5. trixie 中需要注意的问题

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in 扩展阅读.

5.1. 升级到 trixie 时可能出现的问题

本节介绍从 bookworm 升级到 trixie 的相关问题。

5.1.1. openssh-server no longer reads ~/.pam_environment

The Secure Shell (SSH) daemon provided in the openssh-server package, which allows logins from remote systems, no longer reads the user's ~/.pam_environment file by default; this feature has a history of security problems and has been deprecated in current versions of the Pluggable Authentication Modules (PAM) library. If you used this feature, you should switch from setting variables in ~/.pam_environment to setting them in your shell initialization files (e.g. ~/.bash_profile or ~/.bashrc) or some other similar mechanism instead.

Existing SSH connections will not be affected, but new connections may behave differently after the upgrade. If you are upgrading remotely, it is normally a good idea to ensure that you have some other way to log into the system before starting the upgrade; see 准备故障恢复.

5.1.2. OpenSSH no longer supports DSA keys

Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell (SSH) protocol, are inherently weak: they are limited to 160-bit private keys and the SHA-1 digest. The SSH implementation provided by the openssh-client and openssh-server packages has disabled support for DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9 ("stretch"), although it could still be enabled using the HostKeyAlgorithms and PubkeyAcceptedAlgorithms configuration options for host and user keys respectively.

The only remaining uses of DSA at this point should be connecting to some very old devices. For all other purposes, the other key types supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.

As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the above configuration options. If you have a device that you can only connect to using DSA, then you can use the ssh1 command provided by the openssh-client-ssh1 package to do so.

In the unlikely event that you are still using DSA keys to connect to a Debian server (if you are unsure, you can check by adding the -v option to the ssh command line you use to connect to that server and looking for the "Server accepts key:" line), then you must generate replacement keys before upgrading. For example, to generate a new Ed25519 key and enable logins to a server using it, run this on the client, replacing username@server with the appropriate user and host names:

$ ssh-keygen -t ed25519
$ ssh-copy-id username@server

5.2. 升级后在重启前需要做的事

apt full-upgrade 完成时,"形式上的"升级就完成了。对于向 trixie 的升级而言,重启前没有什么特别的操作需要完成。

5.2.1. 升级过程之外的注意事项

5.2.2. 安全支持上的局限性

有一些软件包,Debian 不能保证针对安全漏洞提供最小的向后移植。这些将在以下小节中介绍。

备注

debian-security-support 软件包可帮助跟踪已安装软件包的安全支持状态。

5.2.2.1. 网页浏览器及其渲染引擎的安全支持状态

Debian 13 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Applications using the webkit2gtk source package (e.g. epiphany) are covered by security support, but applications using qtwebkit (source package qtwebkit-opensource-src) are not.

对于通用网页浏览器,我们推荐 Firefox 和 Chromium。这些软件将使用最新的 ESR 版本持续在 stable 中予以更新。这同样适用于 Thunderbird。

一旦一个发布版本成为 oldstable,官方支持的浏览器的支持周期可能短于发布版本的标准支持周期。例如,Chromium 在 oldstable 中只会获得 6 个月的安全支持,而不是通常的 12 个月。

5.2.2.2. 基于 Go 和 Rust 的软件包

Debian 当前的基础架构在重新构建系统化使用静态链接的软件包时存在一些问题。随着 Go 和 Rust 生态系统的成长,这些软件包将只能得到有限的安全支持,直到基础架构得到改进使得这些软件包更加易于维护。

大多数情况下,如果 Go 或 Rust 开发库需要更新,这些更新只能通过定期的小版本更新提供。

5.3. 过时与废弃内容

5.3.1. 值得注意的过时软件包

以下是已知的和值得注意的过时软件包的列表(有关过时软件包的描述,请参阅 过时的软件包)。

过时的软件包包括:

  • To be added, as below:

  • libnss-ldap 软件包已从 trixie 移除。它的功能已由 libnss-ldapdlibnss-sss 代替。

5.3.2. trixie 的废弃组件

随着下一个版本 Debian 14 (代号为 forky) 的发布,某些功能将被弃用。用户需要迁移到其他替代方案,以防止在更新到 Debian 14 时出现问题。

这包括以下特性:

  • To be added, as below:

  • NSS 服务 gw_name 的开发已于 2015 年停止。与之对应的软件包 libnss-gw-name 可能在未来的 Debian 发布版本中被移除。上游开发者建议使用 libnss-myhostname 代替它。

  • The openssh-client and openssh-server packages currently support GSS-API authentication and key exchange, which is usually used to authenticate to Kerberos services. This has caused some problems, especially on the server side where it adds new pre-authentication attack surface, and Debian's main OpenSSH packages will therefore stop supporting it starting with forky.

    If you are using GSS-API authentication or key exchange (look for options starting with GSSAPI in your OpenSSH configuration files) then you should install the openssh-client-gssapi (on clients) or openssh-server-gssapi (on servers) package now. On trixie, these are empty packages depending on openssh-client and openssh-server respectively; on forky, they will be built separately.

5.4. 已知的严重缺陷

Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing trixie can be found in the Debian Bug Tracking System. The following bugs were affecting trixie at the time of the release and worth mentioning in this document:

缺陷编号

软件包(源码包或二进制包)

描述

1032240

akonadi-backend-mysql

akonadi server fails to start since it cannot connect to mysql database

1032177

faketime

faketime doesn't fake time (on i386)

918984

src:fuse3

provide upgrade path fuse -> fuse3 for bookworm

1016903

g++-12

tree-vectorize: Wrong code at O2 level (-fno-tree-vectorize is working)

1020284

git-daemon-run

fails to purge: deluser -f: Unknown option: f

919296

git-daemon-run

fails with 'warning: git-daemon: unable to open supervise/ok: file does not exist'

1034752

src:gluegen2

embeds non-free headers