Tabla de contenidos
/usr
” is now required
libcrypt1
Algunas veces los cambios tienen efectos colaterales que no podemos evitar, o aparecen fallos en otro lugar. A continuación se documentan los problemas que conocemos. Puede leer también la fe de erratas, la documentación de los paquetes relevantes, los informes de fallos y otra información mencionada en Sección 6.1, “Para leer más”.
Esta sección cubre los elementos relacionados con la actualización de bullseye a bookworm
As described in Sección 2.2, “Archive areas”, non-free firmware packages
are now served from a dedicated archive component, called
non-free-firmware
. To ensure installed non-free firmware
packages receive proper upgrades, changes to the APT configuration are
required. Assuming the non-free
component was only added
to the APT sources-list to install firmware, the updated APT source-list
entry could look like:
deb https://deb.debian.org/debian bookworm main non-free-firmware
If you were pointed to this chapter by apt you can
prevent it from continuously notifying you about this change by creating an
apt.conf(5)
file named
/etc/apt/apt.conf.d/no-bookworm-firmware.conf
with the
following content:
APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";
The ntp
package, which used to be
the default way to set the system clock from a Network Time Protocol (NTP)
server, has been replaced by ntpsec
.
Most users will not need to take any specific action to transition from
ntp
to ntpsec
.
In bookworm there are also several other packages that provide a similar
service. The Debian default is now systemd-timesyncd
, which may be adequate for
users who only need an ntp
client to set their
clock. bookworm also includes chrony
and openntpd
which support more
advanced features, such as operating your own NTP server.
Puppet has been upgraded from 5 to 7, skipping the Puppet 6 series altogether. This introduces major changes to the Puppet ecosystem.
The classic Ruby-based Puppet Master 5.5.x application has been deprecated
upstream and is no longer available in Debian. It is replaced by Puppet
Server 7.x, provided by the puppetserver
package. The package is
automatically installed as a dependency of the transitional puppet-master
package.
In some cases, Puppet Server is a drop-in replacement for Puppet Master, but
you should review the configuration files available under
/etc/puppet/puppetserver
to ensure the new defaults are
suitable for your deployment. In particular the legacy format for the
auth.conf
file is deprecated, see the auth.conf
documentation for details.
The recommended approach is to upgrade the server before clients. The Puppet 7 Server is backwards compatible with older clients; a Puppet 5 Server can still handle upgraded agents but cannot register new Puppet 7 agents. So if you deploy new Puppet 7 agents before upgrading the server, you will not be able to add them to the fleet.
The puppet
package has been replaced
by the puppet-agent
package and is
now a transitional package to ensure a smooth upgrade.
Finally, the puppetdb
package was
removed in bullseye but is reintroduced in bookworm.
The popular tool youtube-dl
, which
can download videos from a large variety of websites (including, but not
limited to, YouTube) is no longer included in Debian. Instead, it has
been replaced with an empty transitional package that pulls in the
yt-dlp
package instead. yt-dlp
is a fork of youtube-dl
where new development is currently
happening.
There are no compatibility wrappers provided, so you'll need to modify your scripts and personal behavior to call yt-dlp instead of youtube-dl. The functionality should be mostly the same, although some options and behavioral details have changed. Be sure to check yt-dlp's man page for details, and in particular the Differences in default behavior section.
The packages fcitx
and fcitx5
provide version 4 and version 5 of the
popular Fcitx Input Method Framework. Following upstream's recommendation,
they can no longer be co-installed on the same operating system. Users
should determine which version of Fcitx is to be kept if they had
co-installed fcitx
and fcitx5
previously.
Before the upgrade, users are strongly encouraged to purge all related
packages for the unwanted Fcitx version (fcitx-*
for
Fcitx 4, and fcitx5-*
for Fcitx 5). When the upgrade is
finished, consider executing the im-config again to
select the desired input method framework to be used in the system.
You can read more background information in the announcement posted in the mailing list (text written in Simplified Chinese).
