diff --git a/CHANGELOG.md b/CHANGELOG.md
index eeb319b5..1bfbbb1c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release.
 ### Added
 * apache: add server status suffix in VHost (and default site) if missing
+* apt: add a script to manage packages with "hold" mark
 * nginx: add server status suffix in VHost (and default site) if missing
 * redmine: enable gzip compression in nginx vhost
diff --git a/apt/README.md b/apt/README.md
index f3a8b13f..0db1eae2 100644
--- a/apt/README.md
+++ b/apt/README.md
@@ -7,7 +7,8 @@ A few APT related operations, like easily install backports of change components
 Tasks are extracted in several files, included in `tasks/main.yml` :
 * `backports.yml` : add a sources list for backports ;
-* `basics_components.yml` : replace components for the basic sources.
+* `basics_components.yml` : replace components for the basic sources ;
+* `hold_packages.yml` : install script to automatically hold packages.
 ## Available variables
@@ -16,7 +17,10 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
 * `apt_basics_components` : basic sources components (default: `main`) ;
 * `apt_install_backports` : install backports sources (default: `False`) ;
 * `apt_backports_components` : backports sources (default: `main`) ;
-* `apt_install_evolix_public` : install Evolix public repositories (default: `True`).
+* `apt_install_evolix_public` : install Evolix public repositories (default: `True`) ;
+* `apt_install_hold_packages` : install script to automatically hold packages (default: `True`).
+* `apt_hold_packages`: list of packages that must have a "hold" mark (default: `[]`)
+* `apt_unhold_packages`: list of packages that must not have a "hold" mark (default: `[]`)
 ## Examples
diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml
index 0960fd16..e5093c6e 100644
--- a/apt/defaults/main.yml
+++ b/apt/defaults/main.yml
@@ -14,3 +14,14 @@ apt_backports_components: "main"
 apt_install_evolix_public: True
 apt_clean_gandi_sourceslist: False
+
+apt_install_hold_packages: True
+
+apt_hold_packages: []
+apt_unhold_packages: []
+
+apt_check_hold_cron_minute: "45"
+apt_check_hold_cron_hour: "*/4"
+apt_check_hold_cron_weekday: "*"
+apt_check_hold_cron_day: "*"
+apt_check_hold_cron_month: "*"
diff --git a/apt/files/check_held_packages.sh b/apt/files/check_held_packages.sh
new file mode 100644
index 00000000..b0cd9c23
--- /dev/null
+++ b/apt/files/check_held_packages.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+is_held() {
+ package=$1
+
+ apt-mark showhold ${package} | grep --silent ${package}
+}
+
+config_file="/etc/evolinux/apt_hold_packages.cf"
+return_code=0
+
+if [ -f ${config_file} ]; then
+ packages="$(cat ${config_file})"
+
+ if [ -n "${packages}" ]; then
+ for package in ${packages}; do
+ if [ -n "${package}" ]; then
+ if ! is_held ${package}; then
+ apt-mark hold ${package}
+ >&2 echo "Package \`${package}' has been marked \`hold'."
+ return_code=1
+ fi
+ fi
+ done
+ fi
+fi
+
+exit ${return_code}
diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml
new file mode 100644
index 00000000..65507e76
--- /dev/null
+++ b/apt/tasks/hold_packages.yml
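Review bot: `apt_install_hold_packages: True` in apt/defaults/main.yml means every host that applies this role gets the check script and a root cron entry, even while `apt_hold_packages` is still the empty default. Consider defaulting it to `False`, or at least put a comment above it such as `# installs /usr/share/scripts/check_held_packages.sh and a root cron job that re-applies "hold" marks`. The five `apt_check_hold_cron_*` variables added here are not listed in the README hunk of this commit, so the schedule cannot be discovered from the documentation.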
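Review bot: In apt/files/check_held_packages.sh every expansion of `${package}` is unquoted and handed straight to `apt-mark` and `grep`, in a script that the cron task installs for user root. A line in /etc/evolinux/apt_hold_packages.cf that begins with `-` is read as an option, a glob character is expanded against the working directory by the `for` loop, and `grep --silent ${package}` treats the name as a regular expression rather than a literal. I would quote the variable and end option parsing, `apt-mark showhold "${package}" | grep --quiet --fixed-strings --line-regexp -- "${package}"` and `apt-mark hold -- "${package}"`, with `set -f` before the loop. The exit status of `apt-mark hold` is also ignored, so the "has been marked" message and `return_code=1` are produced even when the hold did not succeed.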
@@ -0,0 +1,49 @@
+---
+
+- name: "hold packages (apt)"
+ shell: "(apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }}"
+ register: apt_mark
+ changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
+ with_items: "{{ apt_hold_packages }}"
+
+- name: "hold packages (config)"
+ lineinfile:
+ dest: /etc/evolinux/apt_hold_packages.cf
+ line: "{{ item }}"
+ create: True
+ state: present
+ with_items: "{{ apt_hold_packages }}"
+
+- name: "unhold packages (apt)"
+ shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
+ register: apt_mark
+ changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
+ with_items: "{{ apt_unhold_packages }}"
+
+- name: "unhold packages (config)"
+ lineinfile:
+ dest: /etc/evolinux/apt_hold_packages.cf
+ line: "{{ item }}"
+ create: True
+ state: absent
+ with_items: "{{ apt_unhold_packages }}"
+
+- name: Check scripts is installed
+ copy:
+ src: check_held_packages.sh
+ dest: /usr/share/scripts/check_held_packages.sh
+ force: yes
+ mode: "0755"
+
+- name: Check for held packages (script)
+ cron:
+ cron_file: apt-hold-packages
+ name: check_held_packages
+ job: "/usr/share/scripts/check_held_packages.sh"
+ user: root
+ minute: "{{ apt_check_hold_cron_minute }}"
+ hour: "{{ apt_check_hold_cron_hour }}"
+ weekday: "{{ apt_check_hold_cron_weekday }}"
+ day: "{{ apt_check_hold_cron_day }}"
+ month: "{{ apt_check_hold_cron_month }}"
+ state: "present"
diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml
index c052aa31..b02e779f 100644
--- a/apt/tasks/main.yml
+++ b/apt/tasks/main.yml
@@ -31,3 +31,9 @@
 when: apt_install_evolix_public
 tags:
 - apt
+
+- name: Install check for packages marked hold
+ include: hold_packages.yml
+ when: apt_install_hold_packages
+ tags:
+ - apt
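Review bot: In apt/tasks/hold_packages.yml the "unhold packages (apt)" task fails whenever the package is not currently held, because `(… | grep --quiet {{ item }}) && apt-mark unhold {{ item }}` then exits with grep's status 1 and the task has no `failed_when`. The same guard in both shell tasks matches substrings and regular expressions, so a held package whose name merely contains the item (say a constructed `foo-bar` for item `foo`) makes the hold task skip `foo`. In addition, `{{ item }}` is interpolated unquoted into a shell line. Since `changed_when` already keys on apt-mark's own output, the guard and the shell can both go: `command: "apt-mark hold {{ item }}"` and `command: "apt-mark unhold {{ item }}"`. apt-mark is expected to exit 0 when the package is already in the requested state, which is worth confirming on the target Debian release.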