Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.
This section covers items related to the upgrade from bullseye to bookworm.
As described in Section 2.2, “Archive areas”, non-free firmware packages are now served from a dedicated archive component, called non-free-firmware. To ensure installed non-free firmware packages receive proper upgrades, changes to the APT configuration are required. Assuming the non-free component was only added to the APT sources-list to install firmware, the updated APT source-list entry could look like:
deb https://deb.debian.org/debian bookworm main non-free-firmware
If you were pointed to this chapter by apt you can prevent it from continuously notifying you about this change by creating an apt.conf(5) file named /etc/apt/apt.conf.d/no-bookworm-firmware.conf with the following content:
APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";
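A pre-upgrade check for the change described above, as an added example that is not part of the release notes: it lists one-line-style APT entries for bookworm that enable non-free but not non-free-firmware. The function names and the sample file are constructed for illustration, and deb822 (.sources) files are not handled.

```shell
#!/bin/sh
# Added example, not from the release notes. Function names are illustrative.

# audit_sources FILE...
# Prints "FILE:LINE: entry" for every deb/deb-src line of a bookworm suite whose
# components include non-free but not non-free-firmware. Returns 1 if any exist.
audit_sources() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2
            # Skip an optional [option=value ...] block before the URI.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)
            nonfree = 0; firmware = 0
            for (j = i + 2; j <= NF; j++) {
                if ($j == "non-free") nonfree = 1
                if ($j == "non-free-firmware") firmware = 1
            }
            if (suite ~ /^bookworm/ && nonfree && !firmware) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample, not a real system's configuration.
write_sample_sources() {
    cat > "$1" <<'EOF'
# constructed sample
deb https://deb.debian.org/debian bookworm main non-free
deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb [arch=amd64] https://deb.debian.org/debian bookworm-updates main non-free
deb https://deb.debian.org/debian bullseye main non-free
EOF
}

sample=$(mktemp)
write_sample_sources "$sample"
audit_sources "$sample" || echo "the entries above still need non-free-firmware"
rm -f "$sample"
```

On a real system, pass /etc/apt/sources.list and the files under /etc/apt/sources.list.d/ ending in .list instead of the sample.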
The ntp package, which used to be the default way to set the system clock from a Network Time Protocol (NTP) server, has been replaced by ntpsec.
Most users will not need to take any specific action to transition from ntp to ntpsec.
In bookworm there are also several other packages that provide a similar service. The Debian default is now systemd-timesyncd, which may be adequate for users who only need an ntp client to set their clock. bookworm also includes chrony and openntpd which support more advanced features, such as operating your own NTP server.
Puppet has been upgraded from 5 to 7, skipping the Puppet 6 series altogether. This introduces major changes to the Puppet ecosystem.
The classic Ruby-based Puppet Master 5.5.x application has been deprecated upstream and is no longer available in Debian. It is replaced by Puppet Server 7.x, provided by the puppetserver package. The package is automatically installed as a dependency of the transitional puppet-master package.
In some cases, Puppet Server is a drop-in replacement for Puppet Master, but you should review the configuration files available under /etc/puppet/puppetserver to ensure the new defaults are suitable for your deployment. In particular the legacy format for the auth.conf file is deprecated, see the auth.conf documentation for details.
The recommended approach is to upgrade the server before clients. The Puppet 7 Server is backwards compatible with older clients; a Puppet 5 Server can still handle upgraded agents but cannot register new Puppet 7 agents. So if you deploy new Puppet 7 agents before upgrading the server, you will not be able to add them to the fleet.
The puppet package has been replaced by the puppet-agent package and is now a transitional package to ensure a smooth upgrade.
Finally, the puppetdb package was removed in bullseye but is reintroduced in bookworm.
The popular tool youtube-dl, which can download videos from a large variety of websites (including, but not limited to, YouTube) is no longer included in Debian. Instead, it has been replaced with an empty transitional package that pulls in the yt-dlp package instead. yt-dlp is a fork of youtube-dl where new development is currently happening.
There are no compatibility wrappers provided, so you'll need to modify your scripts and personal behavior to call yt-dlp instead of youtube-dl. The functionality should be mostly the same, although some options and behavioral details have changed. Be sure to check yt-dlp's man page for details, and in particular the Differences in default behavior section.
The packages fcitx and fcitx5 provide version 4 and version 5 of the popular Fcitx Input Method Framework. Following upstream's recommendation, they can no longer be co-installed on the same operating system. Users should determine which version of Fcitx is to be kept if they had co-installed fcitx and fcitx5 previously.
Before the upgrade, users are strongly encouraged to purge all related packages for the unwanted Fcitx version (fcitx-* for Fcitx 4, and fcitx5-* for Fcitx 5). When the upgrade is finished, consider executing im-config again to select the desired input method framework to be used in the system.
You can read more background information in the announcement posted in the mailing list (text written in Simplified Chinese).
Unlike bullseye that had the MariaDB version in package names (e.g. mariadb-server-10.5 and mariadb-client-10.5), in bookworm the equivalent MariaDB 10.11 package names are fully versionless (e.g. mariadb-server or mariadb-client). The MariaDB version is still visible in the package version metadata.
There is at least one known upgrade scenario (Bug #1035949) where the transition to versionless package names fails: running apt-get install default-mysql-server may fail when mariadb-client-10.5 and the file /usr/bin/mariadb-admin in it are removed before the MariaDB server SysV init service has issued a shutdown, which uses mariadb-admin. The workaround is to run apt upgrade before running apt full-upgrade.
For more information about the package name changes in MariaDB, see /usr/share/doc/mariadb-server/NEWS.Debian.gz.
The rsyslog package is no longer needed on most systems and you may be able to remove it.
Many programs produce log messages to inform the user of what they are doing. These messages can be managed by systemd's “journal” or by a “syslog daemon” such as rsyslog.
In bullseye, rsyslog was installed by default and the systemd journal was configured to forward log messages to rsyslog, which writes messages into various text files such as /var/log/syslog.
From bookworm, rsyslog is no longer installed by default. If you do not want to continue using rsyslog, after the upgrade you can mark it as automatically installed with apt-mark auto rsyslog and then an apt autoremove will remove it, if possible. If you have upgraded from older Debian releases, and not accepted the default configuration settings, the journal may not have been configured to save messages to persistent storage: instructions for enabling this are in journald.conf(5).
If you decide to switch away from rsyslog you can use the journalctl command to read log messages, which are stored in a binary format under /var/log/journal. For example, journalctl -e shows the most recent log messages in the journal and journalctl -ef shows new messages as they are written (similar to running tail -f /var/log/syslog).
rsyslog now defaults to “high precision timestamps” which may affect other programs that analyze the system logs. There is further information about how to customize this setting in rsyslog.conf(5).
The change in timestamps may require locally-created logcheck rules to be updated. logcheck checks messages in the system log (produced by systemd-journald or rsyslog) against a customizable database of regular expressions known as rules. Rules that match the time the message was produced will need to be updated to match the new rsyslog format. The default rules, which are provided by the logcheck-database package, have been updated, but other rules, including those created locally, may require updating to recognize the new format. See /usr/share/doc/logcheck-database/NEWS.Debian.gz for a script to help update local logcheck rules.
rsyslog has changed which log files it creates, and some files in /var/log can be deleted.
If you are continuing to use rsyslog (see Section 5.1.7, “Changes to system logging”), some log files in /var/log will no longer be created by default. Everything that used to be written to these files will still be available in /var/log/syslog.
The files that are no longer created are:
/var/log/mail.{info,warn,err}
These files contained messages from the local mail transport agent (MTA), split up by priority. As /var/log/mail.log contains all mail related messages, these files (and their rotated counterparts) can be deleted safely. If you were using those files to monitor anomalies, a suitable alternative might be something like logcheck.
/var/log/lpr.log
This file contained log messages relating to printing. The default print system in Debian is cups which does not use this file, so unless you installed a different printing system this file (and its rotated counterparts) can be deleted.
/var/log/{messages,debug,daemon.log}
These files (and their rotated counterparts) can be deleted. Everything that used to be written to these files will still be in /var/log/syslog.
OpenLDAP 2.5 is a major new release and includes several incompatible changes as described in the upstream release announcement. Depending on the configuration, the slapd service might remain stopped after the upgrade, until necessary configuration updates are completed.
The following are some of the known incompatible changes:
The slapd-bdb(5) and slapd-hdb(5) database backends have been removed. If you are using one of these backends under bullseye, it is strongly recommended to migrate to the slapd-mdb(5) backend before upgrading to bookworm.
The slapd-shell(5) database backend has been removed.
The slapo-ppolicy(5) overlay now includes its schema compiled into the module. The old external schema, if present, conflicts with the new built-in one.
The pw-argon2 contrib password module has been renamed to argon2.
Instructions for completing the upgrade and resuming the slapd service can be found in /usr/share/doc/slapd/README.Debian.gz. You should also consult the upstream upgrade notes.
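One way to look for the incompatibilities listed above before upgrading, as an added example that is not part of the release notes or of OpenLDAP. It assumes the configuration is stored as cn=config LDIF files (on Debian usually under /etc/ldap/slapd.d); the function names, messages and sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the release notes. Assumes the cn=config ("slapd.d")
# LDIF layout; function names and report labels are illustrative.

# scan LABEL REGEX DIR: print "LABEL: file" for each file with a matching line.
scan() {
    grep -rlE -- "$2" "$3" 2>/dev/null | while IFS= read -r file; do
        printf '%s: %s\n' "$1" "$file"
    done
}

# check_slapd_config DIR: report settings affected by the OpenLDAP 2.5 changes.
check_slapd_config() {
    idx='(\{-?[0-9]+\})?'    # optional {N} ordering prefix used by cn=config
    scan 'removed backend, migrate to mdb' \
        "^olcDatabase: ${idx}(bdb|hdb)\$" "$1"
    scan 'removed backend' \
        "^olcDatabase: ${idx}shell\$" "$1"
    scan 'external ppolicy schema conflicts with the built-in one' \
        "^cn: ${idx}ppolicy\$" "$1"
    scan 'module renamed to argon2' \
        "^olcModuleLoad: ${idx}pw-argon2(\\.(la|so))?\$" "$1"
}

# Constructed sample tree, not a real server's configuration.
make_sample_slapd_d() {
    mkdir -p "$1/cn=config/cn=schema"
    printf 'dn: olcDatabase={1}hdb\nolcDatabase: {1}hdb\n' \
        > "$1/cn=config/olcDatabase={1}hdb.ldif"
    printf 'dn: olcDatabase={2}mdb\nolcDatabase: {2}mdb\n' \
        > "$1/cn=config/olcDatabase={2}mdb.ldif"
    printf 'dn: cn=module{0}\nolcModuleLoad: {0}back_mdb\nolcModuleLoad: {1}pw-argon2\n' \
        > "$1/cn=config/cn=module{0}.ldif"
    printf 'dn: cn={4}ppolicy\ncn: {4}ppolicy\n' \
        > "$1/cn=config/cn=schema/cn={4}ppolicy.ldif"
}

sample=$(mktemp -d)
make_sample_slapd_d "$sample"
check_slapd_config "$sample"
rm -rf "$sample"
```

An empty report means none of the four patterns was found; it does not replace reading README.Debian.gz and the upstream upgrade notes.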
For a long time, grub has used the os-prober package to detect other operating systems installed on a computer so that it can add them to the boot menu. Unfortunately, that can be problematic in certain cases (e.g. where guest virtual machines are running), so this has now been disabled by default in the latest upstream release.
If you are using GRUB to boot your system and want to continue to have other operating systems listed on the boot menu, you can change this. Either edit the file /etc/default/grub, ensure you have the setting GRUB_DISABLE_OS_PROBER=false and re-run update-grub, or run dpkg-reconfigure <GRUB_PACKAGE> to change this and other GRUB settings in a more user-friendly way.
Many GNOME apps have switched from the GTK3 graphics toolkit to GTK4. Sadly, this has made many apps much less usable with screen readers such as orca.
If you depend on a screen reader you should consider switching to a different desktop such as Mate, which has better accessibility support. You can do this by installing the mate-desktop-environment package. Information about how to use Orca under Mate is available here.
Debian's support for 32-bit PC (known as the Debian architecture i386) no longer covers any i586 processor. The new minimum requirement is i686. This means that the i386 architecture now requires the "long NOP" (NOPL) instruction, while bullseye still supported some i586 processors without that instruction (e.g. the "AMD Geode").
If your machine is not compatible with this requirement, it is recommended that you stay with bullseye for the remainder of its support cycle.
For consistency with upstream and other distributions, the polkit (formerly PolicyKit) service, which allows unprivileged programs to access privileged system services, has changed the syntax and location for local policy rules. You should now write local rules for customizing the security policy in JavaScript, and place them at /etc/polkit-1/rules.d/*.rules. Example rules using the new format can be found in /usr/share/doc/polkitd/examples/, and polkit(8) has further information.
Previously, rules could be written in pkla format, and placed in subdirectories of /etc/polkit-1/localauthority or /var/lib/polkit-1/localauthority. However, .pkla files should now be considered deprecated, and will only continue to work if the polkitd-pkla package is installed. This package will usually be installed automatically when you upgrade to bookworm, but it is likely not to be included in future Debian releases, so any local policy overrides will need to be migrated to the JavaScript format.
Debian has adopted a filesystem layout, referred to as “merged-/usr”, which no longer includes the legacy directories /bin, /sbin, /lib, or optional variants such as /lib64. In the new layout, the legacy directories are replaced with symlinks to the corresponding locations /usr/bin, /usr/sbin, /usr/lib, and /usr/lib64. This means that, for example, both /bin/bash and /usr/bin/bash will launch bash.
For systems installed as buster or bullseye there will be no change, as the new filesystem layout was already the default in these releases. However, the older layout is no longer supported, and systems using it will be converted to the new layout when they are upgraded to bookworm.
The conversion to the new layout should have no impact on most users. All files are automatically moved to their new locations even if they were installed locally or come from packages not provided by Debian, and hardcoded paths such as /bin/sh continue to work. There are, however, some potential issues:
dpkg --search will give wrong answers for files moved to the new locations: dpkg --search /usr/bin/bash will not identify that bash came from a package. (But dpkg --search /bin/bash still works as expected.)
Local software not provided by Debian may not support the new layout and may, for example, rely on /usr/bin/name and /bin/name being two different files. This is not supported on merged systems (including new installations since buster), so any such software must be fixed or removed before the upgrade.
Systems that rely on a “base layer” that is not directly writable (such as WSL1 images or container systems using multi-layer overlayfs filesystems) cannot be safely converted and should either be replaced (e.g., by installing a new WSL1 image from the store) or have each individual layer upgraded (e.g., by upgrading the base Debian layer of the overlayfs independently) rather than dist-upgraded.
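A check for the second issue above, as an added example that is not part of the release notes: it reports whether a tree is already merged and, if not, which names exist as two different files under /bin or /sbin and their /usr counterparts. Function names and the sample tree are constructed; the optional ROOT argument is an assumption made so the check can run against a test directory.

```shell
#!/bin/sh
# Added example, not from the release notes. Function names are illustrative.

# is_merged_usr [ROOT]: succeed if ROOT/bin, ROOT/sbin and ROOT/lib are symlinks.
is_merged_usr() {
    for dir in bin sbin lib; do
        [ -L "${1:-}/$dir" ] || return 1
    done
    return 0
}

# list_split_files [ROOT]: on an unmerged tree, print every name that exists as
# two different files in ROOT/{bin,sbin} and ROOT/usr/{bin,sbin}.
list_split_files() {
    for dir in bin sbin; do
        # A symlinked (already merged) or missing directory has nothing to compare.
        if [ -L "${1:-}/$dir" ] || [ ! -d "${1:-}/$dir" ]; then continue; fi
        for path in "${1:-}/$dir"/*; do
            name=${path##*/}
            twin="${1:-}/usr/$dir/$name"
            # Skip names without a counterpart under /usr (and the unexpanded glob).
            if [ ! -e "$path" ] || [ ! -e "$twin" ]; then continue; fi
            # Same inode, or one a symlink to the other: a single file, no clash.
            if [ "$path" -ef "$twin" ]; then continue; fi
            printf '/%s/%s differs from /usr/%s/%s\n' "$dir" "$name" "$dir" "$name"
        done
    done
    return 0
}

# Constructed sample of an unmerged tree.
make_unmerged_sample() {
    mkdir -p "$1/bin" "$1/sbin" "$1/lib" "$1/usr/bin" "$1/usr/sbin" "$1/usr/lib"
    echo 'vendor build' > "$1/bin/tool"
    echo 'distro build' > "$1/usr/bin/tool"     # clashes with /bin/tool
    echo 'only in /bin' > "$1/bin/single"
    echo 'shared' > "$1/usr/bin/linked"
    ln -s ../usr/bin/linked "$1/bin/linked"     # compatibility symlink, same file
}

sample=$(mktemp -d)
make_unmerged_sample "$sample"
is_merged_usr "$sample" || list_split_files "$sample"
rm -rf "$sample"
```

Called without an argument, both functions inspect the running system.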
For further information, see The Case for the /usr merge and the Debian Technical Committee resolution.
Debian officially supports upgrades only from one stable release to the next, e.g. from bullseye to bookworm. Upgrades from buster to bookworm are not supported, and will fail due to Bug #993755 with the following error:
Setting up libc6:i386 (2.36-9) ...
/usr/bin/perl: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory
dpkg: error processing package libc6:i386 (--configure):
installed libc6:i386 package post-installation script subprocess returned error exit status 127
It is however possible to manually recover from this particular situation by forcibly installing the new libcrypt1:
# cd $(mktemp -d)
# apt download libcrypt1
# dpkg-deb -x libcrypt1_*.deb .
# cp -ra lib/* /lib/
# apt --fix-broken install
There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.
Note | |
---|---|
The package |
Debian 12 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Applications using the webkit2gtk source package (e.g. epiphany) are covered by security support, but applications using qtwebkit (source package qtwebkit-opensource-src) are not.
For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.
Once a release becomes oldstable, officially supported browsers may not continue to receive updates for the standard period of coverage. For example, Chromium will only receive 6 months of security support in oldstable rather than the typical 12 months.
The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. With the growth of the Go and Rust ecosystems it means that these packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.
In most cases if updates are warranted for Go or Rust development libraries, they will only be released via regular point releases.
The Debian provided python3 interpreter packages (python3.11 and pypy3) are now marked as being externally-managed, following PEP-668. The version of python3-pip provided in Debian follows this, and will refuse to manually install packages on Debian's python interpreters, unless the --break-system-packages option is specified.
If you need to install a Python application (or version) that isn't packaged in Debian, we recommend that you install it with pipx (in the pipx Debian package). pipx will set up an environment isolated from other applications and system Python modules, and install the application and its dependencies into that.
If you need to install a Python library module (or version) that isn't packaged in Debian, we recommend installing it into a virtualenv, where possible. You can create virtualenvs with the venv Python stdlib module (in the python3-venv Debian package) or the virtualenv Python 3rd-party tool (in the virtualenv Debian package). For example, instead of running pip install --user foo, run:
mkdir -p ~/.venvs && python3 -m venv ~/.venvs/foo && ~/.venvs/foo/bin/python -m pip install foo
to install it in a dedicated virtualenv.
See /usr/share/doc/python3.11/README.venv for more details.
The VLC video player supports hardware-accelerated video decoding and encoding via VA-API and VDPAU. However, VLC's support for VA-API is tightly related to the version of FFmpeg. Because FFmpeg was upgraded to the 5.x branch, VLC's VA-API support has been disabled. Users of GPUs with native VA-API support (e.g., Intel and AMD GPUs) may experience high CPU usage during video playback and encoding.
Users of GPUs offering native VDPAU support (e.g., NVIDIA with non-free drivers) are not affected by this issue.
Support for VA-API and VDPAU can be checked with vainfo and vdpauinfo (each provided in a Debian package of the same name).
The new systemd-resolved package will not be installed automatically on upgrades. If you were using the systemd-resolved system service, please install the new package manually after the upgrade, and note that until it has been installed, DNS resolution might no longer work since the service will not be present on the system. Installing this package will automatically give systemd-resolved control of /etc/resolv.conf.
For more information about systemd-resolved, consult the official
documentation.
Note that systemd-resolved was not, and still is not, the default DNS
resolver in Debian. If you have not configured your machine to use
systemd-resolved as the DNS resolver, no action is required.
The new systemd-boot package will not be installed automatically on upgrades. If you were using systemd-boot, please install this new package manually, and note that until you do so, the older version of systemd-boot will be used as the bootloader. Installing this package will automatically configure systemd-boot as the machine's bootloader.
The default boot loader in Debian is still GRUB. If you have not
configured the machine to use systemd-boot as the bootloader, no action
is required.
The optional systemd-journal-gatewayd and systemd-journal-remote services are now built without GnuTLS support, which means the --trust option is no longer provided by either program, and an error will be raised if it is specified.
There have been several changes in adduser. The most prominent change is that --disabled-password and --disabled-login are now functionally identical. For further details, please read the /usr/share/doc/adduser/NEWS.Debian.gz.
The predictable naming logic in systemd for network interfaces has been extended to generate stable names from Xen netfront device information. This means that instead of the former system of names assigned by the kernel, interfaces now have stable names of the form enX. Please adapt your system before rebooting after the upgrade. Some more information can be found on the NetworkInterfaceNames wiki page.
dash, which by default provides the system shell /bin/sh in Debian, has switched to treating the circumflex (^) as a literal character, as was always the intended POSIX-compliant behavior. This means that in bookworm [^0-9] no longer means “not 0 to 9” but “0 to 9 and ^”.
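The change described above in script form, as an added example that is not part of the release notes: a probe for how the running shell reads [^0-9], the portable [!0-9] spelling, and a heuristic scan for /bin/sh scripts that still use [^...] as a shell pattern. Function names and the sample script are constructed.

```shell
#!/bin/sh
# Added example, not from the release notes. Function names are illustrative.

# bracket_caret_mode: show how the running shell reads [^0-9] in a pattern.
# "5" can only match if ^ is a literal member of the set (0-9 plus ^).
bracket_caret_mode() {
    case 5 in
        [^0-9]) echo literal ;;
        *)      echo negation ;;
    esac
}

# is_uint STRING: succeed if STRING is a non-empty run of digits. [!0-9] is
# the POSIX spelling of "not 0 to 9" and works in dash and bash alike.
is_uint() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# find_caret_patterns FILE...: list lines of #!/bin/sh or dash scripts that use
# [^...] as a shell pattern. Heuristic: quoted strings are ignored (a quoted
# [^...] is normally a regex for grep or sed), except inside ${var#...} or
# ${var%...}, where the pattern is still interpreted by the shell.
find_caret_patterns() {
    awk -v q="'" '
        FNR == 1 { is_sh = ($0 ~ /^#![ \t]*\/(usr\/)?bin\/(sh|dash)([ \t]|$)/) }
        !is_sh || /^[ \t]*#/ { next }
        {
            line = $0
            hit = (line ~ /[$][{][^}]*[#%][^}]*\[\^/)
            gsub(q "[^" q "]*" q, "", line)
            gsub(/"[^"]*"/, "", line)
            if (hit || index(line, "[^") > 0)
                printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# Constructed sample script used for the demonstration below.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample
case $1 in
    *[^0-9]*) echo "not a number" ;;
esac
bad=$(printf '%s' "$1" | grep -c '[^0-9]')
tail="${1##*[^0-9]}"
head=${1%%[!0-9]*}
EOF
}

sample=$(mktemp)
write_sample_script "$sample"
echo "this shell treats ^ in brackets as: $(bracket_caret_mode)"
find_caret_patterns "$sample"
rm -f "$sample"
```

Each reported line should be rewritten with [!...]; the grep regex in the sample is not reported because grep, not the shell, interprets it.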
The netcat utility for reading and writing data across network connections supports abstract sockets, and uses them by default in some circumstances.
By default, netcat is provided by netcat-traditional. However, if netcat is provided by the netcat-openbsd package and you are using an AF_UNIX socket, then this new default applies. In this case the -U option to nc will now interpret an argument starting with an @ as requesting an abstract socket rather than as a filename beginning with an @ in the current directory. This can have security implications because filesystem permissions can no longer be used to control access to an abstract socket. You can continue to use a filename starting with an @ by prefixing the name with ./ or by specifying an absolute path.
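A helper for the case described above, as an added example that is not part of the release notes or of netcat: one function rewrites a socket name so that nc -U always treats it as a file, and another scans scripts for nc calls that combine -U with an argument starting with @. Function names and the sample script are constructed, and the scan only sees literal arguments, not values held in variables.

```shell
#!/bin/sh
# Added example, not from the release notes. Function names are illustrative.

# nc_socket_path NAME: print NAME so that "nc -U" always treats it as a file,
# which keeps access to the socket under filesystem permissions.
nc_socket_path() {
    case $1 in
        @*) printf './%s\n' "$1" ;;   # "@name" alone would select an abstract socket
        *)  printf '%s\n' "$1" ;;     # absolute and other relative paths are unaffected
    esac
}

# find_abstract_nc FILE...: list nc/netcat calls that combine a -U flag with an
# argument starting with "@". Heuristic: literal arguments only.
find_abstract_nc() {
    awk -v q="'" '
        /^[ \t]*#/ { next }
        {
            in_nc = 0; has_U = 0; has_at = 0
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (tok ~ /(^|\/)(nc|netcat)$/) {
                    in_nc = 1; has_U = 0; has_at = 0; continue
                }
                if (!in_nc) continue
                if (tok ~ /^[|;&]+$/) { in_nc = 0; continue }   # command ends here
                c = substr(tok, 1, 1)
                if (c == "\"" || c == q) tok = substr(tok, 2)   # drop an opening quote
                if (tok ~ /^-[A-Za-z0-9]*U/) has_U = 1
                else if (tok ~ /^@/) has_at = 1
                if (has_U && has_at) {
                    printf "%s:%d: %s\n", FILENAME, FNR, $0
                    break
                }
            }
        }
    ' "$@"
}

# Constructed sample script used for the demonstration below.
write_sample_nc_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample
nc -lU @control &
nc -U ./@control
nc -U /run/app/control.sock
printf 'hi\n' | /usr/bin/nc -U -N "@admin"
echo user@example.org | nc -w 2 mail.example 25
EOF
}

sample=$(mktemp)
write_sample_nc_script "$sample"
find_abstract_nc "$sample"
echo "safe form of @control: $(nc_socket_path @control)"
rm -f "$sample"
```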
The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).
The list of obsolete packages includes:
The libnss-ldap package has been removed from bookworm. Its functionalities are now covered by libnss-ldapd and libnss-sss.
The libpam-ldap package has been removed from bookworm. Its replacement is libpam-ldapd.
The fdflush package has been removed from bookworm. In its stead, please use blockdev --flushbufs from util-linux.
The libgdal-perl package has been removed from bookworm, because the Perl binding for GDAL is no longer supported upstream. If you need Perl support for GDAL, you can migrate to the FFI interface provided by the Geo::GDAL::FFI package, available on CPAN. You will have to build your own binaries as documented on the BookwormGdalPerl Wiki page.
With the next release of Debian 13 (codenamed trixie) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 13.
This includes the following features:
Development of the NSS service gw_name stopped in 2015. The associated package libnss-gw-name may be removed in future Debian releases. The upstream developer suggests using libnss-myhostname instead.
dmraid has not seen upstream activity since the end of 2010 and has been on life support in Debian. bookworm will be the last release to ship it, so please plan accordingly if you're using dmraid.
request-tracker4 has been superseded by request-tracker5 in this release, and will be removed in future releases. We recommend that you plan to migrate from request-tracker4 to request-tracker5 during the lifetime of this release.
The isc-dhcp suite has been deprecated by the ISC. The Debian Wiki has a list of alternative implementations, see DHCP Client and DHCP Server pages for the latest. If you are using NetworkManager or systemd-networkd, you can safely remove the isc-dhcp-client package as they both ship their own implementation. If you are using the ifupdown package, you can experiment with udhcpc as a replacement. The ISC recommends the Kea package as a replacement for DHCP servers.
The security team will support the isc-dhcp package during the bookworm lifetime, but the package will likely be unsupported in the next stable release, see bug #1035972 (isc-dhcp EOL'ed) for more details.
Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing bookworm can be found in the Debian Bug Tracking System. The following bugs were affecting bookworm at the time of the release and worth mentioning in this document:
Bug number | Package (source or binary) | Description |
---|---|---|
1032240 | akonadi-backend-mysql | akonadi server fails to start since it cannot connect to mysql database |
1032177 | faketime | faketime doesn't fake time (on i386) |
918984 | src:fuse3 | provide upgrade path fuse -> fuse3 for bookworm |
1016903 | g++-12 | tree-vectorize: Wrong code at O2 level (-fno-tree-vectorize is working) |
1020284 | git-daemon-run | fails to purge: deluser -f: Unknown option: f |
919296 | git-daemon-run | fails with 'warning: git-daemon: unable to open supervise/ok: file does not exist' |
1034752 | src:gluegen2 | embeds non-free headers |
1036256 | src:golang-github-pin-tftp | FTBFS in testing: dh_auto_test: error: cd _build && go test -vet=off -v -p 8 github.com/pin/tftp github.com/pin/tftp/netascii returned exit code 1 |
1036575 | groonga-bin | missing Depends: libjs-jquery-flot, libjs-jquery-ui |
1036041 | src:grub2 | upgrade-reports: Dell XPS 9550 fails to boot after bullseye to bookworm upgrade - grub/bios interaction bug? |
558422 | grub-pc | upgrade hangs |
913916 | grub-efi-amd64 | UEFI boot option removed after update to grub2 2.02~beta3-5+deb9u1 |
924151 | grub2-common | wrong grub.cfg for efi boot and fully encrypted disk |
925134 | grub-efi-amd64 | grub-efi-amd64-signed: doesn't mount cryptodisk |
945001 | grub-efi-amd64 | GRUB-EFI messes up boot variables |
965026 | grub-emu | grub-emu hangs linux console when run as root |
984760 | grub-efi-amd64 | upgrade works, boot fails (error: symbol `grub_is_lockdown` not found) |
1036263 | src:guestfs-tools | FTBFS in testing: make[6]: *** [Makefile:1716: test-suite.log] Error 1 |
916596 | iptables | iptables.postinst failure on link creation |
919058 | itstool | its-tools: crashes when freeing xmlDocs |
1028416 | kexec-tools | systemctl kexec doesn't shutdown system properly and corrupts mounted filesystems |
935182 | libreoffice-core | Concurrent file open on the same host results file deletion |
994510 | libunwind8 | libunwind8 abuses setcontext() causing SIGSEGV on i386 with glibc >= 2.32 |
1036755 | src:linux | 6.1.26 <= x < 6.1.30 breaks applications using mmap(MAP_32BIT) [affects ganeti ] |
1036580 | src:llvm-defaults | please add some Breaks for smoother upgrades from bullseye |
1036359 | elpa-markdown-toc | crashes with (wrong-type-argument consp nil) |
1032647 | nvidia-driver | Intermittent black screen after updating to 525.89.02-1 |
1029342 | openjdk-17-jre-headless | jexec: can't locate java: No such file or directory |
1035798 | libphp8.2-embed | does not ship SONAME link /usr/lib/libphp.so -> libphp8.2.so |
1034993 | software-properties-qt | missing Breaks+Replaces for software-properties-kde when upgrading from bullseye |
1036388 | sylpheed | account reset when mail is checked |
1036424 | sylpheed | replying to an email you sent doesn't set account accordingly |
994274 | src:syslinux | FTBFS with gnu-efi 3.0.13 |
1031152 | system-config-printer | unlock button in system-config-printer provides no elevated permissions dialog |
975490 | u-boot-sunxi | A64-Olinuxino-eMMC boot stuck at "Starting kernel ..." |
1034995 | python-is-python3 | missing Breaks+Replaces for python-dev-is-python2 when upgrading from bullseye |
1036881 | whitedune | segfaults |
1036601 | xenstore-utils | missing Depends: xen-utils-common |
1036578 | python3-yade | does not ship a python module |