Each active line in the /etc/apt/sources.list file represents a package source (repository) and is made of at least three parts separated by spaces. For a complete description of the file format and the accepted entry compositions see sources.list(5).
例 6.1. Example entry format in /etc/apt/sources.list
deb url distribution component1 component2 component3 [..] componentX
deb-src url distribution component1 component2 component3 [..] componentX
package source (repository) of binary packages
package source (repository) of source packages
The second field gives the base URL of the source. Combined with the filenames listed in the Packages.xz files, it must give a full and valid URL. This can consist in a Debian mirror or in any other package archive set up by a third party. The URL can start with file:// to indicate a local source installed in the system's file hierarchy, with http:// or https:// to indicate a source accessible from a web server server, or with ftp:// or ftps:// for a source available on an FTP server. The URL can also start with cdrom: for CD-ROM/DVD/Blu-ray disc based installations, although this is less frequent, since network-based installation methods are eventually more common.
The syntax of the last field depends on the structure of the repository. In the simplest case, you can simply indicate a subdirectory (with a required trailing slash) of the desired source. This is often a simple “./” which refers to the absence of a subdirectory. The packages are then directly at the specified URL. But in the most common case, the repositories will be structured like a Debian mirror, with multiple distributions, each having multiple components. In those cases, name the chosen distribution by its “codename” — see the list in sidebar 社区 Bruce Perens，一位有争议的领导者 — or by the corresponding “suite” oldstable, stable, testing, unstable) and then the components to enable. A typical Debian mirror provides the components main, contrib, and non-free.
关键词 main, contrib 和 non-free 存档
Debian uses three components to differentiate packages according to the licenses chosen by the authors of each work. Main gathers all packages which fully comply with the Debian Free Software Guidelines.
The non-free component is different because it contains software which does not (entirely) conform to these principles but which can, nevertheless, be distributed without restrictions. This archive, which is not officially part of Debian, is a service for users who could need some of those programs and, nowadays, also require the firmware for their hardware. However, Debian always recommends giving priority to free software. The existence of this component represents a considerable problem for Richard M. Stallman and keeps the Free Software Foundation from recommending Debian to users.
Contrib (contributions) is a set of open source software which cannot function without some non-free elements — these elements can be software from the non-free section, or non-free files such as game ROMs, BIOS of consoles, etc. — or some elements, not available from the Debian main archive at all. The contrib component also includes free software whose compilation requires proprietary elements. This was initially the case for the OpenOffice.org office suite, which used to require a proprietary Java environment.
TIP /etc/apt/sources.list.d/*.list 文件
如果很多个软件包的源库在被引用，将它们分成多个文件会很实用。每一部分存在/etc/apt/sources.list.d/文件名.list （参见边栏基本 结尾是 .d 的文件夹名称)。
cdrom 条目描述了你所有的CD/DVD光盘。 与其他条目不同，因为一个CD光盘需要插入光驱中，并且每次只能读一张，所以并不总是可用。因此这种仓库管理起来稍有不同，需要加在apt-cdrom 程序中，经常与add 参数一起执行。后者会要求驱动中插入光盘，并会浏览内容，寻找Packages 文件。这些文件会用于更新可用软件包的数据库（此过程由apt update 命令执行）。 自此， 如果某软件包需要光盘，APT 可发出要求插入光驱。
6.1.2. 给Stable 使用者的仓库
下面是一个标准的sources.list文件，它被用于 Stable 版本的 Debian 系统：
例 6.2. /etc/apt/sources.list 给 Debian Stable 使用者的文件
# Security updates
deb http://security.debian.org/ buster/updates main contrib non-free
deb-src http://security.debian.org/ buster/updates main contrib non-free
## Debian mirror
# Base repository
deb https://deb.debian.org/debian buster main contrib non-free
deb-src https://deb.debian.org/debian buster main contrib non-free
# Stable updates
deb https://deb.debian.org/debian buster-updates main contrib non-free
deb-src https://deb.debian.org/debian buster-updates main contrib non-free
# Stable backports
deb https://deb.debian.org/debian buster-backports main contrib non-free
deb-src https://deb.debian.org/debian buster-backports main contrib non-free
This file lists all sources of packages associated with the Buster version of Debian (the current Stable suite as of this writing). In the example above, we opted to name “buster” explicitly instead of using the corresponding “stable“ aliases (stable, stable-updates, stable-backports) because we don't want to have the underlying distribution changed outside of our control when the next stable release comes out.
