Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.
This section covers items related to the upgrade from stretch to buster.
Using the hidepid mount option for /proc is known to cause problems with current versions of systemd, and is considered by systemd upstream to be an unsupported configuration. Users who have modified /etc/fstab to enable this option are advised to disable it before the upgrade, to ensure login sessions work on buster. (A possible route to re-enabling it is outlined on the wiki's Hardening page.)
The default options of ypbind, set in /etc/default/nis, have changed. However, if you have modified this file the old default will not be updated, and you must make sure that the YPBINDARGS= option in /etc/default/nis does not include -no-dbus. With -no-dbus present, ypbind will fail to start, and you may not be able to log in. For more info see bug #906436.
The default behavior of rpcbind has changed to no longer answer remote calls from NIS clients. On NIS servers you will need to add the (Debian-specific) -r flag to the command line options of rpcbind, otherwise users will not be able to log into your NIS client machines. For more info see bug #935492.
The semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options for sshd have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms rsa-sha2-256, rsa-sha2-512 and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures. No action is required for configurations that accept the default for these options.
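The following audit script is an added example and is not part of the release notes or of the OpenSSH project. It reads an sshd_config, takes the first occurrence of each option (as sshd does), and flags the risky case described above: a replacement list that accepts RSA keys (ssh-rsa or its certificate form) but names no rsa-sha2-* signature algorithm. Lists beginning with + or - modify the default set and are reported but not flagged. The two config files it checks are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Audit sshd_config overrides of PubkeyAcceptedKeyTypes / HostbasedAcceptedKeyTypes
# for the buster pitfall: a replacement list that names RSA keys but omits the
# rsa-sha2-256 / rsa-sha2-512 signature algorithms. Added example, not from the
# release notes; the two config files below are constructed.

# check_accepted_types FILE OPTION
# Prints a verdict; returns 1 only for the risky case described above.
check_accepted_types() {
    cfg=$1; opt=$2
    # sshd uses the first occurrence of a keyword; keywords are case-insensitive.
    value=$(grep -i "^[[:space:]]*$opt[[:space:]=]" "$cfg" | head -n 1 |
            sed 's/^[[:space:]]*[^[:space:]=]*[[:space:]=]*//; s/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo "$opt: not set, default applies (no action needed)"
        return 0
    fi
    case $value in
        +*) echo "$opt: appends to the default list ($value), rsa-sha2-* retained"; return 0 ;;
        -*) echo "$opt: removes from the default list ($value), verify rsa-sha2-* survive"; return 0 ;;
    esac
    has_rsa=0; has_sha2=0
    for alg in $(printf '%s' "$value" | tr ',' ' '); do
        case $alg in
            rsa-sha2-*) has_sha2=1 ;;
            ssh-rsa|ssh-rsa-cert-v01@openssh.com) has_rsa=1 ;;
        esac
    done
    if [ "$has_rsa" -eq 1 ] && [ "$has_sha2" -eq 0 ]; then
        echo "$opt: accepts RSA keys but no RSA/SHA2 signature algorithm ($value);" \
             "add rsa-sha2-256,rsa-sha2-512 (and their -cert-v01@openssh.com forms) or RSA logins may fail"
        return 1
    fi
    echo "$opt: ok ($value)"
    return 0
}

# Constructed samples: a stretch-era override and its corrected form.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa' \
              'HostbasedAcceptedKeyTypes ssh-ed25519' > "$tmp/stretch.conf"
printf '%s\n' 'PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa' > "$tmp/buster.conf"

rc=0
for f in "$tmp/stretch.conf" "$tmp/buster.conf"; do
    echo "== $f"
    check_accepted_types "$f" PubkeyAcceptedKeyTypes    || rc=1
    check_accepted_types "$f" HostbasedAcceptedKeyTypes || rc=1
done
# On a real host: check_accepted_types /etc/ssh/sshd_config PubkeyAcceptedKeyTypes
```

The corrected list keeps ssh-rsa so that clients which can only produce SHA-1 signatures still work; drop it once every client speaks rsa-sha2-*.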
Due to systemd needing entropy during boot and the kernel treating such calls as blocking when available entropy is low, the system may hang for minutes to hours until the randomness subsystem is sufficiently initialized (random: crng init done). For amd64 systems supporting the RDRAND instruction this issue is avoided by the Debian kernel using this instruction by default (CONFIG_RANDOM_TRUST_CPU).
Non-amd64 systems and some types of virtual machines need to provide a different source of entropy to continue fast booting. haveged has been chosen for this within the Debian Installer project and may be a valid option if hardware entropy is not available on the system. On virtual machines consider forwarding entropy from the host to the VMs via virtio_rng.
If you read this after upgrading a remote system to buster, ping the system on the network continuously as this adds entropy to the randomness pool and the system will eventually be reachable by ssh again.
See the wiki and DLange's overview of the issue for other options.
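Before upgrading a remote machine it is worth checking which of the entropy sources above it actually has. The script below is an added example, not part of the release notes: each check takes a file path so it can be exercised against the constructed samples at the bottom, and defaults to the real location on a Debian host (/proc/cpuinfo, /boot/config-$(uname -r), and /sys/class/misc/hw_random/rng_available, which is non-empty when a hwrng driver such as virtio_rng is bound).

```shell
#!/bin/sh
# Pre-upgrade check for the boot-time entropy stall: can the kernel seed its
# pool quickly from RDRAND (CONFIG_RANDOM_TRUST_CPU) or from a hardware RNG such
# as virtio_rng? Added example, not part of the release notes. Every function
# takes a file path so it can be run against the constructed samples below;
# the defaults are the real paths on a Debian host.

has_rdrand() {
    grep -qw rdrand "${1:-/proc/cpuinfo}"
}

kernel_trusts_cpu() {
    grep -q '^CONFIG_RANDOM_TRUST_CPU=y' "${1:-/boot/config-$(uname -r)}"
}

hwrng_available() {
    # Non-empty when a hwrng driver is bound, e.g. "virtio_rng.0" in a VM
    # with a virtio-rng device attached.
    grep -q '[^[:space:]]' "${1:-/sys/class/misc/hw_random/rng_available}" 2>/dev/null
}

# entropy_verdict CPUINFO KCONFIG RNG_AVAILABLE
# Returns 0 if boot should not stall for lack of entropy, 1 otherwise.
entropy_verdict() {
    if has_rdrand "$1" && kernel_trusts_cpu "$2"; then
        echo "ok: CPU has RDRAND and the kernel trusts it"
        return 0
    fi
    if hwrng_available "$3"; then
        echo "ok: hardware RNG present ($(cat "${3:-/sys/class/misc/hw_random/rng_available}"))"
        return 0
    fi
    echo "at risk: no trusted RDRAND and no hardware RNG; install haveged or attach virtio-rng before upgrading"
    return 1
}

# Constructed samples (not real machine output).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'processor\t: 0\nflags\t\t: fpu vme sse2 rdrand rdseed\n' > "$tmp/cpuinfo-amd64"
printf 'processor\t: 0\nFeatures\t: fp asimd evtstrm\n'           > "$tmp/cpuinfo-arm64"
printf 'CONFIG_RANDOM_TRUST_CPU=y\n'                               > "$tmp/config-trust"
printf 'virtio_rng.0\n'                                            > "$tmp/rng-virtio"
: > "$tmp/rng-none"

entropy_verdict "$tmp/cpuinfo-amd64" "$tmp/config-trust" "$tmp/rng-none"   || :
entropy_verdict "$tmp/cpuinfo-arm64" "$tmp/config-trust" "$tmp/rng-virtio" || :
entropy_verdict "$tmp/cpuinfo-arm64" "$tmp/config-trust" "$tmp/rng-none"   || :
# Live host: entropy_verdict; cat /proc/sys/kernel/random/entropy_avail
```

Note that the RDRAND path is a policy decision as well as a hardware one: a kernel booted with random.trust_cpu=off on the command line will not use it to seed the pool even though the config option is set, so the second and third checks still matter on such hosts.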
If your system was upgraded from an earlier release, and still uses the old-style network interface names that were deprecated with stretch (such as eth0 or wlan0), you should be aware that the mechanism of defining their names via /etc/udev/rules.d/70-persistent-net.rules is officially not supported by udev in buster (while it may still work in some cases). To avoid the danger of your machine losing networking after the upgrade to buster, it is recommended that you migrate in advance to the new naming scheme (usually meaning names like enp0s1 or wlp2s5, which incorporate PCI bus- and slot-numbers). Take care to update any interface names hard-coded in configuration for firewalls, ifupdown, and so on.
The alternative is to switch to a supported mechanism for enforcing the old naming scheme, such as a systemd .link file (see systemd.link(5)). The net.ifnames=0 kernel commandline option might also work for systems with only one network interface (of a given type).
To find the new-style names that will be used, first find the current names of the relevant interfaces:
$ echo /sys/class/net/[ew]*
For each of these names, check whether it is used in configuration files, and what name udev would prefer to use for it:
$ sudo rgrep -weth0 /etc
$ udevadm test-builtin net_id /sys/class/net/eth0 2>/dev/null
This should give enough information to devise a migration plan. (If the udevadm output includes an “onboard” or “slot” name, that takes priority; MAC-based names are normally treated as a fallback, but may be needed for USB network hardware.)
Once you are ready to carry out the switch, disable 70-persistent-net.rules either by renaming it or by commenting out individual lines. On virtual machines you will need to remove the files /etc/systemd/network/99-default.link and (if using virtio network devices) /etc/systemd/network/50-virtio-kernel-names.link. Then rebuild the initrd:
$ sudo update-initramfs -u
and reboot. Your system should now have new-style network interface names. Adjust any remaining configuration files, and test your system.
See the wiki, upstream documentation, and the udev README.Debian for further information.
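The two commands in the migration steps above can be turned into a plan for every interface on the box. The script below is an added example, not part of the release notes or of udev: preferred_name applies the priority rule quoted above (onboard, then slot, then path, with the MAC-based name only as a fallback; it is a simplified model of the buster default NamePolicy and omits the hwdb “database” step), and config_references performs the same whole-word search as rgrep -w. The udevadm output and the configuration tree it runs against are constructed samples, not real machine output.

```shell
#!/bin/sh
# Build the migration plan from the two commands above without touching the
# live system: pick the name udev would assign from `udevadm test-builtin
# net_id` output, then list config files that still mention the old name.
# Added example, not from the release notes; the udevadm output and config
# tree below are constructed.

# preferred_name NET_ID_OUTPUT
# Simplified model of the buster default NamePolicy: onboard, then slot, then
# path; the MAC-based name only as a fallback (the hwdb "database" step is
# omitted). Prints the chosen name, returns 1 if none is available.
preferred_name() {
    for key in ID_NET_NAME_ONBOARD ID_NET_NAME_SLOT ID_NET_NAME_PATH ID_NET_NAME_MAC; do
        name=$(printf '%s\n' "$1" | sed -n "s/^$key=//p" | head -n 1)
        if [ -n "$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# config_references OLDNAME [DIR]: files under DIR (default /etc) containing
# OLDNAME as a whole word; the same test as `rgrep -w` above.
config_references() {
    grep -rlw -- "$1" "${2:-/etc}" 2>/dev/null
}

# Constructed: a PCI NIC currently called eth0 ...
SAMPLE_PCI='ID_NET_NAMING_SCHEME=v240
ID_NET_NAME_MAC=enx525400a1b2c3
ID_NET_NAME_PATH=enp0s3
ID_NET_NAME_SLOT=ens3'
# ... and a USB adapter, for which only the MAC-based name exists.
SAMPLE_USB='ID_NET_NAMING_SCHEME=v240
ID_NET_NAME_MAC=enx001122334455'

# Constructed config tree standing in for /etc.
etc=$(mktemp -d)
trap 'rm -rf "$etc"' EXIT
mkdir -p "$etc/network" "$etc/nftables"
printf 'auto eth0\niface eth0 inet dhcp\n'  > "$etc/network/interfaces"
printf 'iifname "eth0" accept\n'            > "$etc/nftables/local.nft"
printf 'auto lo\niface lo inet loopback\n'  > "$etc/network/lo"

echo "eth0 -> $(preferred_name "$SAMPLE_PCI")"
echo "files to update:"; config_references eth0 "$etc" | sed 's/^/  /'
echo "eth1 (USB) -> $(preferred_name "$SAMPLE_USB")"
# Live host, per interface:
#   preferred_name "$(udevadm test-builtin net_id /sys/class/net/eth0 2>/dev/null)"
```

Run it once per name printed by echo /sys/class/net/[ew]* and keep the output: after the reboot it is the checklist of files that still need the old name replaced.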
Systems using channel bonding and/or dummy interfaces, for instance to configure a machine as a router, may encounter problems upgrading to buster. New versions of systemd install a file /lib/modprobe.d/systemd.conf (intended to simplify configuration via systemd-networkd) which contains the lines
options bonding max_bonds=0
options dummy numdummies=0
Admins who were depending on different values will need to ensure they are set in the correct way to take precedence. A file in /etc/modprobe.d will override one with the same name under /lib/modprobe.d, but the names are processed in alphabetical order, so /lib/modprobe.d/systemd.conf follows and overrides (for instance) /etc/modprobe.d/dummy.conf. Make sure that any local configuration file has a name that sorts after “systemd.conf”, such as “/etc/modprobe.d/zz-local.conf”.
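The precedence rule above is easy to get wrong, so the following added example (not from the release notes or from kmod) models it so that you can see which value a module parameter will actually receive: a file in /etc/modprobe.d shadows a same-named file in /lib/modprobe.d, the remaining files are read in C-locale sorted order of their basename, and when a parameter is assigned more than once the value read last wins. The model omits /run/modprobe.d, and the directory tree it inspects is constructed in a temporary directory rather than the real paths.

```shell
#!/bin/sh
# Model kmod's precedence for `options` lines so you can see which value a
# module will actually get: a file in /etc/modprobe.d shadows a file of the
# same name in /lib/modprobe.d, the remaining files are read in C-locale sorted
# order of their basename, and for a parameter set more than once the value
# read last wins. Added example, not from the release notes; the directory
# tree below is constructed in a temp dir rather than the real paths.

# effective_option ROOT MODULE PARAM
# ROOT holds etc/modprobe.d and lib/modprobe.d. Prints "FILE PARAM=VALUE" for
# the winning assignment (nothing if PARAM is never set).
effective_option() {
    cfgroot=$1; module=$2; param=$3
    { ls "$cfgroot/lib/modprobe.d" 2>/dev/null; ls "$cfgroot/etc/modprobe.d" 2>/dev/null; } |
    grep '\.conf$' | LC_ALL=C sort -u |
    while read -r name; do
        if [ -f "$cfgroot/etc/modprobe.d/$name" ]; then
            f=$cfgroot/etc/modprobe.d/$name      # /etc shadows /lib
        else
            f=$cfgroot/lib/modprobe.d/$name
        fi
        # emit "FILE PARAM=VALUE" for each "options MODULE ... PARAM=VALUE" line
        sed -n "s/^[[:space:]]*options[[:space:]]\{1,\}$module[[:space:]]\{1,\}\(.*[[:space:]]\)\{0,1\}$param=\([^[:space:]]*\).*/$name $param=\2/p" "$f"
    done | tail -n 1
}

root=$(mktemp -d)
trap 'rm -rf "$root"' EXIT
mkdir -p "$root/etc/modprobe.d" "$root/lib/modprobe.d"
# what the buster systemd package ships
printf 'options bonding max_bonds=0\noptions dummy numdummies=0\n' > "$root/lib/modprobe.d/systemd.conf"
# a local file that sorts BEFORE systemd.conf: silently overridden
printf 'options dummy numdummies=2\n'                 > "$root/etc/modprobe.d/dummy.conf"
# a local file that sorts AFTER systemd.conf: takes effect
printf 'options bonding mode=4 max_bonds=1\n'         > "$root/etc/modprobe.d/zz-local.conf"

effective_option "$root" dummy   numdummies   # systemd.conf numdummies=0
effective_option "$root" bonding max_bonds    # zz-local.conf max_bonds=1
```

Point the function at / (with the real /etc and /lib trees) to confirm that your renamed file wins before rebooting into buster.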
Following various security recommendations, the default minimum TLS version has been changed from TLSv1 to TLSv1.2.
The default security level for TLS connections has also been increased from level 1 to level 2. This moves from the 80 bit security level to the 112 bit security level and will require 2048 bit or larger RSA and DHE keys, 224 bit or larger ECC keys, and SHA-2.
The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications might also have an application specific way to override the defaults.
In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString line. The CipherString can also set the security level. Information about the security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage. The list of valid strings for the minimum protocol version can be found in SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and config(5ssl).
Changing the system wide defaults in /etc/ssl/openssl.cnf back to their previous values can be done by setting:
MinProtocol = None
CipherString = DEFAULT
It's recommended that you contact the remote site if the defaults cause problems.
GNOME in buster has changed its default display server from Xorg to Wayland (see Section 2.2.11, “GNOME defaults to Wayland”). Some applications, including the popular package manager synaptic, the default Simplified Chinese input method, fcitx, and most screen recording applications, have not been updated to work properly under Wayland. In order to use these packages, one needs to log in with a GNOME on Xorg session.
The following list shows known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).
The list of obsolete packages includes:
The package mcelog is no longer supported with kernel versions above 4.12. rasdaemon can be used as its replacement.
The package revelation, which is used to store passwords, is not included in buster. keepass2 can import previously exported password XML files from revelation. Please make sure you export your data from revelation before upgrading, to avoid losing access to your passwords.
ipsec-tools and racoon have been removed from buster as their source has been lagging behind in adapting to new threats. Users are encouraged to migrate to libreswan, which has broader protocol compatibility and is being actively maintained upstream. libreswan should be fully compatible in terms of communication protocols since it implements a superset of racoon's supported protocols.
The simple MTA ssmtp has been dropped for buster. This is due to it currently not validating TLS certs; see bug #662960.
The ecryptfs-utils package is not part of buster due to an unfixed serious bug (#765854). At the time of writing this paragraph, there was no clear advice for users of eCryptfs, except not to upgrade.
With the next release, Debian 11 (codenamed bullseye), some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 11.
This includes the following features:
Python 2 will stop being supported by its upstream on January 1, 2020. Debian hopes to drop python-2.7 for Debian 11. If users have functionality that relies on python, they should prepare to migrate to python3.
Icinga 1.x is EOL upstream since 2018-12-31; while the icinga package is still present, users should use the buster lifetime to migrate to Icinga 2 (icinga2 package) and Icinga Web 2 (icingaweb2 package). The icinga2-classicui package is still present to use the Icinga 1.x CGI web interface with Icinga 2, but the support for it will be removed in Icinga 2.11. Icinga Web 2 should be used instead.
The Mailman mailing list manager suite version 3 is newly available in this release. Mailman has been split up into various components; the core is available in the package mailman3 and the full suite can be obtained via the mailman3-full metapackage.
The legacy Mailman version 2.1 remains available in this release in the package mailman, so you can migrate any existing installations at your own pace. The Mailman 2.1 package will be kept in working order for the foreseeable future, but will not see any major changes or improvements. It will be removed from the first Debian release after Mailman upstream has stopped support for this branch.
Everyone is encouraged to upgrade to Mailman 3, the modern release under active development.
The packages spf-milter-python and dkim-milter-python are no longer actively developed upstream, but their more feature-rich replacements, pyspf-milter and dkimpy-milter, are available in buster. Users should migrate to the new packages before the old ones are removed in bullseye.
When apt full-upgrade has finished, the “formal” upgrade is complete. For the upgrade to buster, there are no special actions needed before performing a reboot.
Note: This section does not apply if you have decided to stick with sysvinit-core.
After the switch to systemd as default init system in Jessie and further refinements in Stretch, various SysV related packages are no longer required and can now be purged safely via
apt purge initscripts sysv-rc insserv startpar
There are some packages for which Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.
Debian 10 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in buster, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk source package is covered by security support.
For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.
The Debian infrastructure currently doesn't properly enable rebuilding packages that statically link parts of other packages on a large scale. Until buster that hasn't been a problem in practice, but with the growth of the Go ecosystem it means that Go based packages won't be covered by regular security support until the infrastructure is improved to deal with them maintainably.
If updates are warranted, they can only come via regular point releases, which may be slow in arriving.
In most cases, packages should upgrade smoothly between stretch and buster. There are a small number of cases where some intervention may be required, either before or during the upgrade; these are detailed below on a per-package basis.
Starting with glibc 2.26, Linux kernel 3.2 or later is required. To avoid completely breaking the system, the preinst for libc6 performs a check. If this fails, it will abort the package installation, which will leave the upgrade unfinished. If the system is running a kernel older than 3.2, please update it before starting the distribution upgrade.
su has changed semantics in buster and no longer preserves the user environment variables DISPLAY and XAUTHORITY. If you need to run graphical applications with su, you will have to explicitly set them to allow access to your display. See bug #905409 for an extensive discussion.
When upgrading from stretch to buster, the glibc locale data is upgraded. Specifically, this changes how PostgreSQL sorts data in text indexes. To avoid corruption, such indexes need to be REINDEXed immediately after upgrading the locales or locales-all packages, before putting the database back into production.
Suggested command:
sudo -u postgres reindexdb --all
Alternatively, upgrade the databases to PostgreSQL 11 using pg_upgradecluster. (This uses pg_dump by default which will rebuild all indexes. Using -m upgrade or pg_upgrade is not safe because it preserves the now-wrong index ordering.)
Refer to the PostgreSQL Wiki for more information.
In stretch, the package mutt had patches applied from the sources at https://neomutt.org. Starting from buster, the package providing /usr/bin/mutt will instead be purely based on the original sources from http://www.mutt.org, and a separate neomutt package is available providing /usr/bin/neomutt.
This means that some of the features that were previously provided by mutt are no longer available. If this breaks your configuration you can install neomutt instead.
Without a pointing device, there is no direct way to change settings in the GNOME Settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow to navigate the sidebar. It is not possible to select search results with the keyboard.
Users of the initial buster release images should not change the LUKS password of encrypted disks with the GNOME graphical interface for disk management. The gnome-disk-utility package in buster had a very nasty bug (#928893) when used to change the LUKS password: it deleted the old password but failed to correctly set the new one, making all data on the disk inaccessible. This has been fixed in the first point release.
Users using evolution as their email client and connecting to a server running Exchange, Office365 or Outlook using the evolution-ews plugin should not upgrade to buster without backing up data and finding an alternative solution beforehand, as evolution-ews has been dropped due to bug #926712 and their email inboxes, calendar, contact lists and tasks will be removed and will no longer be accessible with Evolution.
The evolution-ews package has been reintroduced via buster-backports. Users upgrading from stretch to buster can enable buster-backports after the upgrade and then they will be able to reinstall evolution-ews.
When installing Debian from live media using the Calamares installer (Section 2.2.13, “News from Debian Live team”) and selecting the full disk encryption feature, the disk's unlock key is stored in the initramfs which is world readable. This allows users with local filesystem access to read the private key and gain access to the filesystem again in the future.
This can be worked around by adding UMASK=0077 to /etc/initramfs-tools/conf.d/initramfs-permissions and running update-initramfs -u. This will recreate the initramfs without world-readable permissions.
A fix for the installer is being planned (see bug #931373) and will be uploaded to debian-security. In the meantime users of full disk encryption should apply the above workaround.
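The following script is an added example, not part of the release notes or of initramfs-tools. It finds initramfs images whose “other” permission bits allow reading, then applies the workaround from the text; because update-initramfs -u only rewrites the image it rebuilds, it also tightens the images already on disk with chmod 0600, and the comment suggests update-initramfs -u -k all so that every installed kernel gets a fresh image. It assumes GNU stat (as on Debian), and the /boot directory and conf.d directory it operates on are constructed in a temporary directory; the kernel version strings in the file names are illustrative.

```shell
#!/bin/sh
# Find world-readable initramfs images (which, on a Calamares full-disk
# encryption install, contain the LUKS unlock key) and apply the fix from the
# text. Added example, not from the release notes; the sample /boot directory
# is constructed in a temp dir.

# world_readable FILE: true if the "other" class can read FILE
world_readable() {
    mode=$(stat -c '%a' "$1")        # GNU stat, e.g. 644 or 4755
    others=${mode#"${mode%?}"}       # last octal digit
    [ $(( others & 4 )) -ne 0 ]
}

# audit_initramfs [BOOTDIR]: list world-readable initrd.img-* files under
# BOOTDIR (default /boot); returns 1 if any were found.
audit_initramfs() {
    found=0
    for img in "${1:-/boot}"/initrd.img-*; do
        [ -f "$img" ] || continue
        if world_readable "$img"; then
            echo "world-readable: $img ($(stat -c '%a %U:%G' "$img"))"
            found=1
        fi
    done
    return $found
}

# fix_initramfs_perms [BOOTDIR] [CONFDIR]: the workaround from the text. Writes
# the UMASK setting that initramfs-tools applies when creating the image and
# tightens the images already present, since update-initramfs only rewrites
# the ones it rebuilds.
fix_initramfs_perms() {
    confdir=${2:-/etc/initramfs-tools/conf.d}
    mkdir -p "$confdir"
    echo 'UMASK=0077' > "$confdir/initramfs-permissions"
    chmod 0600 "${1:-/boot}"/initrd.img-*
    # then, on the live system: update-initramfs -u -k all
}

# Constructed sample of a vulnerable /boot (file names are illustrative)
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/boot" "$demo/conf.d"
: > "$demo/boot/initrd.img-4.19.0-5-amd64"; chmod 0644 "$demo/boot/initrd.img-4.19.0-5-amd64"
: > "$demo/boot/initrd.img-4.9.0-9-amd64";  chmod 0600 "$demo/boot/initrd.img-4.9.0-9-amd64"

audit_initramfs "$demo/boot" || echo "fixing"
fix_initramfs_perms "$demo/boot" "$demo/conf.d"
audit_initramfs "$demo/boot" && echo "all initramfs images are now 0600"
```

Run audit_initramfs with no arguments on the real system (as root, so that stat can see every file) before and after the fix; an image that was world-readable in the past should be treated as having exposed the key, and the LUKS passphrase and key slots rotated.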
When using s3ql with Amazon S3 buckets, the configuration needs updating for a change in the URL. The new format is:
s3://<region>/<bucket>/<prefix>
The shipped configurations for /var/log/btmp and /var/log/wtmp have been split from the main configuration file (/etc/logrotate.conf) into separate standalone files (/etc/logrotate.d/btmp and /etc/logrotate.d/wtmp).
If you have modified /etc/logrotate.conf in this regard, make sure to re-adjust the two new files to your needs and drop any references to (b|w)tmp from the main file, since duplicate definitions can cause errors.
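The script below is an added example, not part of the release notes or of logrotate. It finds the btmp and wtmp stanzas that are defined both in logrotate.conf and in the new per-log files, and removes the leftover stanzas from the main file so that the logrotate.d copies become the single definition. The configuration tree it inspects is constructed in a temporary directory: a stretch-style main file that still carries both stanzas plus the buster-style per-log files.

```shell
#!/bin/sh
# Detect btmp/wtmp stanzas that are defined both in /etc/logrotate.conf and in
# the new /etc/logrotate.d/btmp and /etc/logrotate.d/wtmp files, and strip the
# leftovers from the main file. Added example, not from the release notes; the
# configuration tree below is constructed in a temp dir.

# stanza_files ROOT LOGPATH: every file under ROOT (logrotate.conf plus
# logrotate.d/*) that opens a stanza for LOGPATH, i.e. a line of one or more
# paths including LOGPATH followed by "{".
stanza_files() {
    cfgroot=$1; logpath=$2
    for f in "$cfgroot/logrotate.conf" "$cfgroot/logrotate.d"/*; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*([^[:space:]]+[[:space:]]+)*$logpath([[:space:]]+[^[:space:]]+)*[[:space:]]*[{]" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# check_duplicates ROOT: report each of the two logs defined more than once;
# returns 1 if any duplicate exists.
check_duplicates() {
    dup=0
    for log in /var/log/btmp /var/log/wtmp; do
        files=$(stanza_files "$1" "$log")
        if [ "$(printf '%s\n' "$files" | grep -c .)" -gt 1 ]; then
            echo "duplicate stanza for $log in:"
            printf '%s\n' "$files" | sed 's/^/  /'
            dup=1
        fi
    done
    return $dup
}

# drop_main_stanzas ROOT: delete the btmp/wtmp stanzas from logrotate.conf
# (from the "/var/log/[bw]tmp {" line to the closing "}"), leaving the
# logrotate.d copies as the single definition.
drop_main_stanzas() {
    main=$1/logrotate.conf
    sed '/^[[:space:]]*\/var\/log\/[bw]tmp[[:space:]]*{/,/^[[:space:]]*}/d' "$main" > "$main.new" &&
    mv "$main.new" "$main"
}

# Constructed: a stretch-style main file that still carries both stanzas,
# plus the buster-style per-log files.
cfg=$(mktemp -d)
trap 'rm -rf "$cfg"' EXIT
mkdir -p "$cfg/logrotate.d"
cat > "$cfg/logrotate.conf" <<'EOF'
weekly
rotate 4
create
include /etc/logrotate.d
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}
EOF
printf '/var/log/btmp {\n    missingok\n    monthly\n    create 0660 root utmp\n    rotate 1\n}\n' > "$cfg/logrotate.d/btmp"
printf '/var/log/wtmp {\n    missingok\n    monthly\n    create 0664 root utmp\n    rotate 1\n}\n' > "$cfg/logrotate.d/wtmp"

check_duplicates "$cfg" || drop_main_stanzas "$cfg"
check_duplicates "$cfg" && echo "no duplicate btmp/wtmp definitions remain"
```

On the real system, run check_duplicates /etc before editing, and afterwards confirm the result with logrotate -d /etc/logrotate.conf, which parses the whole configuration in debug mode without rotating anything.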
[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk.