
ansible - codifying Linux changes across many machines
security-audit - hardening and security review rather than normal package/service administration
rhel-fedora - RPM-family distro administration rather than Debian-family behavior
nixos-btw - NixOS and declarative Nix system management rather than apt-based administration
kali-linux - Kali-specific branch, image, and offensive-workflow concerns
firewall-appliance - OPNsense and pfSense appliance work rather than Linux host administration
arch-btw - Arch Linux and CachyOS administration (the upstream inspiration for this skill)
update-docs - after substantial system administration changes that introduce new operational gotchas
Rules
Identify the distro and release before prescribing commands. Debian stable, testing, sid, Ubuntu LTS or interim, Mint, Pop!_OS, Devuan, and Kali differ where it matters: repos, init systems, kernels, and recovery assumptions.
No mixed-release advice without pinning context. Adding testing or sid sources to Debian stable without apt pinning is usually wrong.
Keep PPAs in perspective. Prefer distro packages, Debian backports, or vendor-supported repos first. Use PPAs only when the distro lane is genuinely insufficient, and verify package origin before adding one.
Know the boot chain before touching it. Confirm GRUB stage, ESP mount, kernel metapackage, initramfs hooks, and EFI fallback path first.
Never remove the last known-good kernel path casually. Especially on remote or encrypted systems.
Prefer systemd-native diagnostics.systemctl, journalctl, and update-grub usually tell you more than distro wrappers or generic forum folklore.
Ubuntu 26.04 changed some desktop defaults in ways that affect support. Do not assume a stock Ubuntu Xorg session, the old Software & Updates GUI, or 24.04-era desktop app names are still present on fresh installs.
Ubuntu HWE is opt-in complexity. Treat HWE kernels as additions that must be validated, not magic defaults.
For Wayland issues, inspect the user session first. Portals, user units, and Xwayland compatibility usually matter more than package reinstall churn.
For gaming issues, identify the GPU vendor and userspace first. Driver branch, Vulkan stack, i386 multilib, and launch wrappers usually explain more than random tweak cargo cults.
For capture issues, debug portals and PipeWire before app folklore. OBS, browser WebRTC, Discord, and Teams often fail at the screencast path.
AppArmor can silently break things. On Ubuntu, check aa-status and AppArmor denials when a service or binary mysteriously fails.
Do not oversell hibernation or resume. These depend on exact swap layout, initramfs resume hook, and Secure Boot state.
Reach for common Debian/Ubuntu failure patterns before exotic explanations. Mixed repos, stale PPAs, DKMS drift, AppArmor denials, HWE metapackage mismatch, and snap confinement explain a large share of the chaos.