Unlike bullseye that had the MariaDB version in package names (e.g.
mariadb-server-10.5
and mariadb-client-10.5
), in bookworm the equivalent
MariaDB 10.11 package names are fully versionless (e.g. mariadb-server
or mariadb-client
). The MariaDB version is still
visible in the package version metadata.
There is at least one known upgrade scenario (Bug #1035949) where the transition to versionless package names fails: running
apt-get install default-mysql-server
may fail when mariadb-client-10.5
and the file /usr/bin/mariadb-admin
in it is removed
before the MariaDB server SysV init service has issued a shutdown, which
uses mariadb-admin. The workaround is to run
apt upgrade
before running
apt full-upgrade
.
For more information about the package name changes in MariaDB, see /usr/share/doc/mariadb-server/NEWS.Debian.gz
.
The rsyslog
package is no longer
needed on most systems and you may be able to remove it.
Many programs produce log messages to inform the user of what they are
doing. These messages can be managed by systemd's “journal” or
by a “syslog daemon” such as rsyslog
.
In bullseye, rsyslog
was
installed by default and the systemd journal was configured to forward log
messages to rsyslog, which writes messages into various text files such as
/var/log/syslog
.
From bookworm, rsyslog
is no
longer installed by default. If you do not want to continue using
rsyslog
, after the upgrade you can mark it as
automatically installed with
apt-mark auto rsyslog
and then an
apt autoremove
will remove it, if possible. If you have upgraded from older Debian releases, and not accepted the default configuration settings, the journal may not have been configured to save messages to persistent storage: instructions for enabling this are in journald.conf(5).
If you decide to switch away from rsyslog
you can use the
journalctl command to read log messages, which are stored
in a binary format under /var/log/journal
. For
example,
journalctl -e
shows the most recent log messages in the journal and
journalctl -ef
shows new messages as they are written (similar to running
tail -f /var/log/syslog
).
rsyslog
now defaults to “high
precision timestamps” which may affect other programs that analyze
the system logs. There is further information about how to customize this
setting in rsyslog.conf(5).
The change in timestamps may require locally-created logcheck
rules to be
updated. logcheck
checks messages in the system log
(produced by systemd-journald
or
rsyslog
) against a customizable database of regular
expressions known as rules. Rules that match the time the message was
produced will need to be updated to match the new rsyslog
format. The default rules, which are provided by the logcheck-database
package, have been updated,
but other rules, including those created locally, may require updating to
recognize the new format. See /usr/share/doc/logcheck-database/NEWS.Debian.gz
for a script to help update local logcheck
rules.
rsyslog
has changed which log files
it creates, and some files in /var/log
can be deleted.
If you are continuing to use rsyslog
(see Sección 5.1.7, “Changes to system logging”), some log files in
/var/log
will no longer be created by default. The
messages that were written to these files are also in
/var/log/syslog
but are no longer created by
default. Everything that used to be written to these files will still be
available in /var/log/syslog
.
The files that are no longer created are:
/var/log/mail.{info,warn,err}
These files contained messages from the local mail transport agent (MTA), split up by priority.
As /var/log/mail.log
contains all mail related
messages, these files (and their rotated counterparts) can be deleted
safely. If you were using those files to monitor anomalies, a suitable
alternative might be something like logcheck.
/var/log/lpr.log
This file contained log messages relating to printing. The default print
system in debian is cups
which does
not use this file, so unless you installed a different printing system this
file (and its rotated counterparts) can be deleted.
/var/log/{messages,debug,daemon.log}
These files (and their rotated counterparts) can be deleted. Everything that
used to be written to these files will still be in
/var/log/syslog
.
OpenLDAP 2.5 is a major new release and includes several incompatible
changes as described in the
upstream release announcement. Depending on the configuration, the
slapd
service might remain stopped after the upgrade,
until necessary configuration updates are completed.
The following are some of the known incompatible changes:
The slapd-bdb(5) and slapd-hdb(5) database backends have been removed. If you are using one of these backends under bullseye, it is strongly recommended to migrate to the slapd-mdb(5) backend before upgrading to bookworm.
The slapd-shell(5) database backend has been removed.
