Capítulo 5. Problemas a serem considerados para a bookworm

Como descrito em Seção 2.2, “Áreas do repositório”, pacotes de firmware não-livre agora são servidos a partir de um componente dedicado do repositório, chamado non-free-firmware. Para assegurar que pacotes de firmware não-livre instalados recebam as devidas atualizações, são necessárias mudanças na configuração do APT. Assumindo que o componente non-free somente foi adicionado ao sources-list do APT para instalar firmware, a entrada source-list atualizada do APT poderia se parecer com:

deb https://deb.debian.org/debian bookworm main non-free-firmware

Caso você tenha sido direcionado a este capítulo pelo apt, você pode evitar que ele notifique você continuamente sobre essa mudança criando um arquivo apt.conf(5) nomeado /etc/apt/apt.conf.d/no-bookworm-firmware.conf com o seguinte conteúdo:

APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";

The ntp package, which used to be the default way to set the system clock from a Network Time Protocol (NTP) server, has been replaced by ntpsec.

Most users will not need to take any specific action to transition from ntp to ntpsec.

In bookworm there are also several other packages that provide a similar service. The Debian default is now systemd-timesyncd, which may be adequate for users who only need an ntp client to set their clock. bookworm also includes chrony and openntpd which support more advanced features, such as operating your own NTP server.

O Puppet foi atualizado de 5 para 7, pulando a série Puppet 6 completamente. Isso introduz mudanças significativas para o ecossistema Puppet.

A aplicação clássica Puppet Master 5.5.x baseada em Ruby se tornou obsoleta pelo autor original e não está mais disponível no Debian. Ela foi substituída pelo Puppet Server 7.x, fornecido pelo pacote puppetserver. O pacote é instalado automaticamente como uma dependência do pacote transitório puppet-master.

Em alguns casos, o Puppet Server é um perfeito substituto para o Puppet Master, mas você deve revisar os arquivos de configuração disponíveis sob /etc/puppet/puppetserver para assegurar que os novos valores padrão são apropriados para a sua instalação. Em particular, o formato legado para o arquivo auth.conf está obsoleto, veja a documentação do auth.conf para detalhes.

A abordagem recomendada é atualizar o servidor antes dos clientes. O Puppet 7 Server é compatível retroativamente com clientes antigos; um Puppet 5 Server ainda consegue lidar com agentes atualizados, mas não pode registrar novos agentes Puppet 7. Assim, se você instalar novos agentes Puppet 7 antes de atualizar o servidor, você não será capaz de adicioná-los à frota.

O pacote puppet foi substituído pelo pacote puppet-agent e agora é um pacote transitório para assegurar uma atualização suave.

Por último, o pacote puppetdb foi removido na bullseye, mas foi reintroduzido na bookworm.

The popular tool youtube-dl, which can download videos from a large variety of websites (including, but not limited to, YouTube) is no longer included in Debian. Instead, it has been replaced with an empty transitional package that pulls in the yt-dlp package instead. yt-dlp is a fork of youtube-dl where new development is currently happening.

There are no compatibility wrappers provided, so you'll need to modify your scripts and personal behavior to call yt-dlp instead of youtube-dl. The functionality should be mostly the same, although some options and behavioral details have changed. Be sure to check yt-dlp's man page for details, and in particular the Differences in default behavior section.

The packages fcitx and fcitx5 provide version 4 and version 5 of the popular Fcitx Input Method Framework. Following upstream's recommendation, they can no longer be co-installed on the same operating system. Users should determine which version of Fcitx is to be kept if they had co-installed fcitx and fcitx5 previously.

Before the upgrade, users are strongly encouraged to purge all related packages for the unwanted Fcitx version (fcitx-* for Fcitx 4, and fcitx5-* for Fcitx 5). When the upgrade is finished, consider executing the im-config again to select the desired input method framework to be used in the system.

You can read more background information in the announcement posted in the mailing list (text written in Simplified Chinese).

