.. _ch-information:

Issues to be aware of for |RELEASENAME|
==========================================================================

Sometimes, changes introduced in a new release have side-effects we
cannot reasonably avoid, or they expose bugs somewhere else. This
section documents issues we are aware of. Please also read the errata,
the relevant packages' documentation, bug reports, and other information
mentioned in :ref:`morereading`.

.. _upgrade-specific-issues:

Upgrade specific items for |RELEASENAME|
----------------------------------------------------------------------------

This section covers items related to the upgrade from |OLDRELEASENAME| to
|RELEASENAME|.

.. _openssh-pam-environment-removed:

openssh-server no longer reads ~/.pam_environment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Secure Shell (SSH) daemon provided in the **openssh-server** package,
which allows logins from remote systems, no longer reads the user's
``~/.pam_environment`` file by default; this feature has a `history of
security problems <https://bugs.debian.org/1030119>`__ and has been
deprecated in current versions of the Pluggable Authentication Modules (PAM)
library.  If you used this feature, you should switch from setting variables
in ``~/.pam_environment`` to setting them in your shell initialization files
(e.g. ``~/.bash_profile`` or ``~/.bashrc``) or some other similar mechanism
instead.

Existing SSH connections will not be affected, but new connections may
behave differently after the upgrade.  If you are upgrading remotely, it is
normally a good idea to ensure that you have some other way to log into the
system before starting the upgrade; see :ref:`recovery`.
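
The migration described above is mechanical enough to script. The following is an added example (not part of the release notes, and not code from the OpenSSH or Linux-PAM projects): it reads a ``~/.pam_environment`` file and emits ``export`` lines that can be appended to ``~/.profile`` or ``~/.bash_profile``. It handles the two line forms pam_env accepts, ``VAR=value`` and ``VAR DEFAULT=value OVERRIDE=value``, applies the pam_env rule that a non-empty ``OVERRIDE`` wins, and rewrites the PAM items ``@{HOME}`` and ``@{SHELL}`` to their shell equivalents. The sample file at the end is constructed for the example; values containing literal double quotes are not handled (a limitation of this example, not of PAM).

```shell
#!/bin/sh
# Added example: translate a ~/.pam_environment file into shell "export" lines.
# Not from the release notes or from the OpenSSH/Linux-PAM projects.
# Assumptions: lines are either VAR=value or VAR DEFAULT=value OVERRIDE=value
# (pam_env semantics: a non-empty OVERRIDE replaces DEFAULT); values with
# embedded double quotes are not supported.

# pam_field KEY LINE: print the value of KEY="..." or KEY=bare in LINE, or nothing.
pam_field() {
    printf '%s\n' "$2" | sed -n \
        -e "s/.*$1=\"\([^\"]*\)\".*/\1/p" -e t \
        -e "s/.*$1=\([^[:space:]]*\).*/\1/p"
}

# pam_env_to_shell FILE: emit one 'export NAME="value"' line per variable in FILE.
pam_env_to_shell() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        case $line in ''|\#*) continue ;; esac     # skip blank and comment lines
        name=${line%%[[:space:]]*}
        case $name in
            *=*)                                   # simple VAR=value form
                value=${line#*=}
                value=${value#\"}; value=${value%\"}
                name=${name%%=*}
                ;;
            *)                                     # VAR DEFAULT=... OVERRIDE=... form
                value=$(pam_field DEFAULT "$line")
                override=$(pam_field OVERRIDE "$line")
                if [ -n "$override" ]; then value=$override; fi
                ;;
        esac
        # PAM items @{HOME} / @{SHELL} become ${HOME} / ${SHELL}; ${VAR} references
        # are left for the shell to expand, which is why the value is double-quoted.
        value=$(printf '%s' "$value" | sed 's/@{/${/g')
        printf 'export %s="%s"\n' "$name" "$value"
    done < "$1"
}

# Constructed sample standing in for a user's ~/.pam_environment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# locale and paths set via PAM (constructed sample)
LANGUAGE=en_GB:en
PATH DEFAULT=${PATH}:@{HOME}/bin
GOPATH DEFAULT=@{HOME}/go OVERRIDE="/srv/go"
EDITOR DEFAULT="vim -u NONE"
EOF

pam_env_to_shell "$sample"
rm -f "$sample"
```

Run it as ``pam_env_to_shell ~/.pam_environment >> ~/.profile`` for each affected account, then review the appended lines before relying on them. To find accounts that still use the file at all, ``ls /home/*/.pam_environment /root/.pam_environment`` before the upgrade is usually enough.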


.. _openssh-dsa-removal:

OpenSSH no longer supports DSA keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell
(SSH) protocol, are inherently weak: they are limited to 160-bit private
keys and the SHA-1 digest.  The SSH implementation provided by the
**openssh-client** and **openssh-server** packages has disabled support for
DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9
("stretch"), although it could still be enabled using the
``HostKeyAlgorithms`` and ``PubkeyAcceptedAlgorithms`` configuration options
for host and user keys respectively.

The only remaining uses of DSA at this point should be connecting to some
very old devices.  For all other purposes, the other key types supported by
OpenSSH (RSA, ECDSA, and Ed25519) are superior.

As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with
the above configuration options.  If you have a device that you can only
connect to using DSA, then you can use the ``ssh1`` command provided by the
**openssh-client-ssh1** package to do so.

In the unlikely event that you are still using DSA keys to connect to a
Debian server (if you are unsure, you can check by adding the ``-v`` option
to the ``ssh`` command line you use to connect to that server and looking
for the "Server accepts key:" line), then you must generate replacement keys
before upgrading.  For example, to generate a new Ed25519 key and enable
logins to a server using it, run this on the client, replacing
``username@server`` with the appropriate user and host names:

.. code-block:: console

   $ ssh-keygen -t ed25519
   $ ssh-copy-id username@server
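
The client-side ``ssh -v`` check above only covers the keys you personally use. On a server, the question is whether any account is reachable only through a DSA key, and whether a DSA host key is still configured. The following is an added example (not part of the release notes, and not code from OpenSSH) that audits ``authorized_keys`` files for ``ssh-dss`` entries. It does not just grep for the word: it requires the ``ssh-dss`` type token to be followed by a blob beginning with ``AAAAB3NzaC1kc3M``, which is the base64 encoding of the length-prefixed string ``ssh-dss`` that starts every DSA public-key blob, so the string inside a ``command="..."`` option or a key comment is not miscounted. The sample file is constructed; its key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example: find DSA (ssh-dss) keys that the new OpenSSH will refuse.
# Not from the release notes or from OpenSSH.

# find_dsa_keys FILE...: print FILE:LINE (plus the key comment) for every
# authorized_keys entry whose key type is ssh-dss.  The blob test makes the
# match robust against "ssh-dss" appearing inside options or comments.
find_dsa_keys() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
        for (i = 1; i < NF; i++) {
            if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                comment = ""
                for (j = i + 2; j <= NF; j++) comment = comment " " $j
                printf "%s:%d: DSA key%s\n", FILENAME, FNR, comment
                break
            }
        }
    }' "$@"
}

# audit_dsa: run as root on the server before upgrading.  Assumes the default
# AuthorizedKeysFile locations (~/.ssh/authorized_keys and authorized_keys2)
# and the default host key path; adjust if sshd_config changes either.
audit_dsa() {
    if [ -e /etc/ssh/ssh_host_dsa_key ]; then
        echo "/etc/ssh/ssh_host_dsa_key: DSA host key present"
    fi
    find /root /home -maxdepth 3 -path '*/.ssh/authorized_keys*' -type f 2>/dev/null |
        while IFS= read -r f; do find_dsa_keys "$f"; done
}

# Constructed sample authorized_keys; the blobs are placeholders, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop (replaced old ssh-dss key)
command="/usr/bin/rrsync /srv/backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@legacy-nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER bob@desktop
EOF

find_dsa_keys "$sample"      # reports only line 3, the backup@legacy-nas entry
rm -f "$sample"
```

Any account reported by ``audit_dsa`` needs a replacement key installed (as in the ``ssh-keygen``/``ssh-copy-id`` steps above) before the upgrade; the DSA line can then be removed from ``authorized_keys``. A reported DSA host key can simply be deleted, since clients have not accepted it by default for years.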


.. _before-first-reboot:

Things to do post upgrade before rebooting
--------------------------------------------------------------------------------

When ``apt full-upgrade`` has finished, the "formal" upgrade is
complete. For the upgrade to |RELEASENAME|, there are no special actions
needed before performing a reboot.

.. only:: fixme

	When ``apt full-upgrade`` has finished, the "formal" upgrade is
	complete, but there are some other things that should be taken care of
	*before* the next reboot.

	::

	   add list of items here

.. _not-upgrade-only:

Items not limited to the upgrade process
------------------------------------------------------------------------------------------

.. _limited-security-support:

Limitations in security support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are some packages where Debian cannot promise to provide minimal
backports for security issues. These are covered in the following
subsections.

.. note::

   The package **debian-security-support** helps to track the security
   support status of installed packages; its ``check-support-status``
   command lists installed packages whose security support is limited
   or has ended.

.. _browser-security:

Security status of web browsers and their rendering engines
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Debian |RELEASE| includes several browser engines which are affected by a
steady stream of security vulnerabilities. The high rate of
vulnerabilities and partial lack of upstream support in the form of long
term branches make it very difficult to support these browsers and
engines with backported security fixes. Additionally, library
interdependencies make it extremely difficult to update to newer
upstream releases. Applications using the **webkit2gtk** source package
(e.g. **epiphany**) are covered by security support, but applications using
qtwebkit (source package **qtwebkit-opensource-src**) are not.

For general web browser use we recommend Firefox or Chromium. They will
be kept up-to-date by rebuilding the current ESR releases for stable.
The same strategy will be applied for Thunderbird.

Once a release becomes ``oldstable``, officially supported browsers may
not continue to receive updates for the standard period of coverage. For
example, Chromium will only receive 6 months of security support in
``oldstable`` rather than the typical 12 months.

.. _golang-static-linking:

Go- and Rust-based packages
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The Debian infrastructure currently has problems with rebuilding
packages of types that systematically use static linking: a fix in a
Go or Rust library is only effective once every package that embeds a
copy of it has been rebuilt. With the growth of the Go and Rust
ecosystems this means that these packages will be covered by limited
security support until the infrastructure is improved to deal with
them maintainably.

In most cases, if updates are warranted for Go or Rust development
libraries, they will only be released via regular point releases.
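
Because the embedded copies are recorded in the package metadata (the ``Built-Using`` field, or ``Static-Built-Using`` in newer packages), you can find out which installed binaries carry a given Go or Rust library once a fix for it is announced. The following is an added example (not part of the release notes or of dpkg): it parses a dpkg status file and lists installed packages whose ``Built-Using``/``Static-Built-Using`` field names a source package matching a pattern, by default any ``golang-`` or ``rust-`` source. The status excerpt at the end is constructed for the example; the package names and versions in it are placeholders.

```shell
#!/bin/sh
# Added example: list installed packages that statically embed Go or Rust
# sources, using the Built-Using / Static-Built-Using fields dpkg records.
# Not from the release notes or from dpkg.  Assumes each field is written on
# one line, as dpkg does.

# list_static_deps STATUSFILE [PATTERN]: for every installed package whose
# Built-Using or Static-Built-Using field names a source matching PATTERN
# (awk extended regex; default: Go and Rust sources), print
# "package: src (= version), ...".
list_static_deps() {
    awk -v pat="${2:-^(golang-|rust-|librust-)}" '
    BEGIN { RS = ""; FS = "\n" }            # one dpkg stanza per record
    {
        pkg = ""; installed = 0; uses = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Package: /) pkg = substr($i, 10)
            else if ($i ~ /^Status: .* installed$/) installed = 1
            else if ($i ~ /^(Static-)?Built-Using: /) {
                sub(/^[^:]*: /, "", $i)
                uses = uses (uses == "" ? "" : ", ") $i
            }
        }
        if (!installed || uses == "") next
        n = split(uses, parts, /, */)
        hits = ""
        for (j = 1; j <= n; j++)
            if (parts[j] ~ pat) hits = hits (hits == "" ? "" : ", ") parts[j]
        if (hits != "") printf "%s: %s\n", pkg, hits
    }' "$1"
}

# Constructed status-file excerpt; names and versions are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Package: example-go-tool
Status: install ok installed
Version: 1.0-1
Built-Using: golang-1.21 (= 1.21.5-1), golang-golang-x-crypto-dev (= 1:0.17.0-1)

Package: libfoo1
Status: install ok installed
Version: 2.0-1
Built-Using: foo (= 2.0-1)

Package: example-rust-tool
Status: install ok installed
Version: 0.3-2
Static-Built-Using: rust-ring (= 0.17.5-1), rust-rustls (= 0.21.9-1)

Package: removed-go-tool
Status: deinstall ok config-files
Version: 0.9-1
Built-Using: golang-1.21 (= 1.21.5-1)
EOF

list_static_deps "$sample"               # the two installed Go/Rust tools
list_static_deps "$sample" x-crypto      # only what embeds the x-crypto source
rm -f "$sample"
```

On a real system run ``list_static_deps /var/lib/dpkg/status`` for the full inventory, or pass the source package named in a security announcement as the pattern to see which installed binaries still need a rebuilt version.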

.. _obsolescense-and-deprecation:

Obsolescence and deprecation
--------------------------------------------------------

.. _noteworthy-obsolete-packages:

Noteworthy obsolete packages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a list of known and noteworthy obsolete packages (see
:ref:`obsolete` for a description).

The list of obsolete packages includes:

-  The **libnss-gw-name** package has been removed from |RELEASENAME|.
   The upstream developer suggests using **libnss-myhostname** instead.

-  The **pcregrep** package has been removed from |RELEASENAME|. It can
   be replaced with ``grep -P`` (``--perl-regexp``) or ``pcre2grep``
   (from **pcre2-utils**).

.. _deprecated-components:

Deprecated components for |RELEASENAME|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With the next release of Debian |NEXTRELEASE| (codenamed |NEXTRELEASENAME|)
some features will be deprecated. Users will need to migrate to other
alternatives to prevent trouble when updating to Debian |NEXTRELEASE|.

This includes the following features:

-  The **libnss-docker** package is no longer developed upstream and requires
   version 1.21 of the Docker API. That deprecated API version is still
   supported by Docker Engine v26 (shipped by Debian trixie) but will
   be removed in Docker Engine v27+ (shipped by Debian forky).
   Unless upstream development resumes, the package will be removed
   in Debian forky.

-  The **openssh-client** and **openssh-server** packages currently support
   `GSS-API
   <https://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface>`__
   authentication and key exchange, which is usually used to authenticate to
   `Kerberos <https://en.wikipedia.org/wiki/Kerberos_(protocol)>`__ services.
   This has caused some problems, especially on the server side where it
   adds new pre-authentication attack surface, and Debian's main OpenSSH
   packages will therefore stop supporting it starting with
   |NEXTRELEASENAME|.

   If you are using GSS-API authentication or key exchange (look for options
   starting with ``GSSAPI`` in your OpenSSH configuration files; on a server,
   ``sshd -T | grep -i gssapi`` prints the effective values) then you
   should install the **openssh-client-gssapi** (on clients) or
   **openssh-server-gssapi** (on servers) package now.  On |RELEASENAME|,
   these are empty packages depending on **openssh-client** and
   **openssh-server** respectively; on |NEXTRELEASENAME|, they will be built
   separately.

-  sbuild-debian-developer-setup has been deprecated in favor of sbuild+unshare

   **sbuild**, the tool to build Debian packages in a minimal environment, has had
   a major upgrade and should work out of the box now. As a result the package
   **sbuild-debian-developer-setup** is no longer needed and has been deprecated.
   You can try the new version with:

   .. code-block:: console

      $ sbuild --chroot-mode=unshare --dist=unstable hello


.. only:: fixme

   No-longer-supported hardware
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   For a number of \`arch`-based devices that were supported in
   |OLDRELEASENAME|, it is no longer viable for Debian to build the required
   ``Linux`` kernel, due to hardware limitations. The unsupported devices
   are:

   -  foo

   Users of these platforms who wish to upgrade to |RELEASENAME| nevertheless
   should keep the |OLDRELEASENAME| APT sources enabled. Before upgrading
   they should add an APT preferences file containing:

   .. parsed-literal::

      Package: linux-image-marvell
      Pin: release n= |OLDRELEASENAME|
      Pin-Priority: 900

   The security support for this configuration will only last until
   |OLDRELEASENAME|'s End Of Life.

.. _rc-bugs:

Known severe bugs
---------------------------------------------------

Although Debian releases when it's ready, that unfortunately doesn't
mean there are no known bugs. As part of the release process all the
bugs of severity serious or higher are actively tracked by the Release
Team, so an `overview of those
bugs <https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.debian.org@packages.debian.org;tag=&releasename;-can-defer>`__
that were tagged to be ignored in the last part of releasing |RELEASENAME|
can be found in the `Debian Bug Tracking System <https://bugs.debian.org/>`__. The
following bugs were affecting |RELEASENAME| at the time of the release and
worth mentioning in this document:

+----------------------+---------------------------+------------------------------+
| Bug number           | Package (source or        | Description                  |
|                      | binary)                   |                              |
+======================+===========================+==============================+
| `1032240`_           | **akonadi-backend-mysql** | akonadi server fails         |
|                      |                           | to start since it            |
|                      |                           | cannot connect to            |
|                      |                           | mysql database               |
+----------------------+---------------------------+------------------------------+
| `1032177`_           | **faketime**              | faketime doesn't             |
|                      |                           | fake time (on i386)          |
+----------------------+---------------------------+------------------------------+
| `918984`_            | **src:fuse3**             | provide upgrade path         |
|                      |                           | fuse -> fuse3 for            |
|                      |                           | bookworm                     |
+----------------------+---------------------------+------------------------------+
| `1016903`_           | **g++-12**                | tree-vectorize:              |
|                      |                           | Wrong code at O2             |
|                      |                           | level                        |
|                      |                           | (-fno-tree-vectorize         |
|                      |                           | is working)                  |
+----------------------+---------------------------+------------------------------+
| `1020284`_           | **git-daemon-run**        | fails to purge:              |
|                      |                           | deluser -f: Unknown          |
|                      |                           | option: f                    |
+----------------------+---------------------------+------------------------------+
| `919296`_            | **git-daemon-run**        | fails with 'warning:         |
|                      |                           | git-daemon: unable           |
|                      |                           | to open                      |
|                      |                           | supervise/ok: file           |
|                      |                           | does not exist'              |
+----------------------+---------------------------+------------------------------+
| `1034752`_           | **src:gluegen2**          | embeds non-free headers      |
+----------------------+---------------------------+------------------------------+

.. _1032240: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032240
.. _1032177: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032177
.. _918984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918984
.. _1016903: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016903
.. _1020284: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020284
.. _919296: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919296
.. _1034752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034752