The slapo-ppolicy(5) overlay now includes its schema compiled into the module. The old external schema, if present, conflicts with the new built-in one.
The pw-argon2 contrib password module has been renamed to argon2.
Instructions for completing the upgrade and resuming the
slapd
service can be found in /usr/share/doc/slapd/README.Debian.gz.
You should also consult the upstream
upgrade notes.
For a long time, grub
has used the
os-prober
package to detect other
operating systems installed on a computer so that it can add them to the
boot menu. Unfortunately, that can be problematic in certain cases
(e.g. where guest virtual machines are running), so this has now been
disabled by default in the latest upstream release.
If you are using GRUB to boot your system and want to continue to have other
operating systems listed on the boot menu, you can change this. Either edit
the file /etc/default/grub
, ensure you have the setting
GRUB_DISABLE_OS_PROBER=false
and re-run
update-grub, or run
dpkg-reconfigure <GRUB_PACKAGE>
to change this and other GRUB settings in a more user-friendly way.
Many GNOME
apps have switched from the
GTK3
graphics toolkit to GTK4
. Sadly,
this has made many apps much less usable with screen readers such as
orca
.
If you depend on a screen reader you should consider switching to a
different desktop such as Mate, which has better accessibility
support. You can do this by installing the mate-desktop-environment
package. Information
about how to use Orca under Mate is available at here.
For consistency with upstream and other distributions, the
polkit
(formerly PolicyKit
) service,
which allows unprivileged programs to access privileged system services, has
changed the syntax and location for local policy rules. You should now
write local rules for customizing the security policy in JavaScript, and place
them at
/etc/polkit-1/rules.d/
.
Example rules using the new format can be found in
*
.rules/usr/share/doc/polkitd/examples/
, and polkit(8)
has further information.
Previously, rules could be written in pkla
format, and
placed in subdirectories of
/etc/polkit-1/localauthority
or
/var/lib/polkit-1/localauthority
. However,
.pkla
files should now be considered deprecated, and will
only continue to work if the polkitd-pkla
package is installed. This package
will usually be installed automatically when you upgrade to bookworm, but it
is likely not to be included in future Debian releases, so any local policy
overrides will need to be migrated to the JavaScript format.
Debian has adopted a filesystem layout, referred to as
“merged-/usr
”, which no longer includes
the legacy directories /bin
,
/sbin
, /lib
, or optional variants
such as /lib64
. In the new layout, the legacy
directories are replaced with symlinks to the corresponding locations
/usr/bin
, /usr/sbin
,
/usr/lib
, and /usr/lib64
. This
means that, for example, both /bin/bash
and
/usr/bin/bash
will launch bash.
For systems installed as buster or bullseye there will be no change, as the new filesystem layout was already the default in these releases. However, the older layout is no longer supported, and systems using it will be converted to the new layout when they are upgraded to bookworm.
The conversion to the new layout should have no impact on most users. All
files are automatically moved to their new locations even if they were
installed locally or come from packages not provided by Debian, and
hardcoded paths such as /bin/sh
continue to work. There
are, however, some potential issues:
dpkg --search
will give wrong answers for files moved to the new locations:
dpkg --search /usr/bin/bash
will not identify that bash came from a package. (But
dpkg --search /bin/bash
still works as expected.)
Local software not provided by Debian may not support the new layout and
may, for example, rely on /usr/bin/name
and
/bin/name
being two different files. This is not
supported on merged systems (including new installations since buster), so
any such software must be fixed or removed before the upgrade.
Systems that rely on a “base layer” that is not directly writable (such as WSL1 images or container systems using multi-layer overlayfs filesystems) cannot be safely converted and should either be replaced (e.g., by installing a new WSL1 image from the store) or have each individual layer upgraded (e.g., by upgrading the base Debian layer of the overlayfs independently) rather than dist-upgraded.
For further information, see The Case for the /usr merge and the Debian Technical Committee resolution.