Unlike bullseye that had the MariaDB version in package names (e.g. mariadb-server-10.5 and mariadb-client-10.5), in bookworm the equivalent MariaDB 10.11 package names are fully versionless (e.g. mariadb-server or mariadb-client). The MariaDB version is still visible in the package version metadata.

There is at least one known upgrade scenario (Bug #1035949) where the transition to versionless package names fails: running

apt-get install default-mysql-server

may fail when mariadb-client-10.5 and the file /usr/bin/mariadb-admin in it is removed before the MariaDB server SysV init service has issued a shutdown, which uses mariadb-admin. The workaround is to run

apt upgrade

before running

apt full-upgrade

.

For more information about the package name changes in MariaDB, see /usr/share/doc/mariadb-server/NEWS.Debian.gz.

The rsyslog package is no longer needed on most systems and you may be able to remove it.

Many programs produce log messages to inform the user of what they are doing. These messages can be managed by systemd's “journal” or by a “syslog daemon” such as rsyslog.

In bullseye, rsyslog was installed by default and the systemd journal was configured to forward log messages to rsyslog, which writes messages into various text files such as /var/log/syslog.

From bookworm, rsyslog is no longer installed by default. If you do not want to continue using rsyslog, after the upgrade you can mark it as automatically installed with

apt-mark auto rsyslog

and then an

apt autoremove

will remove it, if possible. If you have upgraded from older Debian releases, and not accepted the default configuration settings, the journal may not have been configured to save messages to persistent storage: instructions for enabling this are in journald.conf(5).

If you decide to switch away from rsyslog you can use the journalctl command to read log messages, which are stored in a binary format under /var/log/journal. For example,

journalctl -e

shows the most recent log messages in the journal and

journalctl -ef

shows new messages as they are written (similar to running

tail -f /var/log/syslog

).

rsyslog now defaults to “high precision timestamps” which may affect other programs that analyze the system logs. There is further information about how to customize this setting in rsyslog.conf(5).

The change in timestamps may require locally-created logcheck rules to be updated. logcheck checks messages in the system log (produced by systemd-journald or rsyslog) against a customizable database of regular expressions known as rules. Rules that match the time the message was produced will need to be updated to match the new rsyslog format. The default rules, which are provided by the logcheck-database package, have been updated, but other rules, including those created locally, may require updating to recognize the new format. See /usr/share/doc/logcheck-database/NEWS.Debian.gz for a script to help update local logcheck rules.

rsyslog has changed which log files it creates, and some files in /var/log can be deleted.

If you are continuing to use rsyslog (see Seção 5.1.7, “Changes to system logging”), some log files in /var/log will no longer be created by default. The messages that were written to these files are also in /var/log/syslog but are no longer created by default. Everything that used to be written to these files will still be available in /var/log/syslog.

The files that are no longer created are:

OpenLDAP 2.5 is a major new release and includes several incompatible changes as described in the upstream release announcement. Depending on the configuration, the slapd service might remain stopped after the upgrade, until necessary configuration updates are completed.

The following are some of the known incompatible changes:

Instructions for completing the upgrade and resuming the slapd service can be found in /usr/share/doc/slapd/README.Debian.gz. You should also consult the upstream upgrade notes.

For a long time, grub has used the os-prober package to detect other operating systems installed on a computer so that it can add them to the boot menu. Unfortunately, that can be problematic in certain cases (e.g. where guest virtual machines are running), so this has now been disabled by default in the latest upstream release.

If you are using GRUB to boot your system and want to continue to have other operating systems listed on the boot menu, you can change this. Either edit the file /etc/default/grub, ensure you have the setting GRUB_DISABLE_OS_PROBER=false and re-run update-grub, or run

dpkg-reconfigure <GRUB_PACKAGE>

to change this and other GRUB settings in a more user-friendly way.

Many GNOME apps have switched from the GTK3 graphics toolkit to GTK4. Sadly, this has made many apps much less usable with screen readers such as orca.

If you depend on a screen reader you should consider switching to a different desktop such as Mate, which has better accessibility support. You can do this by installing the mate-desktop-environment package. Information about how to use Orca under Mate is available at here.

Debian's support for PC 32 bits (known as the Debian architecture i386) now no longer covers any i586 processor. The new minimum requirement is i686. What this means that the i386 architecture now requires the "long NOP" (NOPL) instruction, while bullseye still supported some i586 processors without that instruction (e.g. the "AMD Geode").

If your machine is not compatible with this requirement, it is recommended that you stay with bullseye for the remainder of its support cycle.

For consistency with upstream and other distributions, the polkit (formerly PolicyKit) service, which allows unprivileged programs to access privileged system services, has changed the syntax and location for local policy rules. You should now write local rules for customizing the security policy in JavaScript, and place them at /etc/polkit-1/rules.d/*.rules. Example rules using the new format can be found in /usr/share/doc/polkitd/examples/, and polkit(8) has further information.

Previously, rules could be written in pkla format, and placed in subdirectories of /etc/polkit-1/localauthority or /var/lib/polkit-1/localauthority. However, .pkla files should now be considered deprecated, and will only continue to work if the polkitd-pkla package is installed. This package will usually be installed automatically when you upgrade to bookworm, but it is likely not to be included in future Debian releases, so any local policy overrides will need to be migrated to the JavaScript format.

Debian has adopted a filesystem layout, referred to as “merged-/usr”, which no longer includes the legacy directories /bin, /sbin, /lib, or optional variants such as /lib64. In the new layout, the legacy directories are replaced with symlinks to the corresponding locations /usr/bin, /usr/sbin, /usr/lib, and /usr/lib64. This means that, for example, both /bin/bash and /usr/bin/bash will launch bash.

For systems installed as buster or bullseye there will be no change, as the new filesystem layout was already the default in these releases. However, the older layout is no longer supported, and systems using it will be converted to the new layout when they are upgraded to bookworm.

The conversion to the new layout should have no impact on most users. All files are automatically moved to their new locations even if they were installed locally or come from packages not provided by Debian, and hardcoded paths such as /bin/sh continue to work. There are, however, some potential issues:

For further information, see The Case for the /usr merge and the Debian Technical Committee resolution.

Debian officially supports upgrades only from one stable release to the next, e.g. from bullseye to bookworm. Upgrades from buster to bookworm are not supported, and will fail due to Bug #993755 with the following error:

Setting up libc6:i386 (2.36-9) ...
/usr/bin/perl: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory
dpkg: error processing package libc6:i386 (--configure):
installed libc6:i386 package post-installation script subprocess returned error exit status 127
        

It is however possible to manually recover from this particular situation by forcibly installing the new libcrypt1:

# cd $(mktemp -d)
# apt download libcrypt1
# dpkg-deb -x libcrypt1_*.deb .
# cp -ra lib/* /lib/
# apt --fix-broken install
        

Quando o apt full-upgrade terminar, a atualização “formal” estará completa. Para a atualização da bookworm, não é necessária nenhuma ação especial antes de executar uma reinicialização.

Há alguns pacotes onde o Debian não pode prometer fornecer portes retroativos mínimos para problemas de segurança. Esses são abordados nas subseções a seguir.

	Nota
	O pacote debian-security-support ajuda a acompanhar a situação do suporte de segurança dos pacotes instalados.

Os pacotes do interpretador python3 fornecidos pelo Debian (python3.11 e pypy3) agora são marcados como sendo gerenciados externamente, seguindo a PEP-668. A versão de python3-pip fornecida pelo Debian segue isso, e se recusará a instalar manualmente pacotes nos interpretadores python do Debian, a menos que a opção --break-system-packages seja especificada.

Se você precisar instalar um aplicativo (ou versão) que não esteja empacotado no Debian, nós recomendamos que você o instale com pipx (no pacote Debian pipx). O pipx configurará um ambiente isolado de outros aplicativos e módulos Python do sistema, e instalará o aplicativo e suas dependências nesse ambiente.

