.. _ch-information:

Issues to be aware of for |RELEASENAME|
==========================================================================

Sometimes, changes introduced in a new release have side-effects we cannot
reasonably avoid, or they expose bugs somewhere else. This section documents
issues we are aware of. Please also read the errata, the relevant packages'
documentation, bug reports, and other information mentioned in
:ref:`morereading`.

.. _upgrade-specific-issues:

Upgrade-specific items for |RELEASENAME|
----------------------------------------------------------------------------

This section covers items related to the upgrade from |OLDRELEASENAME| to
|RELEASENAME|.

.. _i386_reduced_support:

Reduced support for i386
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From trixie, i386 is no longer supported as a regular architecture: there is
no official kernel and no Debian installer for i386 systems. Fewer packages
are available for i386 because many projects no longer support it. The
architecture's sole remaining purpose is to support running legacy code, for
example, by way of `multiarch `__ or a chroot.

Users running i386 systems should not upgrade to trixie. Instead, Debian
recommends either reinstalling them as amd64, where possible, or retiring the
hardware. `Cross-grading `__ without a reinstall is a technically possible,
but risky, alternative.

.. _openssh-pam-environment-removed:

openssh-server no longer reads ~/.pam_environment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Secure Shell (SSH) daemon provided in the **openssh-server** package,
which allows logins from remote systems, no longer reads the user's
``~/.pam_environment`` file by default; this feature has a
`history of security problems `__ and has been deprecated in current
versions of the Pluggable Authentication Modules (PAM) library.

If you used this feature, you should switch from setting variables in
``~/.pam_environment`` to setting them in your shell initialization files
(e.g. ``~/.bash_profile`` or ``~/.bashrc``) or some other similar mechanism
instead. Existing SSH connections will not be affected, but new connections
may behave differently after the upgrade. If you are upgrading remotely, it
is normally a good idea to ensure that you have some other way to log into
the system before starting the upgrade; see :ref:`recovery`.

.. _openssh-dsa-removal:

OpenSSH no longer supports DSA keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell
(SSH) protocol, are inherently weak: they are limited to 160-bit private keys
and the SHA-1 digest. The SSH implementation provided by the
**openssh-client** and **openssh-server** packages has disabled support for
DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9
("stretch"), although it could still be enabled using the
``HostKeyAlgorithms`` and ``PubkeyAcceptedAlgorithms`` configuration options
for host and user keys respectively.

The only remaining uses of DSA at this point should be connecting to some
very old devices. For all other purposes, the other key types supported by
OpenSSH (RSA, ECDSA, and Ed25519) are superior.

As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the
above configuration options. If you have a device that you can only connect
to using DSA, then you can use the ``ssh1`` command provided by the
**openssh-client-ssh1** package to do so.

In the unlikely event that you are still using DSA keys to connect to a
Debian server (if you are unsure, you can check by adding the ``-v`` option
to the ``ssh`` command line you use to connect to that server and looking for
the "Server accepts key:" line), then you must generate replacement keys
before upgrading.
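The ``ssh -v`` check just described can be scripted when many hosts have to be audited before the upgrade. The following is an added example, not part of the release notes or of OpenSSH itself: a POSIX shell function that reads ``ssh -v`` output and reports which key type the server accepted. The sample debug lines are constructed for this example; the assumed line format (``Server accepts key: <path> <TYPE> <fingerprint>``) is the one recent OpenSSH clients print, and the older ``pkalg ssh-dss`` form is recognised as well.

```sh
#!/bin/sh
# Added example: detect whether a server is still accepting a DSA client key,
# based on the "Server accepts key:" debug line of "ssh -v".

# Print the key type named on the "Server accepts key:" line read from stdin
# (DSA, RSA, ECDSA, ED25519 on recent clients; ssh-dss etc. on older ones),
# or "none" if no public key was accepted.
accepted_key_type() {
    awk '
        /Server accepts key:/ {
            for (i = 1; i <= NF; i++) {
                # The word after "key:" is the key path (or "pkalg" on old
                # clients); the word after that is the key type.
                if ($i == "key:") { print $(i + 2); found = 1; exit }
            }
        }
        END { if (!found) print "none" }
    '
}

# Exit 0 when the accepted key is a DSA key, which the OpenSSH in trixie no
# longer supports; exit 1 otherwise.
uses_dsa_key() {
    case "$(accepted_key_type)" in
        DSA|ssh-dss) return 0 ;;
        *) return 1 ;;
    esac
}

# Real check against a host (needs network access); "$1" is user@host.
# Usage: check_server username@server
check_server() {
    ssh -v "$1" true 2>&1 | accepted_key_type
}

# Constructed samples of "ssh -v" output for demonstration; not real output.
SAMPLE_DSA='debug1: Offering public key: /home/alice/.ssh/id_dsa DSA SHA256:AAAA explicit
debug1: Server accepts key: /home/alice/.ssh/id_dsa DSA SHA256:AAAA explicit
debug1: Authentication succeeded (publickey).'
SAMPLE_ED25519='debug1: Server accepts key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:BBBB
debug1: Authentication succeeded (publickey).'

printf '%s\n' "$SAMPLE_DSA" | accepted_key_type     # DSA
printf '%s\n' "$SAMPLE_DSA" | uses_dsa_key && echo "DSA still in use: generate a replacement key"
printf '%s\n' "$SAMPLE_ED25519" | uses_dsa_key || echo "Ed25519 key: nothing to do"
```

Only the line for the key the server actually accepted is inspected, so keys that were merely offered and rejected do not trigger a false positive.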
For example, to generate a new Ed25519 key and enable logins to a server
using it, run this on the client, replacing ``username@server`` with the
appropriate user and host names:

.. code-block:: console

   $ ssh-keygen -t ed25519
   $ ssh-copy-id username@server

.. _last_lastb_and_lastlog_are_replaced:

The last, lastb and lastlog commands have been replaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The **util-linux** package no longer provides the ``last`` or ``lastb``
commands, and the **login** package no longer provides ``lastlog``. These
commands provided information about previous login attempts using
``/var/log/wtmp``, ``/var/log/btmp``, ``/var/run/utmp`` and
``/var/log/lastlog``, but these files will not be usable after 2038 because
they do not allocate enough space to store the login time (the
`Year 2038 Problem `__), and the upstream developers do not want to change
the file formats.

Most users will not need to replace these commands with anything, but the
**util-linux** package provides a ``lslogins`` command which can tell you when
accounts were last used. There are two direct replacements available:
``last`` can be replaced by ``wtmpdb`` from the **wtmpdb** package (the
**libpam-wtmpdb** package also needs to be installed) and ``lastlog`` can be
replaced by ``lastlog2`` from the **lastlog2** package (**libpam-lastlog2**
also needs to be installed). If you want to use these, you will need to
install the new packages after the upgrade; see the
`util-linux NEWS.Debian `__ for further information. The command
``lslogins --failed`` provides similar information to ``lastb``.

If you do not install **wtmpdb** then we recommend you remove the old log
files ``/var/log/wtmp*``. If you do install **wtmpdb** it will upgrade
``/var/log/wtmp`` and you can read older wtmp files with
``wtmpdb import -f``. There is no tool to read ``/var/log/lastlog*`` or
``/var/log/btmp*`` files: they can be deleted after the upgrade.

.. _rabbitmq-no-ha-queues:

RabbitMQ no longer supports HA queues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

High-availability (HA) queues are no longer supported by **rabbitmq-server**
starting in trixie. To continue with an HA setup, these queues need to be
switched to "quorum queues". If you have an OpenStack deployment, please
switch the queues to quorum before upgrading. Please also note that
beginning with OpenStack's "Caracal" release in trixie, OpenStack supports
only quorum queues.

.. _rabbitmq-no-direct-upgrade:

RabbitMQ cannot be directly upgraded from bookworm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There is no direct, easy upgrade path for RabbitMQ from bookworm to trixie.
Details about this issue can be found in `bug 1100165 `__. The recommended
upgrade path is to completely wipe the rabbitmq database and restart the
service (after the trixie upgrade). This may be done by deleting
``/var/lib/rabbitmq/mnesia`` and all of its contents.

.. _mariadb-needs-clean-shutdown:

MariaDB major version upgrades only work reliably after a clean shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MariaDB does not support error recovery across major versions. For example,
if a MariaDB 10.11 server experienced an abrupt shutdown due to power loss or
a software defect, the database needs to be restarted with the same MariaDB
10.11 binaries so it can do successful error recovery and reconcile the data
files and log files to roll forward or revert transactions that were
interrupted. If you attempt to do crash recovery with MariaDB 11.8 using the
data directory from a crashed MariaDB 10.11 instance, the newer MariaDB
server will refuse to start.

To ensure a MariaDB server is shut down cleanly before going into a major
version upgrade, stop the service with

.. code-block:: console

   # service mariadb stop

followed by checking the server logs for ``Shutdown complete`` to confirm
that flushing all data and buffers to disk completed successfully.
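The stop-and-verify procedure, including the restart-and-retry step for an unclean stop, can be wrapped in a small script. The following is an added example and not part of the release notes or of the MariaDB packaging. It assumes the error log path (``MARIADB_LOG``, overridable; on Debian the server may also log to the journal instead), uses the ``service mariadb stop`` command from this section, and the log excerpts below are constructed for illustration.

```sh
#!/bin/sh
# Added example: stop MariaDB and confirm from its error log that the
# shutdown was clean before a major version upgrade; if it was not, start it
# again so the *current* binaries run crash recovery, then stop once more.

# Assumed log location; adjust if log_error points elsewhere.
MARIADB_LOG="${MARIADB_LOG:-/var/log/mysql/error.log}"

# Read an error log on stdin. Exit 0 if the most recent server-state message
# is "Shutdown complete", i.e. all data and buffers were flushed before exit.
# A later "ready for connections" or crash-recovery line means the server is
# running again or never stopped cleanly.
last_shutdown_clean() {
    grep -E 'Shutdown complete|ready for connections|Starting crash recovery' \
        | tail -n 1 | grep -q 'Shutdown complete'
}

# Stop the service and check the log; on an unclean result, restart to let
# crash recovery run with the same binaries, wait, and try once more.
ensure_clean_shutdown() {
    attempt=1
    while [ "$attempt" -le 2 ]; do
        service mariadb stop
        if last_shutdown_clean < "$MARIADB_LOG"; then
            echo "MariaDB shut down cleanly; safe to proceed with the upgrade"
            return 0
        fi
        echo "shutdown not clean; restarting so crash recovery can run (attempt $attempt)"
        service mariadb start
        sleep 30   # recovery of a large data set can take longer; adjust as needed
        attempt=$((attempt + 1))
    done
    echo "MariaDB did not shut down cleanly after two attempts; do not upgrade yet" >&2
    return 1
}

# Constructed log excerpts for demonstration (not real MariaDB output).
CLEAN_LOG='2025-06-01 10:00:00 0 [Note] /usr/sbin/mariadbd: ready for connections.
2025-06-01 11:00:00 0 [Note] /usr/sbin/mariadbd (initiated by: unknown): Normal shutdown
2025-06-01 11:00:02 0 [Note] /usr/sbin/mariadbd: Shutdown complete'
CRASHED_LOG='2025-06-01 10:00:00 0 [Note] /usr/sbin/mariadbd: ready for connections.
2025-06-01 11:00:00 0 [Note] InnoDB: Starting crash recovery from checkpoint LSN=123456
2025-06-01 11:00:05 0 [Note] /usr/sbin/mariadbd: ready for connections.'

printf '%s\n' "$CLEAN_LOG"   | last_shutdown_clean && echo "clean log: safe to upgrade"
printf '%s\n' "$CRASHED_LOG" | last_shutdown_clean || echo "crashed log: run recovery with the old binaries first"
```

The check deliberately looks at the *last* state message rather than just grepping for ``Shutdown complete`` anywhere, since an old clean shutdown followed by a later crash would otherwise pass.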
If it didn't shut down cleanly, restart it to trigger crash recovery, wait,
stop it again and verify that the second stop was clean.

For additional information about how to make backups and other relevant
information for system administrators, please see
`/usr/share/doc/mariadb-server/README.Debian.gz `__.

.. _iputils-sockets:

Ping no longer runs with elevated privileges
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The default version of ping (provided by **iputils-ping**) is no longer
installed with access to the ``CAP_NET_RAW`` Linux capability, but instead
uses ``ICMP_PROTO`` datagram sockets for network communication. Access to
these sockets is controlled based on the user's Unix group membership using
the ``net.ipv4.ping_group_range`` sysctl. In normal installations, the
**linux-sysctl-defaults** package will set this to a broadly permissive
value, allowing unprivileged users to use ping as expected, but some upgrade
scenarios may not automatically install this package. See
``/usr/lib/sysctl.d/50-default.conf`` and `the kernel documentation `__ for
more information on the semantics of this variable.

.. _libvirt-packaging-changes:

Significant changes to libvirt packaging
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The **libvirt-daemon** package, which provides an API and toolkit for
managing virtualization platforms, has been overhauled in trixie. Each driver
and storage backend now comes in a separate binary package, which enables
much greater flexibility. Care is taken during upgrades from bookworm to
retain the existing set of components, but in some cases functionality might
end up being temporarily lost. We recommend that you carefully review the
list of installed binary packages after upgrading to ensure that all the
expected ones are present; this is also a great time to consider uninstalling
unwanted components. In addition, some conffiles might end up marked as
"obsolete" after the upgrade.
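Both review steps (listing the installed libvirt packages and finding conffiles dpkg now flags as obsolete) can be done with ``dpkg-query``. The following is an added example, not part of the release notes or the libvirt packaging. It assumes the ``${Conffiles}`` field format of ``dpkg-query`` (one ``<path> <md5sum>[ obsolete]`` line per conffile); the sample input is constructed.

```sh
#!/bin/sh
# Added example: post-upgrade review of libvirt packages and their conffiles.

# Read "Package: <name>" headers followed by conffile lines on stdin and
# print "<package> <path>" for every conffile dpkg has marked obsolete.
obsolete_conffiles() {
    awk '
        /^Package: / { pkg = $2; next }
        # conffile lines: " /etc/path md5sum [obsolete]"
        NF >= 3 && $NF == "obsolete" { print pkg, $1 }
    '
}

# Query dpkg for every installed libvirt* package and its conffiles.
# ${Package} and ${Conffiles} are standard dpkg-query format fields.
libvirt_obsolete_conffiles() {
    dpkg-query -W -f='Package: ${Package}\n${Conffiles}\n' 'libvirt*' 2>/dev/null \
        | obsolete_conffiles
}

# List installed libvirt* packages with their dpkg status abbreviation, to be
# compared against the set of drivers and storage backends you expect.
libvirt_packages() {
    dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' 'libvirt*' 2>/dev/null
}

# Constructed sample in the dpkg-query format above (hashes are dummies).
SAMPLE='Package: libvirt-daemon
 /etc/libvirt/libvirtd.conf 0123456789abcdef0123456789abcdef obsolete
 /etc/libvirt/qemu.conf fedcba9876543210fedcba9876543210
Package: libvirt-daemon-driver-qemu
 /etc/libvirt/qemu.conf fedcba9876543210fedcba9876543210
Package: libvirt-clients
 /etc/libvirt/libvirt.conf 00000000000000000000000000000000 obsolete'

printf '%s\n' "$SAMPLE" | obsolete_conffiles
# libvirt-daemon /etc/libvirt/libvirtd.conf
# libvirt-clients /etc/libvirt/libvirt.conf
```

Run ``libvirt_packages`` and ``libvirt_obsolete_conffiles`` on the upgraded host; what to do with each obsolete conffile is described in the NEWS file mentioned below.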
The ``/usr/share/doc/libvirt-common/NEWS.Debian.gz`` file contains additional
information on how to verify whether your system is affected by this issue
and how to address it.

.. _before-first-reboot:

Things to do post upgrade before rebooting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When ``apt full-upgrade`` has finished, the "formal" upgrade is complete. For
the upgrade to |RELEASENAME|, there are no special actions needed before
performing a reboot.

.. only:: fixme

   When ``apt full-upgrade`` has finished, the "formal" upgrade is complete,
   but there are some other things that should be taken care of *before* the
   next reboot.

   ::

      add list of items here

.. _not-upgrade-only:

Items not limited to the upgrade process
--------------------------------------------------------------------------------

.. _limited-security-support:

Limitations in security support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are some packages where Debian cannot promise to provide minimal
backports for security issues. These are covered in the following
subsections.

.. note::

   The package **debian-security-support** helps to track the security
   support status of installed packages.

.. _browser-security:

Security status of web browsers and their rendering engines
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Debian |RELEASE| includes several browser engines which are affected by a
steady stream of security vulnerabilities. The high rate of vulnerabilities
and partial lack of upstream support in the form of long term branches make
it very difficult to support these browsers and engines with backported
security fixes. Additionally, library interdependencies make it extremely
difficult to update to newer upstream releases. Applications using the
**webkit2gtk** source package (e.g. **epiphany**) are covered by security
support, but applications using qtwebkit (source package
**qtwebkit-opensource-src**) are not.

For general web browser use we recommend Firefox or Chromium. They will be
kept up-to-date by rebuilding the current ESR releases for stable. The same
strategy will be applied for Thunderbird.

Once a release becomes ``oldstable``, officially supported browsers may not
continue to receive updates for the standard period of coverage. For example,
Chromium will only receive 6 months of security support in ``oldstable``
rather than the typical 12 months.

.. _golang-static-linking:

Go- and Rust-based packages
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The Debian infrastructure currently has problems with rebuilding packages of
types that systematically use static linking. With the growth of the Go and
Rust ecosystems, this means that these packages will be covered by limited
security support until the infrastructure is improved to deal with them
maintainably. In most cases, if updates are warranted for Go or Rust
development libraries, they will only be released via regular point releases.

.. _obsolescense-and-deprecation:

Obsolescence and deprecation
--------------------------------------------------------

.. _noteworthy-obsolete-packages:

Noteworthy obsolete packages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a list of known and noteworthy obsolete packages (see
:ref:`obsolete` for a description).

The list of obsolete packages includes:

- The **libnss-gw-name** package has been removed from |RELEASENAME|. The
  upstream developer suggests using **libnss-myhostname** instead.

- The **pcregrep** package has been removed from |RELEASENAME|. It can be
  replaced with ``grep -P`` (``--perl-regexp``) or ``pcre2grep`` (from
  **pcre2-utils**).

.. _deprecated-components:

Deprecated components for |RELEASENAME|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With the next release of Debian |NEXTRELEASE| (codenamed |NEXTRELEASENAME|)
some features will be deprecated. Users will need to migrate to other
alternatives to prevent trouble when updating to Debian |NEXTRELEASE|. This
includes the following features:

- The **sudo-ldap** package will be removed in forky. The Debian sudo team
  has decided to discontinue it due to maintenance difficulties and limited
  use. New and existing systems should use **libsss-sudo** instead. Upgrading
  Debian trixie to forky without completing this migration may result in the
  loss of intended privilege escalation. For further details, please refer to
  `bug 1033728 `__ and to the NEWS file in the **sudo** package.

- The **sudo_logsrvd** feature, used for sudo input/output logging, may be
  removed in Debian forky unless a maintainer steps forward. This component
  is of limited use within the Debian context, and maintaining it adds
  unnecessary complexity to the basic sudo package. For ongoing discussions,
  see `bug 1101451 `__ and the NEWS file in the **sudo** package.

- The **libnss-docker** package is no longer developed upstream and requires
  version 1.21 of the Docker API. That deprecated API version is still
  supported by Docker Engine v26 (shipped by Debian trixie) but will be
  removed in Docker Engine v27+ (shipped by Debian forky). Unless upstream
  development resumes, the package will be removed in Debian forky.

- The **openssh-client** and **openssh-server** packages currently support
  `GSS-API `__ authentication and key exchange, which is usually used to
  authenticate to `Kerberos `__ services. This has caused some problems,
  especially on the server side where it adds new pre-authentication attack
  surface, and Debian's main OpenSSH packages will therefore stop supporting
  it starting with |NEXTRELEASENAME|.

  If you are using GSS-API authentication or key exchange (look for options
  starting with ``GSSAPI`` in your OpenSSH configuration files) then you
  should install the **openssh-client-gssapi** (on clients) or
  **openssh-server-gssapi** (on servers) package now. On |RELEASENAME|, these
  are empty packages depending on **openssh-client** and **openssh-server**
  respectively; on |NEXTRELEASENAME|, they will be built separately.

- sbuild-debian-developer-setup has been deprecated in favor of
  sbuild+unshare

  **sbuild**, the tool to build Debian packages in a minimal environment, has
  had a major upgrade and should work out of the box now. As a result, the
  package **sbuild-debian-developer-setup** is no longer needed and has been
  deprecated. You can try the new version with:

  .. code-block:: console

     $ sbuild --chroot-mode=unshare --dist=unstable hello

- The **fcitx** packages have been deprecated in favor of **fcitx5**

  The **fcitx** input method framework, also known as **fcitx4** or
  **fcitx 4.x**, is no longer maintained upstream. As a result, all related
  input method packages are now deprecated. The package **fcitx** and
  packages with names beginning with **fcitx-** will be removed in Debian
  |NEXTRELEASENAME|. Existing **fcitx** users are encouraged to switch to
  **fcitx5** following the `fcitx upstream migration guide `__ and
  `Debian Wiki page `__.

.. only:: fixme

   No-longer-supported hardware
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   For a number of \`arch\`-based devices that were supported in
   |OLDRELEASENAME|, it is no longer viable for Debian to build the required
   ``Linux`` kernel, due to hardware limitations. The unsupported devices
   are:

   - foo

   Users of these platforms who wish to upgrade to |RELEASENAME| nevertheless
   should keep the |OLDRELEASENAME| APT sources enabled. Before upgrading
   they should add an APT preferences file containing:

   .. parsed-literal::

      Package: linux-image-marvell
      Pin: release n= |OLDRELEASENAME|
      Pin-Priority: 900

   The security support for this configuration will only last until
   |OLDRELEASENAME|'s End Of Life.

.. _rc-bugs:

Known severe bugs
---------------------------------------------------

Although Debian releases when it's ready, that unfortunately doesn't mean
there are no known bugs. As part of the release process all the bugs of
severity serious or higher are actively tracked by the Release Team, so an
`overview of those bugs `__ that were tagged to be ignored in the last part
of releasing |RELEASENAME| can be found in the
`Debian Bug Tracking System `__.

The following bugs were affecting |RELEASENAME| at the time of the release
and are worth mentioning in this document:

+------------+---------------------------+--------------------------------------+
| Bug number | Package (source or        | Description                          |
|            | binary)                   |                                      |
+============+===========================+======================================+
| `1032240`_ | **akonadi-backend-mysql** | akonadi server fails to start since  |
|            |                           | it cannot connect to mysql database  |
+------------+---------------------------+--------------------------------------+
| `1032177`_ | **faketime**              | faketime doesn't fake time (on i386) |
+------------+---------------------------+--------------------------------------+
| `918984`_  | **src:fuse3**             | provide upgrade path fuse -> fuse3   |
|            |                           | for bookworm                         |
+------------+---------------------------+--------------------------------------+
| `1016903`_ | **g++-12**                | tree-vectorize: Wrong code at O2     |
|            |                           | level (-fno-tree-vectorize is        |
|            |                           | working)                             |
+------------+---------------------------+--------------------------------------+
| `1034752`_ | **src:gluegen2**          | embeds non-free headers              |
+------------+---------------------------+--------------------------------------+

.. _1032240: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032240
.. _1032177: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032177
.. _918984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918984
.. _1016903: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016903
.. _1034752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034752