5. Ζητήματα που θα πρέπει να έχετε υπόψιν για την έκδοση trixie

Μερικές φορές, αλλαγές που εισάγονται σε μια καινούρια έκδοση έχουν παρενέργειες που αναμενόμενα δεν μπορούμε να αποφύγουμε ή εκθέτουν σφάλματα κάπου αλλού. Αυτή η ενότητα τεκμηριώνει τα προβλήματα των οποίων έχουν γνώση. Παρακαλούμε, διαβάστε επίσης τα παροράματα, τη σχετική τεκμηρίωση των πακέτων, τις αναφορές σφαλμάτων και άλλες πληροφορίες που αναφέρονται στην ενότητα Περαιτέρω διάβασμα.

5.1. Συγκεκριμένα αντικείμενα της αναβάθμισης για την έκδοση trixie

Αυτή η ενότητα καλύπτει ζητήματα που σχετίζονται με την αναβάθμιση από την προηγούμενη έκδοση bookworm στην έκδοση trixie.

5.1.1. openssh-server no longer reads ~/.pam_environment

The Secure Shell (SSH) daemon provided in the openssh-server package, which allows logins from remote systems, no longer reads the user's ~/.pam_environment file by default; this feature has a history of security problems and has been deprecated in current versions of the Pluggable Authentication Modules (PAM) library. If you used this feature, you should switch from setting variables in ~/.pam_environment to setting them in your shell initialization files (e.g. ~/.bash_profile or ~/.bashrc) or some other similar mechanism instead.

Existing SSH connections will not be affected, but new connections may behave differently after the upgrade. If you are upgrading remotely, it is normally a good idea to ensure that you have some other way to log into the system before starting the upgrade; see Προετοιμαστείτε για επανάκτηση.

5.1.2. OpenSSH no longer supports DSA keys

Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell (SSH) protocol, are inherently weak: they are limited to 160-bit private keys and the SHA-1 digest. The SSH implementation provided by the openssh-client and openssh-server packages has disabled support for DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9 ("stretch"), although it could still be enabled using the HostKeyAlgorithms and PubkeyAcceptedAlgorithms configuration options for host and user keys respectively.

The only remaining uses of DSA at this point should be connecting to some very old devices. For all other purposes, the other key types supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.

As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the above configuration options. If you have a device that you can only connect to using DSA, then you can use the ssh1 command provided by the openssh-client-ssh1 package to do so.

In the unlikely event that you are still using DSA keys to connect to a Debian server (if you are unsure, you can check by adding the -v option to the ssh command line you use to connect to that server and looking for the "Server accepts key:" line), then you must generate replacement keys before upgrading. For example, to generate a new Ed25519 key and enable logins to a server using it, run this on the client, replacing username@server with the appropriate user and host names:

$ ssh-keygen -t ed25519
$ ssh-copy-id username@server

5.2. Πράγματα που πρέπει να κάνετε μετά τη αναβάθμιση και πριν την επανεκκίνηση

When apt full-upgrade has finished, the "formal" upgrade is complete. For the upgrade to trixie, there are no special actions needed before performing a reboot.

5.2.1. Πράγματα που δεν περιορίζονται στη διαδικασία αναβάθμισης

5.2.2. Περιορισμοί στην υποστήριξη ασφάλειας

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

Σημείωση

The package debian-security-support helps to track the security support status of installed packages.

5.2.2.1. Κατάσταση ασφαλείας των φυλλομετρητών web και των μηχανών τους για απεικόνιση (rendering)

Debian 13 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Applications using the webkit2gtk source package (e.g. epiphany) are covered by security support, but applications using qtwebkit (source package qtwebkit-opensource-src) are not.

For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.

Once a release becomes oldstable, officially supported browsers may not continue to receive updates for the standard period of coverage. For example, Chromium will only receive 6 months of security support in oldstable rather than the typical 12 months.

5.2.2.2. Πακέτα βασισμένα στις γλώσσες Go και Rust

Προς το παρόν, η υποδομή του Debian αντιμετωπίζει προβλήματα με το ξαναχτίσιμο τύπων πακέτων που χρησιμοποιούν συστηματικά στατικό linking. Πριν από την έκδοση buster αυτό δεν ήταν πρόβλημα στην πράξη, αλλά με την αύξηση του οικοσυστήματος της γλώσσας Go και της γλώσσας Rust, αυτό σημαίνει ότι αυτά τα πακέτα θα έχουν περιορισμένη κάλυψη ασφάλειας μέχρι η υποδομή του Debian να βελτιωθεί ώστε να τα χειρίζεται με αποτελεσματκό, από άποψη συντήρησης τρόπο.

Αν οι επικαιροποιήσεις είναι εγγυημένες για τις βιβλιοθήκες ανάπτυξης της Go ή της Rust, τότε μπορούν να γίνονται μόνο μέσω τακτικών σημειακών εκδόσεων, οι οποίες ενδέχεται να καθυστερούν να βγουν.

5.3. Παλαίωση και κατάργηση

5.3.1. Αξιοσημείωτα παρωχημένα πακέτα

The following is a list of known and noteworthy obsolete packages (see Παρωχημένα πακέτα for a description).

Η λίστα των παρωχημένων πακέτων περιλαμβάνει:

  • To be added, as below:

  • The libnss-ldap package has been removed from trixie. Its functionalities are now covered by libnss-ldapd and libnss-sss.

5.3.2. Deprecated components for trixie

With the next release of Debian 14 (codenamed forky) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 14.

Αυτό περιλαμβάνει τα ακόλουθα χαρακτηριστικά:

  • To be added, as below:

  • Η ανάπτυξη της υπηρεσίας NSS gw_name σταμάτησε το 2015. Το σχετικό πακέτο libnss-gw-name ίσως αφαιρεθεί σε μελλοντικές εκδόσεις του Debian. Ο προγραμματιστής της upstream προτείνει την χρήση του libnss-myhostname αντί για αυτήν.

  • The openssh-client and openssh-server packages currently support GSS-API authentication and key exchange, which is usually used to authenticate to Kerberos services. This has caused some problems, especially on the server side where it adds new pre-authentication attack surface, and Debian's main OpenSSH packages will therefore stop supporting it starting with forky.

    If you are using GSS-API authentication or key exchange (look for options starting with GSSAPI in your OpenSSH configuration files) then you should install the openssh-client-gssapi (on clients) or openssh-server-gssapi (on servers) package now. On trixie, these are empty packages depending on openssh-client and openssh-server respectively; on forky, they will be built separately.

5.4. Γνωστά εξαιρετικά σοβαρά σφάλματα

Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing trixie can be found in the Debian Bug Tracking System. The following bugs were affecting trixie at the time of the release and worth mentioning in this document:

Αριθμός σφάλματος

Πακέτο (πηγαίου κώδικα ή μεταγλωττισμένο - binary)

Περιγραφή

1032240

akonadi-backend-mysql

akonadi server fails to start since it cannot connect to mysql database

1032177

faketime

faketime doesn't fake time (on i386)

918984

src:fuse3

provide upgrade path fuse -> fuse3 for bookworm

1016903

g++-12

tree-vectorize: Wrong code at O2 level (-fno-tree-vectorize is working)

1020284

git-daemon-run

fails to purge: deluser -f: Unknown option: f

919296

git-daemon-run

fails with 'warning: git-daemon: unable to open supervise/ok: file does not exist'

1034752

src:gluegen2

embeds non-free headers