Se você precisar instalar um módulo de biblioteca Python (ou versão) que não esteja empacotado no Debian, nós recomendamos instalá-lo em um “virtualenv”, quando possível. Você pode criar “virtualenvs” com o módulo da stdlib do Python venv (no pacote Debian python3-venv) ou com a ferramenta Python de terceiros virtualenv (no pacote Debian virtualenv). Por exemplo, em vez de executar pip install --user foo, execute: mkdir -p ~/.venvs && python3 -m venv ~/.venvs/foo && ~/.venvs/foo/bin/python -m pip install foo para instalá-lo em um “virtualenv” dedicado.

Veja /usr/share/doc/python3.11/README.venv para mais detalhes.

The VLC video player supports hardware-accelerated video decoding and encoding via VA-API and VDPAU. However, VLC's support for VA-API is tightly related to the version of FFmpeg. Because FFmpeg was upgraded to the 5.x branch, VLC's VA-API support has been disabled. Users of GPUs with native VA-API support (e.g., Intel and AMD GPUs) may experience high CPU usage during video playback and encoding.

Users of GPUs offering native VDPAU support (e.g., NVIDIA with non-free drivers) are not affected by this issue.

Support for VA-API and VDPAU can be checked with vainfo and vdpauinfo (each provided in a Debian package of the same name).

The new systemd-resolved package will not be installed automatically on upgrades. If you were using the systemd-resolved system service, please install the new package manually after the upgrade, and note that until it has been installed, DNS resolution might no longer work since the service will not be present on the system. Installing this package will automatically give systemd-resolved control of /etc/resolv.conf. For more information about systemd-resolved, consult the official documentation. Note that systemd-resolved was not, and still is not, the default DNS resolver in Debian. If you have not configured your machine to use systemd-resolved as the DNS resolver, no action is required.

The new systemd-boot package will not be installed automatically on upgrades. If you were using systemd-boot, please install this new package manually, and note that until you do so, the older version of systemd-boot will be used as the bootloader. Installing this package will automatically configure systemd-boot as the machine's bootloader. The default boot loader in Debian is still GRUB. If you have not configured the machine to use systemd-boot as the bootloader, no action is required.

The optional systemd-journal-gatewayd and systemd-journal-remote services are now built without GnuTLS support, which means the --trust option is no longer provided by either program, and an error will be raised if it is specified.

There have been several changes in adduser. The most prominent change is that --disabled-password and --disabled-login are now functionally identical. For further details, please read the /usr/share/doc/adduser/NEWS.Debian.gz.

The predictable naming logic in systemd for network interfaces has been extended to generate stable names from Xen netfront device information. This means that instead of the former system of names assigned by the kernel, interfaces now have stable names of the form enX#. Please adapt your system before rebooting after the upgrade. Some more information can be found on the NetworkInterfaceNames wiki page.

dash, which by default provides the system shell /bin/sh in Debian, has switched to treating the circumflex (^) as a literal character, as was always the intended POSIX-compliant behavior. This means that in bookworm [^0-9] no longer means “not 0 to 9” but “0 to 9 and ^”.

The netcat utility for reading and writing data across network connections supports abstract sockets, and uses them by default in some circumstances.

By default, netcat is provided by netcat-traditional. However, if netcat is provided by the netcat-openbsd package and you are using an AF_UNIX socket, then this new default applies. In this case the -U option to nc will now interpret an argument starting with an @ as requesting an abstract socket rather than as a filename beginning with an @ in the current directory. This can have security implications because filesystem permissions can no longer be used to control access to an abstract socket. You can continue to use a filename starting with an @ by prefixing the name with ./ or by specifying an absolute path.

A seguinte lista é de pacotes conhecidos e obsoletos dignos de nota (veja Seção 4.8, “Pacotes obsoletos” para uma descrição).

A lista de pacotes obsoletos inclui:

Com a próxima versão do Debian 13 (codinome trixie), alguns recursos ficarão obsoletos. Os usuários precisarão migrar para outras alternativas para evitar problemas quando atualizarem para o Debian 13.

Isso inclui os seguintes recursos: