majorwiki/05-troubleshooting/ubuntu-dist-upgrade-repo-quarantine.md

title	domain	category	tags	status	created	updated
Ubuntu dist-upgrade Quarantines Third-Party Repos	troubleshooting	ubuntu	ubuntu apt dist-upgrade repositories tailscale digitalocean	published	2026-04-28	2026-04-28

Ubuntu dist-upgrade Quarantines Third-Party Repos

Problem

When running do-release-upgrade (e.g., Jammy 22.04 to Noble 24.04), Ubuntu renames all third-party .list files in /etc/apt/sources.list.d/ to .list.distUpgrade. This silently disables every third-party repo — packages from those repos stop receiving updates with no warning.

The upgrade process does this intentionally because it can't guarantee third-party repos will have packages for the new release. Some repos get re-added as .sources files during the upgrade, but many don't.

Symptoms

• apt list --upgradable shows nothing for packages you know have updates (e.g., Tailscale stuck on an old version)
• apt list --installed shows packages as [installed,local] instead of [installed] — the "local" tag means apt has no repo to check for updates
• .distUpgrade files accumulate in /etc/apt/sources.list.d/ indefinitely

Diagnosis

Check for quarantined repos:

ls /etc/apt/sources.list.d/*.distUpgrade

For each file, check whether a replacement .list or .sources file already exists:

ls /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources

Fix

Distro-agnostic repos (e.g., DigitalOcean agents)

If the repo URL doesn't reference a distro codename (jammy/noble), just rename:

mv /etc/apt/sources.list.d/digitalocean-agent.list.distUpgrade \
   /etc/apt/sources.list.d/digitalocean-agent.list

Distro-specific repos (e.g., Tailscale, ondrej-php)

The quarantined file references the old distro (jammy). Re-run the upstream install script to get a correct entry for the new release:

# Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Or manually: update the codename
sed 's/jammy/noble/' /etc/apt/sources.list.d/tailscale.list.distUpgrade \
  > /etc/apt/sources.list.d/tailscale.list
apt update && apt upgrade tailscale

Already replaced by .sources

If the upgrade process already created a .sources replacement (common for ubuntu-esm-apps, ondrej-php), the .distUpgrade file is just clutter — delete it:

rm /etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list.distUpgrade

After all fixes

apt update
apt list --upgradable   # should now show pending updates
apt upgrade

Real-World Example: MajorsHouse Fleet (2026-04-28)

Five Ubuntu 24.04 servers were dist-upgraded from Jammy in October 2024. The .distUpgrade quarantine was discovered 6 months later when Tailscale's website wouldn't load (Pi-hole was blocking subdomains, but the investigation revealed teelia was stuck on Tailscale 1.76.0 — 20 versions behind — because the repo was disabled).

Host	Quarantined files	Impact
dcaprod	8	Tailscale, DO agents, MySQL, ondrej-php, ESM, vector
teelia	4	Tailscale (stuck on 1.76.0), DO agents, certbot bionic PPA
majorlinux	8	Tailscale, DO agents, MySQL, ondrej-php, ESM, apt-fast
majortoot	11	Tailscale, DO agents, nodesource, PostgreSQL, vector, zabbix, ESM
tttpod	0	Clean — was likely rebuilt rather than upgraded

All files were audited, stale ones deleted, distro-agnostic repos renamed, and distro-specific repos re-added via upstream install scripts. DO agents upgraded from 3.16.11 to 3.18.12, teelia's Tailscale jumped from 1.76.0 to 1.96.4.

Prevention

• Post-upgrade audit: After any do-release-upgrade, immediately run ls /etc/apt/sources.list.d/*.distUpgrade and resolve each file.
• Prefer .sources format: When adding new third-party repos, use the DEB822 .sources format — it's what Ubuntu itself uses on Noble and is handled more gracefully during upgrades.
• Ansible playbook: Consider a post-upgrade play that checks for .distUpgrade files and alerts or auto-fixes distro-agnostic repos.