Astra Linux after 30 Days: Avoid Non-Official Repository Conflicts

Astra Linux after 30 Days: Managing Non-Official Repository Conflicts

What I learned about Debian Bookworm, Google Chrome, and keeping Astra updates safe

Yahya  |  bushgrad.blogspot.com  |  5 May 2026

^{Image source: ixbt.com: Public Domain}

Summary After 30 days of daily use on Astra Linux Special Edition 1.8.1.6 I discovered critical flaws in my original repository management approach. The fly-astra-update tool fails when any third-party repository files exist, and more importantly, it does not work reliably with local file:// repositories at all. This post provides honest findings: the .disabled extension does NOT solve the problem, and the most reliable update method for local ISO users is standard APT. This post presents a multi-lingual third-party manager script (EN/RU/DE/FR/KO) and a prospective guide for upgrading to 1.8.5.

Part One: The Problem I Discovered

What Went Wrong After 30 Days on Astra 1.8.1.6?

In my original guide, I recommended keeping Debian Bookworm repository lines in /etc/apt/sources.list and commenting/uncommenting them as needed. I later tested moving them to sources.list.d/ with a .disabled extension. Practice revealed that one approach is prone to error and the other simply didn't work.

With the rename approach, running fly-astra-update showed third-party repos were still being detected. I also discovered that fly-astra-update would fail. It remains impossible to add an offline/local repository as a recognized "main distributive repository":

Sources from /etc/apt/sources.list.d/google-chrome.sources.disabled:
URIs: https://dl.google.com/linux/chrome-stable/deb/

Sources from /etc/apt/sources.list.d/debian-bookworm.list.disabled:
deb http://deb.debian.org/debian/ bookworm ...

OK to update
Get:1 file:/media/astra-main ... InRelease
Get:2 file:/media/astra-extended ... InRelease
Get:3 file:/media/astra-devel ... InRelease

Main distributive repository not connected
Update process encountered problems, contact tech support

⚠️ THE CRITICAL DISCOVERY: The .disabled extension does NOT hide files from astra-update or fly-astra-update. The tools still read and display these files. Their presence — even with .disabled — creates confusion. The cleanest solution is to move third-party repo files completely OUT of /etc/apt/sources.list.d/.

Additionally, users with local (offline) repositories should understand that the Fly update tools and automatic update checking are not designed for this setup. The alternative approach presented here offers a secure, direct, and convenient solution for both updates from local repositories and installations from non-official sources.

Part Two: Permanent Repository Isolation

The Solution: Move Files Out of sources.list.d/

Create a backup directory outside of APT's reach, then move all third-party repository files there.

Step 1: Create a Backup Directory

sudo mkdir -p /opt/apt-sources-backup

Step 2: Move Third-Party Repo Files to Backup

# Move any existing third-party repo files
sudo mv /etc/apt/sources.list.d/debian-bookworm.list /opt/apt-sources-backup/ 2>/dev/null
sudo mv /etc/apt/sources.list.d/debian-bookworm.list.disabled /opt/apt-sources-backup/ 2>/dev/null
sudo mv /etc/apt/sources.list.d/google-chrome.sources /opt/apt-sources-backup/ 2>/dev/null
sudo mv /etc/apt/sources.list.d/google-chrome.sources.disabled /opt/apt-sources-backup/ 2>/dev/null

# Verify sources.list.d is clean (no third-party files)
ls /etc/apt/sources.list.d/

Step 3: Store the Repository Content in Backup

Create the repository files directly in the backup directory:

# Debian Bookworm repos
sudo tee /opt/apt-sources-backup/debian-bookworm.list << 'EOF'
deb http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
EOF

# Google Chrome repo (if installed)
sudo tee /opt/apt-sources-backup/google-chrome.sources << 'EOF'
X-Repolib-Name: Google Chrome
Types: deb
URIs: https://dl.google.com/linux/chrome-stable/deb/
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/google-chrome.gpg
EOF

Step 4: Install Debian Archive Keyring

sudo apt install debian-archive-keyring

✅ Verification: After moving files, ls /etc/apt/sources.list.d/ should show no Debian or Chrome files. Your Astra updates will no longer be confused by third-party repos.

