Table of Contents
The Wiki has more information about this topic.
The following are the officially supported architectures for Debian 10:
32-bit PC (i386
) and 64-bit PC (amd64
)
64-bit ARM (arm64
)
ARM EABI (armel
)
ARMv7 (EABI hard-float ABI, armhf
)
MIPS (mips
(big-endian) and mipsel
(little-endian))
64-bit little-endian MIPS (mips64el
)
64-bit little-endian PowerPC (ppc64el
)
IBM System z (s390x
)
You can read more about port status, and port-specific information for your architecture at the Debian port web pages.
This new release of Debian again comes with a lot more software than its predecessor stretch; the distribution includes over 13370 new packages, for a total of over 57703 packages. Most of the software in the distribution has been updated: over 35532 software packages (this is 62% of all packages in stretch). Also, a significant number of packages (over 7278, 13% of the packages in stretch) have for various reasons been removed from the distribution. You will not see any updates for these packages and they will be marked as "obsolete" in package management front-ends; see Secció 4.8, «Paquets obsolets».
Debian again ships with several desktop applications and environments. Among others it now includes the desktop environments GNOME 3.30, KDE Plasma 5.14, LXDE 10, LXQt 0.14, MATE 1.20, and Xfce 4.12.
Productivity applications have also been upgraded, including the office suites:
With buster, Debian for the first time brings a mandatory access control framework enabled per default. New installations of Debian buster will have AppArmor installed and enabled per default. See below for more information.
Besides, buster is the first Debian release to ship with Rust based programs such as Firefox, ripgrep, fd, exa, etc. and a significant number of Rust based libraries (more than 450). Buster ships with Rustc 1.34.
Updates of other desktop applications include the upgrade to Evolution 3.30.
Among many others, this release also includes the following software updates:
Secure Boot is a feature enabled on most PCs that prevents loading unsigned code, protecting against some kinds of bootkit and rootkit.
Debian can now be installed and run on most PCs with Secure Boot enabled.
It is possible to enable Secure Boot on a system that has an existing Debian
installation, if it already boots using UEFI. Before doing this, it's
necessary to install shim-signed
,
grub-efi-amd64-signed
or grub-efi-ia32-signed
, and a Linux kernel package
from buster.
Some features of GRUB and Linux are restricted in Secure Boot mode, to prevent modifications to their code.
More information can be found on the Debian wiki at SecureBoot.
Debian buster has AppArmor
enabled per
default. AppArmor
is a mandatory access control framework
for restricting programs' capabilities (such as mount, ptrace, and signal
permissions, or file read, write, and execute access) by defining
per-program profiles.
The apparmor
package ships with
AppArmor profiles for several programs. Some other packages, such as
evince
, include profiles for the
programs they ship. More profiles can be found in the apparmor-profiles-extra
package.
AppArmor
is pulled in due to a
Recommends
by the buster Linux kernel package. On
systems that are configured to not install recommended packages by default,
the apparmor
package can be
installed manually in order to enable AppArmor
.
All methods provided by APT (e.g. http, and https) except for cdrom, gpgv,
and rsh can make use of seccomp-BPF sandboxing as supplied by the Linux
kernel to restrict the list of allowed system calls, and trap all others
with a SIGSYS
signal. This sandboxing is currently opt-in
and needs to be enabled with:
APT::Sandbox::Seccomp is a boolean to turn it on/off
Two options can be used to configure this further:
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Previous versions of unattended-upgrades
defaulted to installing only
upgrades that came from the security suite. In buster it now also automates
upgrading to the latest stable point release. For details, see the package's
NEWS.Debian file.
The documentation (man
-pages) for several projects like
systemd
, util-linux
and mutt
has been substantially extended. Please
install manpages-de
to benefit from
the improvements. During the lifetime of buster further new/improved
translations will be provided within the backports
archive.
Starting with iptables
v1.8.2 the
binary package includes iptables-nft
and
iptables-legacy
, two variants of the
iptables
command line interface. The nftables-based
variant, using the nf_tables
Linux kernel subsystem, is
the default in buster. The legacy variant uses the
x_tables
Linux kernel subsystem. The
update-alternatives
system can be used to select one
variant or the other.
This applies to all related tools and utilities:
iptables
iptables-save
iptables-restore
ip6tables
ip6tables-save
ip6tables-restore
arptables
arptables-save
arptables-restore
ebtables
ebtables-save
ebtables-restore
All these have also gained -nft
and
-legacy
variants. The -nft
option is
for users who can't or don't want to migrate to the native
nftables
command line interface. However, users are
strongly enouraged to switch to the nftables
interface
rather than using iptables
.
nftables
provides a full replacement for
iptables
, with much better performance, a refreshed
syntax, better support for IPv4/IPv6 dual-stack firewalls, full atomic
operations for dynamic ruleset updates, a Netlink API for third party
applications, faster packet classification through enhanced generic set and
map infrastructures, and many other
improvements.
This change is in line with what other major Linux distributions are doing,
such as RedHat, which now uses nftables
as its default
firewalling tool.
Also, please note that all iptables
binaries are now
installed in /usr/sbin
instead of
/sbin
. A compatibility symlink is in place, but will be
dropped after the buster release cycle. Hardcoded paths to the binaries in
scripts will need to be corrected and are worth avoiding.