本节提到的稳定Stable 对于Oldstable 一样适用。后者只是同时维护的较旧Stable 版本。
Debian takes security seriously. Known software vulnerabilities in Debian are tracked in the Security Bug Tracker and usually get fixed in a reasonable timeframe. The security updates are not hosted on the usual network of Debian mirrors but on security.debian.org, a small set of machines maintained by the Debian System Administrators. This archive contains security updates prepared by the Debian Security Team and/or by package maintainers for the Stable and Oldstable distribution.
The server can also host security updates for Testing but this doesn't happen very often since those updates tend to reach the Testing suite via the regular flow of updates coming from Unstable.
For serious issues, the security team issues a Debian Security Advisory (DSA) and announces it together with the security update on the firstname.lastname@example.org mailing list (archive).
This repository will typically contain fixes for critical and serious bugs which could not be fixed before release or which have been introduced by subsequent updates. Depending on the urgency, it can also contain updates for packages that have to evolve over time, like spamassassin's spam detection rules, clamav's virus database, the daylight-saving time rules of all timezones (tzdata), the ESR version of Firefox (firefox-esr) or cryptographic keyrings like debian-archive-keyring.
In practice, this repository is a subset of the proposed-updates repository, carefully selected by the Stable Release Managers. All updates are announced on the email@example.com mailing list (archive) and will be included in the next Stable point release anyway.
deb https://deb.debian.org/debian buster-updates main contrib non-free
Anyone can use this repository to test those updates before their official publication. The extract below uses the buster-proposed-updates alias which is both more explicit and more consistent since stretch-proposed-updates also exists (for the Oldstable updates):
deb https://deb.debian.org/debian buster-proposed-updates main contrib non-free
22.214.171.124. 向后移植到稳定版(Stable Backports)
When the distribution becomes a little dated, numerous software projects have released new versions that are not integrated into the current Stable suite, which is only modified to address the most critical problems, such as security issues. Since the Testing and Unstable suites can be more risky, package maintainers sometimes voluntarily offer recompilations of recent software applications for Stable, which has the advantage to users and system administrators to limit potential instability to a small number of chosen packages. The page https://backports.debian.org provides more information.
Backports from stable-backports are only created from packages available in Testing. This ensures that all installed backports will be upgradable to the corresponding stable version once the next stable release of Debian is available.
Even though this repository provides newer versions of packages, APT will not install them unless you give explicit instructions to do so (or unless you have already done so with a former version of the given backport):
$ sudo apt-get install package/buster-backports
$ sudo apt-get install -t buster-backports package
6.1.3. 给测试/非稳定 版本用户的仓库
下面是一个标准 sources.list文件，用于系统运行 Debian 测试或非稳定 版本：
例 6.3. Debian Testing/Unstable 用户的 /etc/apt/sources.list文件
deb https://deb.debian.org/debian unstable main contrib non-free
deb-src https://deb.debian.org/debian unstable main contrib non-free
deb https://deb.debian.org/debian testing main contrib non-free
deb-src https://deb.debian.org/debian testing main contrib non-free
# Testing security updates
deb http://security.debian.org/ testing-security main contrib non-free
deb-src http://security.debian.org/ testing-security main contrib non-free
deb https://deb.debian.org/debian stable main contrib non-free
deb-src https://deb.debian.org/debian stable main contrib non-free
# Stable security updates
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
NOTE Layout of security repositories
Starting with Debian 11 Bullseye, the codename of the repository providing security updates has been renamed from codename/updates into codename-security to avoid the confusion with codename-updates (see 第 126.96.36.199 节 “稳定更新”).
With this sources.list file APT will install packages from the Unstable suite. If that is not desired, use the APT::Default-Release setting (see 第 6.2.3 节 “系统升级”) to instruct APT to pick packages from another suite (most likely Testing in this case).
应该纳入这些典藏库，即使一个也该这么做。测试版 用户将感谢管理者从 不稳定版 中挑选修改过的软件包，当 测试版 受到错误的干扰时。反过来说，被无预期错误干扰的 不稳定版 用户，可能降级至他们 (若以此工作) 使用的 测试版 软件包。
The inclusion of Stable is more debatable but it often gives access to some packages, which have been removed from the development versions. It also ensures that you get the latest updates for packages, which have not been modified since the last stable release.
