Pin a Package Version Installed via .deb or apt on Ubuntu

Liam · August 14, 2025

Environment Set-Up

Keep a specific app version even when you run apt update / apt upgrade.

  • Quick & simple: sudo apt-mark hold <package>
  • Strict version pin: create /etc/apt/preferences.d/<package>.pref with Pin: version <x.y.z>
  • (Optional) Disable the vendor repo if it keeps offering newer builds.

Why pin?

If updating a package (e.g., FortiClient) breaks your workflow, you can freeze that package at a working version while keeping the rest of the system updated.

This works whether you installed the app via:

  • apt install ./file.deb (local .deb)
  • apt install <package> (from a repo)

1) Easiest: apt-mark hold

# Freeze the package at its current version
sudo apt-mark hold forticlient

# Verify
apt-mark showhold
# (shows: forticlient)

# Later, to allow upgrades again
sudo apt-mark unhold forticlient

After this, sudo apt upgrade will skip forticlient.

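Tip – simulate an upgrade to confirm (a held package is still listed under "kept back", so match only the Inst lines that mark real upgrades):

apt -s upgrade 2>/dev/null | grep -i '^Inst forticlient' || echo "forticlient not scheduled for upgrade"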

2) Pin a specific version (APT pinning)

Use this when you want to lock to an exact version.

# Create a pin file for this package/version
sudo tee /etc/apt/preferences.d/forticlient.pref >/dev/null <<'EOF'
Package: forticlient
Pin: version 7.4.0.1636
Pin-Priority: 1001
EOF

# Refresh and inspect policies
sudo apt update
apt policy forticlient
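
  • Pin-Priority: 1001 ensures your chosen version wins over newer ones. A priority of 1000 or higher also lets apt downgrade to the pinned version if a newer one is already installed.
  • To upgrade later, remove the pin:

sudo rm /etc/apt/preferences.d/forticlient.pref
sudo apt update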

# Optionally install a specific version when you're ready
sudo apt install forticlient=7.4.3.1736
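
What to look for in the apt policy output from the pinning step above, as an added example that is not part of the original post: the pin works when Candidate equals Installed (a plain apt-mark hold leaves Candidate at the newer version, so check holds with apt-mark showhold instead). The function name pin_status, the sample outputs and the repository URL are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): read `apt policy <pkg>` output
# and report whether the pin actually freezes the installed version.

# stdin: output of `apt policy <pkg>`. Prints one of:
#   frozen <installed> [behind <newest>]   Candidate equals Installed
#   drift <installed> -> <candidate>       apt would move to another version
#   absent                                 package is not installed
pin_status() {
  awk '
    $1 == "Installed:" { inst = $2 }
    $1 == "Candidate:" { cand = $2 }
    $1 == "Version" && $2 == "table:" { in_table = 1; next }
    # Version rows: "     7.4.3.1736 500" or " *** 7.4.0.1636 1001"
    in_table && newest == "" && /^ +(\*\*\* )?[0-9][^ ]* -?[0-9]+$/ {
      newest = $(NF - 1)        # apt lists the highest version first
    }
    END {
      if (inst == "" || inst == "(none)") { print "absent"; exit }
      if (inst != cand) { print "drift " inst " -> " cand; exit }
      if (newest != "" && newest != inst) print "frozen " inst " behind " newest
      else print "frozen " inst
    }'
}

# Constructed sample outputs; the repository URL is a placeholder.
SAMPLE_PINNED='forticlient:
  Installed: 7.4.0.1636
  Candidate: 7.4.0.1636
  Version table:
     7.4.3.1736 500
        500 https://repo.example.invalid/ubuntu stable/main amd64 Packages
 *** 7.4.0.1636 1001
        100 /var/lib/dpkg/status'

SAMPLE_UNPINNED='forticlient:
  Installed: 7.4.0.1636
  Candidate: 7.4.3.1736
  Version table:
     7.4.3.1736 500
        500 https://repo.example.invalid/ubuntu stable/main amd64 Packages
 *** 7.4.0.1636 100
        100 /var/lib/dpkg/status'

printf '%s\n' "$SAMPLE_PINNED"   | pin_status   # frozen 7.4.0.1636 behind 7.4.3.1736
printf '%s\n' "$SAMPLE_UNPINNED" | pin_status   # drift 7.4.0.1636 -> 7.4.3.1736
# On a real system: LC_ALL=C apt-cache policy forticlient | pin_status
```

The "behind" field shows how far the frozen package trails the newest version the repo offers, which is worth reviewing periodically because a pinned package receives no fixes until it is unfrozen.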

3) (Optional) Disable a vendor repo

If a vendor repo keeps pushing newer versions, a hold or pin will still make apt skip them, but you can disable the repo for cleanliness:

# Check for vendor list files
ls /etc/apt/sources.list.d | grep -i forti

# Example: comment out entries inside that list file
sudo sed -i 's/^\s*deb /# deb /' /etc/apt/sources.list.d/fortinet.list
sudo apt update

Example: FortiClient

If apt list --installed shows:

forticlient/now 7.4.0.1636 amd64 [installed,upgradable to: 7.4.3.1736]

Option A – hold:

sudo apt-mark hold forticlient
apt-mark showhold

Option B – exact version pin:

sudo tee /etc/apt/preferences.d/forticlient.pref >/dev/null <<'EOF'
Package: forticlient
Pin: version 7.4.0.1636
Pin-Priority: 1001
EOF

sudo apt update
apt policy forticlient

Notes & Tips

  • apt update only refreshes indexes; upgrades happen on apt upgrade / apt full-upgrade.
  • hold applies to the package name you specify. If the vendor changes the package name, re-apply the hold for the new name.
  • To hold multiple packages:
sudo apt-mark hold pkg1 pkg2 pkg3
  • You can always force-install a specific version (if available in any enabled repo or local cache):
sudo apt install package=VERSION

Unfreeze later

When the vendor fixes the issue and you're ready to upgrade:

# If you used hold:
sudo apt-mark unhold forticlient

# If you used pinning:
sudo rm /etc/apt/preferences.d/forticlient.pref

sudo apt update
sudo apt upgrade

That's it—your system stays updated while your problematic app version remains stable.