Debian officially supports upgrades only from one stable release to the next, e.g. from bullseye to bookworm. Upgrades from buster to bookworm are not supported, and will fail due to Bug #993755 with the following error:
Setting up libc6:armel (2.36-9) ... /usr/bin/perl: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory dpkg: error processing package libc6:armel (--configure): installed libc6:armel package post-installation script subprocess returned error exit status 127
It is however possible to manually recover from this particular situation by
forcibly installing the new libcrypt1
:
# cd $(mktemp -d) # apt download libcrypt1 # dpkg-deb -x libcrypt1_*.deb . # cp -ra lib/* /lib/ # apt --fix-broken install
Hay algunos paquetes para los que Debian no puede comprometerse a proporcionar versiones actualizadas resolviendo problemas de seguridad. La información de estos paquetes se cubre en las siguientes subsecciones.
Nota | |
---|---|
El paquete |
Debian 12 includes several browser engines which are affected by a
steady stream of security vulnerabilities. The high rate of vulnerabilities
and partial lack of upstream support in the form of long term branches make
it very difficult to support these browsers and engines with backported
security fixes. Additionally, library interdependencies make it extremely
difficult to update to newer upstream releases. Applications using the
webkit2gtk
source package
(e.g. epiphany
) are covered by
security support, but applications using qtwebkit (source package
qtwebkit-opensource-src
) are not.
Para la navegación web general se recomienda utilizar Firefox o Chromium. Se mantendrá actualizadas recompilando las versiones ESR más recientes para estable. La misma estrategia se aplicará a Thunderbird.
Once a release becomes oldstable
, officially supported
browsers may not continue to receive updates for the standard period of
coverage. For example, Chromium will only receive 6 months of security
support in oldstable
rather than the typical 12 months.
The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. With the growth of the Go and Rust ecosystems it means that these packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.
In most cases if updates are warranted for Go or Rust development libraries, they will only be released via regular point releases.
The Debian provided python3 interpreter packages (python3.11
and pypy3
) are now marked as being
externally-managed, following PEP-668. The version of
python3-pip
provided in Debian
follows this, and will refuse to manually install packages on Debian's
python interpreters, unless the --break-system-packages
option is specified.
If you need to install a Python application (or version) that isn't packaged
in Debian, we recommend that you install it with pipx (in
the pipx
Debian package).
pipx will set up an environment isolated from other
applications and system Python modules, and install the application and its
dependencies into that.
If you need to install a Python library module (or version) that isn't
packaged in Debian, we recommend installing it into a virtualenv, where
possible. You can create virtualenvs with the venv
Python
stdlib module (in the python3-venv
Debian package) or the virtualenv Python 3rd-party tool
(in the virtualenv
Debian
package). For example, instead of running pip install --user
foo
, run: mkdir -p ~/.venvs
&& python3 -m venv ~/.venvs/foo
&& ~/.venvs/foo
/bin/python -m pip install
foo
to install it in a dedicated
virtualenv.
See /usr/share/doc/python3.11/README.venv
for more
details.
The VLC video player supports hardware-accelerated video decoding and encoding via VA-API and VDPAU. However, VLC's support for VA-API is tightly related to the version of FFmpeg. Because FFmpeg was upgraded to the 5.x branch, VLC's VA-API support has been disabled. Users of GPUs with native VA-API support (e.g., Intel and AMD GPUs) may experience high CPU usage during video playback and encoding.
Users of GPUs offering native VDPAU support (e.g., NVIDIA with non-free drivers) are not affected by this issue.
Support for VA-API and VDPAU can be checked with vainfo and vdpauinfo (each provided in a Debian package of the same name).
The new systemd-resolved
package
will not be installed automatically on upgrades. If you were using the
systemd-resolved system service, please install the new
package manually after the upgrade, and note that until it has been
installed, DNS resolution might no longer work since the service will not be
present on the system. Installing this package will automatically give
systemd-resolved control of /etc/resolv.conf
. For more
information about systemd-resolved, consult the official documentation.
Note that systemd-resolved was not, and still is not, the default DNS
resolver in Debian. If you have not configured your machine to use
systemd-resolved as the DNS resolver, no action is required.