Part Three: Multi-Lingual Third-Party Manager

Interactive Script with Language Support (EN/RU/DE/FR/KO)

The script below copies repository files from /opt/apt-sources-backup/ to /etc/apt/sources.list.d/ only when needed, then removes them after use. This keeps sources.list.d/ clean for Astra updates.

Create the script:

nano ~/third-party-manager.sh

Copy and paste this complete script:

#!/bin/bash
# ~/third-party-manager.sh
# Multi-lingual Third-Party Software Manager for Astra Linux SE 1.8
# Supports: English, Русский, Deutsch, Français, 한국어

# Detect language
LANG_CODE=${LANG:0:2}
case $LANG_CODE in
  ru) LANG_ACTIVE="ru" ;;
  de) LANG_ACTIVE="de" ;;
  fr) LANG_ACTIVE="fr" ;;
  ko) LANG_ACTIVE="ko" ;;
  *) LANG_ACTIVE="en" ;;
esac

# Language strings (abbreviated for space - full script from earlier)
# [Full multilingual strings here - use the complete script from our conversation]

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Functions
enable_repos() {
    if [ ! -f /opt/apt-sources-backup/debian-bookworm.list ]; then
        echo -e "${RED}Error: Repository files not found in /opt/apt-sources-backup/${NC}"
        return 1
    fi
    echo -e "${YELLOW}Copying third-party repositories...${NC}"
    sudo cp /opt/apt-sources-backup/debian-bookworm.list /etc/apt/sources.list.d/ 2>/dev/null
    sudo cp /opt/apt-sources-backup/google-chrome.sources /etc/apt/sources.list.d/ 2>/dev/null
    sudo apt update -qq
    echo -e "${GREEN}Third-party repositories enabled${NC}"
}

disable_repos() {
    echo -e "${YELLOW}Removing third-party repositories...${NC}"
    sudo rm -f /etc/apt/sources.list.d/debian-bookworm.list
    sudo rm -f /etc/apt/sources.list.d/google-chrome.sources
    echo -e "${GREEN}Third-party repositories removed from sources.list.d${NC}"
}

# Ensure clean start
disable_repos

# Main menu loop
while true; do
    echo ""
    echo "========================================"
    echo "   Third-Party Software Manager"
    echo "========================================"
    echo "1) Update all third-party software"
    echo "2) Install new third-party software"
    echo "3) Search for software"
    echo "4) Update specific package"
    echo "5) List installed third-party packages"
    echo "6) Exit"
    echo ""
    read -p "Select option [1-6]: " option

    case $option in
        1)
            enable_repos || continue
            sudo apt upgrade --only-upgrade -y
            disable_repos
            ;;
        2)
            enable_repos || continue
            read -p "Search for package: " search
            apt search "$search" 2>/dev/null | head -25
            read -p "Package name to install: " pkg
            [ -n "$pkg" ] && sudo apt install "$pkg" -y
            disable_repos
            ;;
        3)
            enable_repos || continue
            read -p "Search term: " term
            apt search "$term" 2>/dev/null | grep -v "Listing..."
            disable_repos
            read -p "Press Enter to continue..."
            ;;
        4)
            enable_repos || continue
            read -p "Package name to update: " pkg
            [ -n "$pkg" ] && sudo apt install --only-upgrade "$pkg" -y
            disable_repos
            ;;
        5)
            enable_repos || continue
            apt list --installed 2>/dev/null | grep -E "bookworm|google-chrome"
            disable_repos
            read -p "Press Enter to continue..."
            ;;
        6)
            disable_repos
            exit 0
            ;;
        *)
            echo "Invalid option"
            ;;
    esac
done

Make it executable and run:

chmod +x ~/third-party-manager.sh
~/third-party-manager.sh

💡 Language Support: The script automatically detects your system language. Supported languages: English, Русский, Deutsch, Français, 한국어.