Extensive documentation is available in the package's README and NEWS files and on the Debian Wiki.
The cryptsetup
version shipped with
Debian buster uses the new on-disk LUKS2
format. New
LUKS
volumes will use this format by default.
Unlike the previous LUKS1
format,
LUKS2
provides redundancy of metadata, detection of
metadata corruption, and configurable PBKDF
algorithms.
Authenticated encryption is supported as well, but still marked as
experimental.
Existing LUKS1
volumes will not be updated
automatically. They can be converted, but not all LUKS2
features will be available due to header size incompatibilities. See the
cryptsetup manpage for more
information.
Please note that the GNU GRUB bootloader doesn't support the
LUKS2
format yet. See the corresponding
documentation for further information on how to install Debian
10 with encrypted boot.
Debian 10 provides CUPS 2.2.10 and cups-filters
1.21.6. Together these give a user
everything that is needed to take advantage of driverless printing. The
principal requirement is that a network print queue or printer offers an
AirPrint service. A modern IPP printer is highly likely to be
AirPrint-capable; a Debian CUPS print queue is always AirPrint-enabled.
In essence, the DNS-SD (Bonjour) broadcasts from a CUPS server advertising a queue, or those from IPP printers, are capable of being displayed in the print dialogs of applications without any action being required on the part of a user. An additional benefit is that the use of non-free vendor printing drivers and plugins can be dispensed with.
A default installation of the cups
package also installs the package cups-browsed
; print queues and IPP printers will
now be automatically set up and managed by this utility. This is the recommended way for a user to
experience seamless and trouble-free driverless printing.
Thanks to the efforts of the linux-sunxi community Debian buster will have basic suport for many devices based on the Allwinner A64 SoC. This includes FriendlyARM NanoPi A64; Olimex A64-OLinuXino and TERES-A64; PINE64 PINE A64/A64+/A64-LTS, SOPINE, and Pinebook; SINOVOIP Banana Pi BPI-M64; and Xunlong Orange Pi Win(Plus).
The essential features of these devices (e.g. serial console, ethernet, USB ports and basic video output) should work with the kernel from buster. More advanced features (e.g. audio or accelerated video) are included or scheduled to be included in later kernels, which will be made available as usual through the backports archive. See also the status page for the Linux mainlining effort.
The Debian Med team has added several new packages and updates for software targeting life sciences and medicine. The effort to add Continuous Integration support for the packages in this field was (and will be) continued.
To install packages maintained by the Debian Med team, install the
metapackages named med-*
, which are at version 3.3 for
Debian buster. Feel free to visit the Debian Med tasks pages to
see the full range of biological and medical software available in Debian.
Following upstream, GNOME in buster defaults to using the Wayland display server instead of Xorg. Wayland has a simpler and more modern design, which has advantages for security.
The Xorg display server is still installed by default and the default display manager still allows you to choose it as the display server for the next session, which may be needed if you want to use some applications (see Secció 5.1.9, «Some applications don't work in GNOME on Wayland»).
People requiring accessibility features of the display server, e.g. global keyboard shortcuts, are recommended to use Xorg instead of Wayland.
On fresh installs, the content of /bin
,
/sbin
and /lib
will be installed
into their /usr
counterpart by
default. /bin
, /sbin
and
/lib
will be soft-links pointing at their directory
counterpart under /usr/
. In graphical form:
/bin → /usr/bin /sbin → /usr/sbin /lib → /usr/lib
When upgrading to buster, systems are left as they are, although the
usrmerge
package exists to do the
conversion if desired. The freedesktop.org project hosts
a
Wiki with most of the rationale.
This change shouldn't impact normal users that only run packages provided by Debian, but it may be something that people that use or build third party software want to be aware of.
The Debian Live team is proud to introduce LXQt live ISOs as a new flavor. LXQt is a lightweight Qt desktop environment. It will not get in your way. It will not hang or slow down your system. It is focused on being a classic desktop with a modern look and feel.
The LXQt desktop environment offered in the Debian Live LXQt project is pure, unmodified, so you will get the standard desktop experience that the LXQt developers created for their popular operating system. Users are presented with the standard LXQt layout comprised of a single panel (taskbar) located on the bottom edge of the screen, which includes various useful applets, such as the Main Menu, task manager, app launcher, system tray area, and integrated calendar.
The buster live images come with something new that a bunch of other distributions have also adopted, which is the Calamares installer. Calamares is an independent installer project (they call it “The universal installer framework”) which offers a Qt based interface for installing a system. It doesn't replace debian-installer on the live images; rather, it serves a different audience.
Calamares is really easy to use, with friendly guided partitioning and really simple full-disk encryption setup. It doesn't cover all the advanced features of debian-installer (although it very recently got RAID support) and it doesn't have an unattended install mode either. However, for 95%+ of desktop and laptop users, Calamares is a much easier way to get a system installed, which makes it very appropriate for live systems. For anyone who needs anything more complicated, or who's doing a mass-install, debian-installer is still available in both text and GUI forms.
Debian Live Buster re-introduces the standard live image. This is a basic Debian image that contains a base Debian system without any graphical user interface. Because it installs from a squashfs image rather than installing the system files using dpkg, installation times are a lot faster than installing from a minimal Debian installation image.