The new systemd-boot
package will
not be installed automatically on upgrades. If you were using
systemd-boot, please install this new package manually,
and note that until you do so, the older version of systemd-boot will be
used as the bootloader. Installing this package will automatically configure
systemd-boot as the machine's bootloader. The default boot loader in Debian
is still GRUB. If you have not configured the machine to use systemd-boot as
the bootloader, no action is required.
The optional systemd-journal-gatewayd
and systemd-journal-remote
services are now built without GnuTLS support, which means the
--trust
option is no longer provided by either program,
and an error will be raised if it is specified.
There have been several changes in adduser
. The most prominent change is that
--disabled-password
and
--disabled-login
are now functionally identical. For
further details, please read the
/usr/share/doc/adduser/NEWS.Debian.gz
.
The predictable naming logic in systemd
for network interfaces has been extended
to generate stable names from Xen netfront device information. This means
that instead of the former system of names assigned by the kernel,
interfaces now have stable names of the form
enX
. Please adapt your system
before rebooting after the upgrade. Some more information can be found on
the NetworkInterfaceNames
wiki page.
#
dash, which by default provides the system shell
/bin/sh
in Debian, has switched to treating the
circumflex (^
) as a literal character, as was always the
intended POSIX-compliant behavior. This means that in bookworm
[^0-9]
no longer means “not 0 to 9” but
“0 to 9 and ^
”.
The netcat
utility for reading and writing data across
network connections supports abstract
sockets, and uses them by default in some circumstances.
By default, netcat
is provided by netcat-traditional
. However, if
netcat
is provided by the netcat-openbsd
package and you are using an
AF_UNIX
socket, then this new default applies. In this
case the -U
option to nc will now
interpret an argument starting with an @
as requesting an
abstract socket rather than as a filename beginning with an
@
in the current directory. This can have security
implications because filesystem permissions can no longer be used to control
access to an abstract socket. You can continue to use a filename starting
with an @
by prefixing the name with
./
or by specifying an absolute path.
A continuación se muestra una lista de los paquetes conocidos y notables que ahora están obsoletos (consulte Sección 4.8, “Paquetes obsoletos” para obtener una descripción).
La lista de paquetes obsoletos incluye:
The libnss-ldap
package has been
removed from bookworm. Its functionalities are now covered by
libnss-ldapd
and libnss-sss
.
The libpam-ldap
package has been
removed from bookworm. Its replacement is libpam-ldapd
.
The fdflush
package has been removed
from bookworm. In its stead, please use blockdev
--flushbufs from util-linux
.
The libgdal-perl
package has been
removed from bookworm, because the Perl binding for GDAL is no longer
supported upstream. If you need Perl support for GDAL, you can migrate to
the FFI interface provided by the Geo::GDAL::FFI package, available on
CPAN. You will have to build your own binaries as documented on the BookwormGdalPerl Wiki page.
Con la publicación de Debian 13 (nombre en clave trixie) algunas funcionalidades estarán obsoletas. Los usuarios deben migrar a otras alternativas para evitar problemas al actualizar a Debian 13.
Esto incluye las siguientes funcionalidades:
Development of the NSS service gw_name
stopped in
2015. The associated package libnss-gw-name
may be removed in future Debian
releases. The upstream developer suggests using libnss-myhostname
instead.
dmraid
has not seen upstream
activity since end 2010 and has been on life support in Debian. bookworm
will be the last release to ship it, so please plan accordingly if you're
using dmraid
.
request-tracker4
has been superseded
by request-tracker5
in this release,
and will be removed in future releases. We recommend that you plan to
migrate from request-tracker4 to request-tracker5 during the lifetime of
this release.
The isc-dhcp
suite has been deprecated by the
ISC. The Debian Wiki has a list of alternative
implementations, see DHCP Client
and DHCP Server pages for the
latest. If you are using NetworkManager
or systemd-networkd
, you can safely remove the
isc-dhcp-client
package as they both
ship their own implementation. If you are using the ifupdown
package, you can experiment with
udhcpc
as a replacement. The ISC
recommends the Kea
package as a
replacement for DHCP servers.