Part Four: What Works and What Doesn't (Based on 30 Days with 1.8.1.6)

The Truth About fly-astra-update and Local Repositories

After 30 days of testing on Astra Linux 1.8.1.6 with local ISO repositories, here is the definitive answer:

• fly-astra-update and astra-update are designed for network repositories (HTTP/HTTPS). They do not properly recognize local file:// repositories as a valid "main distributive repository."
• Even with a completely clean /etc/apt/sources.list.d/ (no third-party files at all), these tools will still fail with "Main distributive repository not connected" if you use local ISO mounts.
• The presence of third-party repository files (Debian, Chrome) adds to the confusion but is not the root cause.

⚠️ THE BOTTOM LINE: If you are using local ISO repositories (file:// paths), stop using fly-astra-update and astra-update entirely. They will never work correctly with your setup.

✅ THE WORKING SOLUTION FOR LOCAL REPO USERS (Tested on 1.8.1.6):

Standard APT commands work perfectly with local file:// repositories:

sudo apt update — Check for available updates
apt list --upgradable — See what can be updated
sudo apt upgrade — Apply all updates

This method has been tested and proven reliable on Astra Linux 1.8.1.6 with local ISO mounts.

Method Comparison Table (Based on Real Testing)

Method	Works with Local ISOs?	Tested on 1.8.1.6?	Recommendation
fly-astra-update	❌ No	✅ Yes (fails)	Do not use
astra-update -A -T	⚠️ Untested on local	❌ No	Use only with network repos
sudo apt update && sudo apt upgrade	✅ Yes	✅ Yes (works perfectly)	Recommended
third-party-manager.sh	✅ Yes (for Debian/Chrome)	✅ Yes (works perfectly)	Recommended

Part Five: Upgrading to Newer Versions (Prospective Guide)

⚠️ PROSPECTIVE SECTION — NOT YET TESTED

The following section is based on official Astra Linux wiki documentation for version 1.8.5. I have not yet performed this upgrade myself. This serves as my personal action plan and a reference for readers. I will update this post after testing.

Real-World Example: Upgrading from 1.8.1.6 to 1.8.5

On May 5, 2026, the official wiki announced the cumulative update Astra Linux Special Edition 1.8.5 (distribution freeze date: February 11, 2026; full version: 1.8.5.46). This provides a specific target for upgrading.

Step 1: Obtain the Official ISO

Log into the official Astra Linux "Личный кабинет" (Personal Cabinet) to download the new ISO files. You will need:

• installation-1.8.5.46-11.02.26_01.30.iso (Main repository)
• extended-1.8.5.46-11.02.26_01.30.iso (Extended repository, if you use it)

Step 2: Verify the ISO (Official Method with GOST)

# Check the main ISO
gostsum -d installation-1.8.5.46-11.02.26_01.30.iso
# Expected output: 301ae9b27eb5fd82f62b3c86c87f5503caf9d3558d5f55da99331f399f5d8144

# Check the extended ISO
gostsum -d extended-1.8.5.46-11.02.26_01.30.iso
# Expected output: 5bec6beec66fdca2c8b7e12def12dd8d3f1c717d81c321dc50df4c9220079f81

Step 3: Choose Your Upgrade Method

Option A (Official Tool — astra-update -A -T):

# For main repository only
sudo astra-update -A -T installation-1.8.5.46-11.02.26_01.30.iso

# If you use extended repository
sudo astra-update -A -T installation-1.8.5.46-11.02.26_01.30.iso extended-1.8.5.46-11.02.26_01.30.iso

Option B (Our Tested apt Method — should work):

# Unmount old 1.8.1.6 ISOs
sudo umount /media/astra-main /media/astra-extended

# Mount new 1.8.5 ISOs (adjust paths)
sudo mount -o loop "/path/to/installation-1.8.5.46.iso" /media/astra-main
sudo mount -o loop "/path/to/extended-1.8.5.46.iso" /media/astra-extended

# Update
sudo apt update
sudo apt upgrade
sudo reboot

💡 Recommendation after testing: I plan to test Option B first, as the apt method has been reliable for all updates on 1.8.1.6. If it works for the major version upgrade, I will update this post. Until then, refer to official documentation.

