How to convert Debian APT sources to deb822 format

Converting Debian APT sources to deb822 format moves repository entries from one-line deb records into structured .sources stanzas. The change is useful when apt update --audit reports legacy source entries, when an image still uses /etc/apt/sources.list, or when repository signing needs a clearer Signed-By field.

APT reads /etc/apt/sources.list first, then supported files under /etc/apt/sources.list.d/. The traditional .list format remains supported, but deb822 files place Types, URIs, Suites, Components, and Signed-By on separate fields that are easier to review, disable, and manage with tools.

The apt modernize-sources command can convert valid one-line sources, write the result as .sources files, and keep .bak copies of the old files. Review third-party repositories before accepting the rewrite, because custom bracketed options may need manual translation instead of an automatic pass.

Steps to convert Debian APT sources to deb822 format:

  1. Run an APT source audit.
    $ sudo apt update --audit
    Get:1 http://deb.debian.org/debian trixie InRelease [140 kB]
    Get:2 http://deb.debian.org/debian trixie-updates InRelease [47.3 kB]
    Get:3 http://deb.debian.org/debian-security trixie-security InRelease [43.4 kB]
    ##### snipped #####
    Reading package lists...
    Building dependency tree...
    Reading state information...
    All packages are up to date.
    Audit: The sources.list(5) entry for 'http://deb.debian.org/debian' should be upgraded to deb822 .sources
    Audit: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'
    Audit: Some sources can be modernized. Run 'apt modernize-sources' to do so.

    Fix fetch errors, suite mismatches, or duplicate source entries before converting the files.

  2. Back up the current APT configuration directory.
    $ sudo cp -a /etc/apt /root/apt-backup-before-deb822

    apt modernize-sources creates .bak files for converted sources, but a full /etc/apt copy also preserves keyrings, preferences, and source fragments.

  3. Start the source modernizer.
    $ sudo apt modernize-sources
    The following files need modernizing:
      - /etc/apt/sources.list
    
    Modernizing will replace .list files with the new .sources format,
    add Signed-By values where they can be determined automatically,
    and save the old files into .list.bak files.
    
    This command supports the 'signed-by' and 'trusted' options. If you
    have specified other options inside [] brackets, please transfer them
    manually to the output files; see sources.list(5) for a mapping.
    
    For a simulation, respond N in the following prompt.
    Rewrite 1 sources? [Y/n] Y
    Modernizing /etc/apt/sources.list...
    - Writing /etc/apt/sources.list.d/debian.sources

    Stop at the prompt if the list includes a third-party source that needs manual review, especially one with bracketed options other than signed-by or trusted.

  4. Inspect the generated deb822 source file.
    $ cat /etc/apt/sources.list.d/debian.sources
    # Modernized from /etc/apt/sources.list
    Types: deb
    URIs: http://deb.debian.org/debian/
    Suites: trixie
    Components: main
    Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
    
    # Modernized from /etc/apt/sources.list
    Types: deb
    URIs: http://deb.debian.org/debian/
    Suites: trixie-updates
    Components: main
    Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
    
    # Modernized from /etc/apt/sources.list
    Types: deb
    URIs: http://deb.debian.org/debian-security/
    Suites: trixie-security
    Components: main
    Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

    If APT reports another output path, inspect that .sources file instead. The suites, components, and keyring should match the source entries that were active before conversion.

  5. Confirm the backup and active source file exist.
    $ ls /etc/apt/sources.list.bak /etc/apt/sources.list.d/debian.sources
    /etc/apt/sources.list.bak
    /etc/apt/sources.list.d/debian.sources

    A .bak suffix is outside the active .list and .sources extensions, so APT ignores the backup while keeping it available for rollback.

  6. Refresh package metadata with audit output enabled.
    $ sudo apt update --audit
    Hit:1 http://deb.debian.org/debian trixie InRelease
    Hit:2 http://deb.debian.org/debian trixie-updates InRelease
    Hit:3 http://deb.debian.org/debian-security trixie-security InRelease
    Reading package lists...
    Building dependency tree...
    Reading state information...
    All packages are up to date.

    The converted Debian sources are clean when the audit no longer reports modernization or missing Signed-By messages for those entries.
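
The checks behind steps 3 and 4, written out as an added example (not part of the original page and not code from APT): one function lists bracketed options on one-line entries that the modernizer will not carry over, the other lists deb822 stanzas that still lack Signed-By. The function names, the scratch directory, and the repo.example.invalid entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks around apt modernize-sources; paths and sample data are constructed.

# Print "file:line: option" for each bracketed option on a one-line entry other
# than signed-by/trusted, i.e. the ones that must be transferred by hand.
legacy_manual_options() {
    awk '/^[ \t]*deb(-src)?[ \t]+\[/ {
        lb = index($0, "["); rb = index($0, "]")
        n = split(substr($0, lb + 1, rb - lb - 1), opt, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            key = tolower(opt[i]); sub(/[-+]?=.*/, "", key)
            if (key != "" && key != "signed-by" && key != "trusted")
                printf "%s:%d: %s\n", FILENAME, FNR, opt[i]
        }
    }' "$@"
}

# Print "file:line: URI suite" for each deb822 stanza that has no Signed-By field.
unsigned_stanzas() {
    awk 'function report() {
            if (seen && !signed) printf "%s:%d: %s %s\n", file, start, uris, suites
            seen = signed = 0; uris = suites = ""
        }
        FNR == 1   { report() }            # a stanza never spans two files
        /^[ \t]*$/ { report(); next }      # blank line ends the stanza
        /^#/       { next }                # comment line
        !seen      { seen = 1; start = FNR; file = FILENAME }
        { f = tolower($1) }
        f == "signed-by:" { signed = 1 }
        f == "uris:"      { uris = $2 }
        f == "suites:"    { suites = $2 }
        END { report() }' "$@"
}

# Constructed sample files in a scratch directory (nothing under /etc/apt is touched).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed third-party entry' \
        'deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://repo.example.invalid/apt stable main' \
        'deb http://deb.debian.org/debian trixie main' > "$dir/vendor.list"
    printf '%s\n' 'Types: deb' 'URIs: http://deb.debian.org/debian/' 'Suites: trixie' \
        'Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg' '' \
        'Types: deb' 'URIs: https://repo.example.invalid/apt' 'Suites: stable' > "$dir/debian.sources"
    echo "$dir"
}

d=$(make_samples)
legacy_manual_options "$d"/*.list      # reports arch=amd64 on line 2
unsigned_stanzas "$d"/*.sources        # reports the stanza starting on line 6
rm -rf "$d"
```

On a real system, run the first function against /etc/apt/sources.list and any .list files under /etc/apt/sources.list.d/ before step 3, and the second against the generated .sources files after step 4.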