The security team will support the isc-dhcp
package during the bookworm lifetime,
but the package will likely be unsupported in the next stable release, see
bug #1035972 (isc-dhcp EOL'ed) for
more details.
Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing bookworm can be found in the Debian Bug Tracking System. The following bugs were affecting bookworm at the time of the release and worth mentioning in this document:
Bug number | Package (source or binary) | Description |
---|---|---|
1032240 | akonadi-backend-mysql | akonadi server fails to start since it cannot connect to mysql database |
918984 | src:fuse3 | provide upgrade path fuse -> fuse3 for bookworm |
1016903 | g++-12 | tree-vectorize: Wrong code at O2 level (-fno-tree-vectorize is working) |
1020284 | git-daemon-run | fails to purge: deluser -f: Unknown option: f |
919296 | git-daemon-run | fails with 'warning: git-daemon: unable to open supervise/ok: file does not exist' |
1034752 | src:gluegen2 | embeds non-free headers |
1036256 | src:golang-github-pin-tftp | FTBFS in testing: dh_auto_test: error: cd _build && go test -vet=off -v -p 8 github.com/pin/tftp github.com/pin/tftp/netascii returned exit code 1 |
1036575 | groonga-bin | missing Depends: libjs-jquery-flot, libjs-jquery-ui |
1036041 | src:grub2 | upgrade-reports: Dell XPS 9550 fails to boot after bullseye to bookworm upgrade - grub/bios interaction bug? |
558422 | grub-pc | upgrade hangs |
913916 | grub-efi-amd64 | UEFI boot option removed after update to grub2 2.02~beta3-5+deb9u1 |
924151 | grub2-common | wrong grub.cfg for efi boot and fully encrypted disk |
925134 | grub-efi-amd64 | grub-efi-amd64-signed: doesn't mount cryptodisk |
945001 | grub-efi-amd64 | GRUB-EFI messes up boot variables |
965026 | grub-emu | grub-emu hangs linux console when run as root |
984760 | grub-efi-amd64 | upgrade works, boot fails (error: symbol `grub_is_lockdown` not found) |
1036263 | src:guestfs-tools | FTBFS in testing: make[6]: *** [Makefile:1716: test-suite.log] Error 1 |
916596 | iptables | iptables.postinst failure on link creation |
919058 | itstool | its-tools: crashes when freeing xmlDocs |
1028416 | kexec-tools | systemctl kexec doesn't shutdown system properly and corrupts mounted filesystems |
935182 | libreoffice-core | Concurrent file open on the same host results file deletion |
1036755 | src:linux | 6.1.26 <= x < 6.1.30 breaks applications using mmap(MAP_32BIT)
[affects ganeti ] |
1036580 | src:llvm-defaults | please add some Breaks for smoother upgrades from bullseye |
1036359 | elpa-markdown-toc | crashes with (wrong-type-argument consp nil) |
1032647 | nvidia-driver | Intermittent black screen after updating to 525.89.02-1 |
1029342 | openjdk-17-jre-headless | jexec: can't locate java: No such file or directory |
1035798 | libphp8.2-embed | does not ship SONAME link /usr/lib/libphp.so -> libphp8.2.so |
1034993 | software-properties-qt | missing Breaks+Replaces for software-properties-kde when upgrading from bullseye |
1036388 | sylpheed | account reset when mail is checked |
1036424 | sylpheed | replying to an email you sent doesn't set account accordingly |
994274 | src:syslinux | FTBFS with gnu-efi 3.0.13 |
1031152 | system-config-printer | unlock button in system-config-printer provides no elevated permissions dialog |
975490 | u-boot-sunxi | A64-Olinuxino-eMMC boot stuck at "Starting kernel ..." |
1034995 | python-is-python3 | missing Breaks+Replaces for python-dev-is-python2 when upgrading from bullseye |
1036881 | whitedune | segfaults |
1036601 | xenstore-utils | missing Depends: xen-utils-common |
1036578 | python3-yade | does not ship a python module |