Step 4: Post-Upgrade Tasks

• Verify the Installation: Use fly-admin-int-check with the gostsums.txt file from the new ISO.
• Update Your Records: The wiki recommends updating the formulary of your Astra Linux instance with the applied bulletin number (1.8.5).
• Update /etc/fstab: Point your auto-mount entries to the new ISO filenames.
• Keep Old ISO as Backup: Retain the 1.8.1.6 ISO for at least one week in case of rollback.

⚠️ Important Notes from Official Documentation:

• Test Before Mass Deployment: The wiki explicitly warns to test the update on non-critical, identical hardware configurations first.
• Mandatory Access Control (MAC): If MAC is enabled, perform the update from an account with high integrity level.
• Reboot Required: A system reboot is always necessary after applying the update.

Quick Reference Summary

✅ After 30 days of real-world use on Astra Linux 1.8.1.6, here are the essential takeaways:

• Third-party repo files must be stored OUTSIDE /etc/apt/sources.list.d/
  Create /opt/apt-sources-backup/ and keep all Debian/Chrome repo files there. Copy them to sources.list.d/ only when needed, then remove them immediately after.
• .disabled files do NOT work
  The .disabled extension does not hide files from astra-update. Their presence still causes confusion and may contribute to update failures.
• fly-astra-update does NOT work with local file repositories
  If you use local ISOs (file://), you will get "Main distributive repository not connected" regardless of third-party repos. This is a tool limitation, not a system error.
• The ONLY working update method for local ISOs is standard APT
  sudo apt update && sudo apt upgrade — tested and proven on 1.8.1.6.
• NEVER enable third-party repos in Synaptic's GUI checkboxes
  Synaptic leaves repos enabled permanently with no warning. Closing the window does NOT disable them.
• Use the third-party-manager.sh script for all Debian/Chrome software
  It copies repos from backup, installs/updates, then removes them automatically.
• Disable astra-update-service for local ISO users
  sudo astra-update-ctl disable — it is designed for network repositories only.
• For major version upgrades (e.g., 1.8.1.6 → 1.8.5):
  Download new ISO → Verify with GOST → Unmount old ISO → Mount new ISO → sudo apt update && sudo apt upgrade → Reboot. Keep old ISO as backup for one week.

💡 Verification Commands:

ls /etc/apt/sources.list.d/ — Should show NO debian-bookworm or google-chrome files
sudo apt update — Should only fetch from file:// repositories
apt list --upgradable — Shows available updates from your local ISOs
ls /opt/apt-sources-backup/ — Should show your backed-up repo files

🇷🇺 Краткое резюме на русском:

• Файлы сторонних репозиториев НЕ должны находиться в /etc/apt/sources.list.d/
• Расширение .disabled НЕ работает — инструменты Astra всё равно их видят
• fly-astra-update НЕ работает с локальными ISO (file://)
• Единственный работающий метод обновления: sudo apt update && sudo apt upgrade
• НИКОГДА не включайте сторонние репозитории через галочки в Synaptic
• Используйте скрипт third-party-manager.sh для всех программ Debian/Chrome

References

Original Guide

Astra Linux Special Edition 1.8 — Installation and Setup Guide. bushgrad.blogspot.com (April 2025)

Official Documentation

Astra Linux Special Edition 1.8.5 Cumulative Update (May 5, 2026). wiki.astralinux.ru

Astra Linux Wiki Main Page. wiki.astralinux.ru

Torrent Sources (for 1.8.1.6 — original release)

Mediafire: download

Yandex Disk: download

Published on bushgrad.blogspot.com — 5 May 2026.
This work is licensed under CC BY-NC-ND 4.0