188.8.131.52. 实验 仓库
实验性 典藏所的软件包是所有 Debian 镜射站的内容，包括因为品质关系尚未被纳入 不稳定版 的软件包 — 通常是发展中的软件版本或前置版 (alpha、beta、待发布…)。修改过的软件包多少有点问题，可送至此处。在高端用户的协助下，维护者努力找出该等问题。经过第一阶段后，把软件包移至 不稳定版，更多的用户以更详细的方式测试它。
不在乎系统崩盘并有能力自行修复的用户，就会取用 实验性 的软件包。用户导入此等软件包并测试其功能、检查是否满足其需求。这就是 Debian 的诉求，加入 APT 的 sources.list 内，并不表示该软件包可顺利使用，应加入这一个行：
deb https://deb.debian.org/debian experimental main contrib non-free
6.1.4. Using Alternate Mirrors
The sources.list examples in this chapter refer to package repositories hosted on deb.debian.org. Those URLs will redirect you to servers which are close to you and which are managed by Content Delivery Networks (CDN) whose main role is to store multiple copies of the files across the world, and to deliver them as fast as possible to users. The CDN companies that Debian is working with are Debian partners who are offering their services freely to Debian. While none of those servers are under direct control of Debian, the fact that the whole archive is sealed by GPG signatures makes it a non-issue.
Picky users who are not satisfied with the performance of deb.debian.org can try to find a better mirror in the official mirror list:
But when you don't know which mirror is best for you, this list is of not much use. Fortunately for you, Debian maintains DNS entries of the form ftp.country-code.debian.org (e.g. ftp.us.debian.org for the USA, ftp.fr.debian.org for France, etc.) which are covering many countries and which are pointing to one (or more) of the best mirrors available within that country.
As an alternative to deb.debian.org, there used to be httpredir.debian.org. This service would identify a mirror close to you (among the list of official mirrors, using GeoIP mainly) and would redirect APT's requests to that mirror. This service has been deprecated due to reliability concerns and now httpredir.debian.org provides the same CDN-based service as deb.debian.org.
6.1.5. 非官方来源： mentors.debian.net
There are numerous non-official sources of Debian packages set up by advanced users who have recompiled some software (Ubuntu made this popular with their Personal Package Archive (PPA) service, by programmers who make their creation available to all, and even by Debian developers who offer pre-versions of their package online.
The mentors.debian.net site is interesting (although it only provides source packages), since it gathers packages created by candidates to the status of official Debian developer or by volunteers who wish to create Debian packages without going through that process of integration. These packages are made available without any guarantee regarding their quality; make sure that you check their origin and integrity and then test them before you consider using them in production.
社区 debian.net 站点
debian.net 域名不是一个 Debian 项目的官方源。每个 Debian 开发者都可基于自己用途而使用此域名。这些网址包含一些非官方服务（有时为个人站点），其主机不属于项目本身而由 Debian 开发者设置，甚至还有将要迁移到debian.org的项目原型。有两个理由来解释为什么这些项目原型会留在debian.net：或者是没有人做出足够的努力将其迁移到官方服务（ 位于debian.org 域名上，具备一定维护保证），或者是服务争议太大以至于无法官方化。
安装一个包意味着需要给包的创建者以 root 权限，因为其决定了以该身份运行的初始化脚本的内容。官方的 Debian 包由志愿者创建，志愿者经过指派和评估，且能封装软件包，因而软件包的来源与完整性可以确认。
In general, be wary of a package whose origin you don't know and which isn't hosted on one of the official Debian servers: evaluate the degree to which you can trust the creator, and check the integrity of the package.
The snapshot.debian.org service, introduced in April 2010, can be used to “go backwards in time” and to find an old version of a package not longer contained in the Debian archives. It can be used, for example, to identify which version of a package introduced a regression, and more concretely, to come back to the former version while waiting for the regression fix.
6.1.6. Debian 软件包 缓存 代理
您可以配置 APT 使用一个“标准”的代理（参见第 6.2.4 节 “配置选项” 获取 APT 相关内容，参见第 11.6 节 “HTTP/FTP Proxy”获取代理相关内容），Debian 体系提供了一个解决问题的更佳手段。本段中所述的专用软件比普通的代理缓存更加智能，因为它们可依赖于 APT 软件源的特定结构（例如，它们了解单独的文件在什么时间废弃与否，并由此来调整在保持阶段的时间）。
apt-cacher与apt-cacher-ng的工作方式类似代理缓存服务器。对于外部请求，APT 的sources.list 保持不变，但是 APT 被配置为把它们作为代理使用。
另一方面，approx，工作方式则类似一个 HTTP 服务器，其在它的顶级 URL 地址上“镜像”任意数量的远程软件源。这些顶级目录与远程 URL 之间的映射存储于/etc/approx/approx.conf中：
approx runs by default on port 9999 via a systemd socket and requires the users to adjust their sources.list file to point to the approx server:
# Sample sources.list pointing to a local approx server
deb http://localhost:9999/security buster/updates main contrib non-free
deb http://localhost:9999/debian buster main contrib non-free