5. Issues to be aware of for trixie
Sometimes, changes introduced in a new release have side effects that we cannot reasonably avoid, or the changes expose problems elsewhere. This section documents the known issues. Please also read the errata, the documentation of the relevant packages, bug reports, and the other information mentioned in Further reading.
5.1. Upgrade-specific items for trixie
This section covers items related to the upgrade from bookworm to trixie.
5.1.1. openssh-server no longer reads ~/.pam_environment
The Secure Shell (SSH) daemon provided in the openssh-server package, which allows logins from remote systems, no longer reads the user's ~/.pam_environment file by default; this feature has a history of security problems and has been deprecated in current versions of the Pluggable Authentication Modules (PAM) library. If you used this feature, you should switch from setting variables in ~/.pam_environment to setting them in your shell initialization files (e.g. ~/.bash_profile or ~/.bashrc) or some other similar mechanism instead.
Existing SSH connections will not be affected, but new connections may behave differently after the upgrade. If you are upgrading remotely, it is normally a good idea to ensure that you have some other way to log into the system before starting the upgrade; see Prepare for recovery.
5.1.2. OpenSSH no longer supports DSA keys
Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell (SSH) protocol, are inherently weak: they are limited to 160-bit private keys and the SHA-1 digest. The SSH implementation provided by the openssh-client and openssh-server packages has disabled support for DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9 ("stretch"), although it could still be enabled using the HostKeyAlgorithms and PubkeyAcceptedAlgorithms configuration options for host and user keys respectively.
The only remaining uses of DSA at this point should be connecting to some very old devices. For all other purposes, the other key types supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.
As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the above configuration options. If you have a device that you can only connect to using DSA, then you can use the ssh1 command provided by the openssh-client-ssh1 package to do so.
In the unlikely event that you are still using DSA keys to connect to a Debian server (if you are unsure, you can check by adding the -v option to the ssh command line you use to connect to that server and looking for the "Server accepts key:" line), then you must generate replacement keys before upgrading. For example, to generate a new Ed25519 key and enable logins to a server using it, run this on the client, replacing username@server with the appropriate user and host names:
$ ssh-keygen -t ed25519
$ ssh-copy-id username@server
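A complementary check can be run on the server and over configuration files before upgrading. The script below is an added example, not part of the release notes: it reports DSA entries in authorized_keys-style files and configuration lines where the options mentioned above name ssh-dss. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the release notes): find DSA keys and DSA-enabling
# configuration lines before OpenSSH 9.8p1 in trixie stops accepting them.

# Print "file:line: comment" for each DSA key in authorized_keys-style files.
# A match needs the "ssh-dss" type token AND a blob starting with the base64
# encoding of that type, so "ssh-dss" inside an options field is not counted.
find_dsa_keys() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "ssh-dss" && index($(i + 1), "AAAAB3NzaC1kc3M") == 1) {
                    printf "%s:%d: %s\n", FILENAME, FNR, (i + 2 <= NF ? $(i + 2) : "(none)")
                    break
                }
        }' "$@"
}

# Print ssh_config/sshd_config lines where HostKeyAlgorithms or
# PubkeyAcceptedAlgorithms (or its older alias PubkeyAcceptedKeyTypes) names
# ssh-dss. Keywords are case-insensitive and may be followed by "=".
find_dsa_config() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /^[ \t]*(hostkeyalgorithms|pubkeyacceptedalgorithms|pubkeyacceptedkeytypes)[ \t=]/ &&
        tolower($0) ~ /ssh-dss/ { printf "%s:%d: %s\n", FILENAME, FNR, $0 }' "$@"
}

# Constructed sample input (key blobs are truncated placeholders, not real keys).
keys=$(mktemp); conf=$(mktemp); trap 'rm -f "$keys" "$conf"' EXIT
cat > "$keys" <<'EOF'
# constructed authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER alice@oldbox
command="echo ssh-dss",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER backup@nas
from="192.0.2.5" ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER router@lab
EOF
cat > "$conf" <<'EOF'
# HostKeyAlgorithms +ssh-dss
Host oldswitch
    HostKeyAlgorithms +ssh-dss
    pubkeyacceptedalgorithms=+ssh-dss,ssh-rsa
Host *
    HostKeyAlgorithms ssh-ed25519
EOF
find_dsa_keys "$keys"      # reports lines 3 and 5 only
find_dsa_config "$conf"    # reports lines 3 and 4 only
# On a real system, e.g.: find_dsa_keys /home/*/.ssh/authorized_keys
```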
5.2. Things to do after the upgrade and before rebooting
When apt full-upgrade has finished, the "formal" upgrade is complete. For the upgrade to trixie, there are no special actions needed before performing a reboot.
5.2.1. Items not limited to the upgrade process
5.2.2. Limitations in security support
There are some packages for which Debian cannot promise to provide security updates. These are covered in the subsections below.
Note
The debian-security-support package helps to track the security support status of installed packages.
5.2.2.1. Security status of web browsers and their rendering engines
Debian 13 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Applications using the webkit2gtk source package (e.g. epiphany) are covered by security support, but applications using qtwebkit (source package qtwebkit-opensource-src) are not.
For general web browsing we recommend Firefox or Chromium. They will be kept up to date by rebuilding the ESR (Extended Support Release) versions for the stable distribution. The same strategy will be applied to Thunderbird.
Once a release becomes oldstable, officially supported browsers may not continue to receive updates for the standard period of coverage. For example, Chromium will only receive 6 months of security support in oldstable rather than the typical 12 months.
5.2.2.2. Go- and Rust-based packages
The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. With the growth of the Go and Rust ecosystems it means that these packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.
In most cases if updates are warranted for Go or Rust development libraries, they will only be released via regular point releases.
5.3. Obsolescence and deprecation
5.3.1. Noteworthy obsolete packages
The following is a list of known and noteworthy obsolete packages (see Obsolete packages for a description).
The list of obsolete packages includes:
To be added, as below:
The libnss-ldap package has been removed from trixie. Its functionalities are now covered by libnss-ldapd and libnss-sss.
5.3.2. Deprecated components for trixie
With the next release, Debian 14 (codenamed forky), some features will be deprecated. To prevent problems when upgrading to Debian 14, users should migrate to alternative solutions.
The following features are affected:
To be added, as below:
Development of the NSS service gw_name stopped in 2015. The associated package libnss-gw-name may be removed in future Debian releases. The upstream developer suggests using libnss-myhostname instead.
The openssh-client and openssh-server packages currently support GSS-API authentication and key exchange, which is usually used to authenticate to Kerberos services. This has caused some problems, especially on the server side where it adds new pre-authentication attack surface, and Debian's main OpenSSH packages will therefore stop supporting it starting with forky.
If you are using GSS-API authentication or key exchange (look for options starting with GSSAPI in your OpenSSH configuration files) then you should install the openssh-client-gssapi (on clients) or openssh-server-gssapi (on servers) package now. On trixie, these are empty packages depending on openssh-client and openssh-server respectively; on forky, they will be built separately.
5.4. Known severe bugs
Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing trixie can be found in the Debian Bug Tracking System. The following bugs were affecting trixie at the time of the release and worth mentioning in this document:
| Bug number | Package (source or binary) | Description |
|---|---|---|
|  | akonadi-backend-mysql | akonadi server fails to start since it cannot connect to mysql database |
|  | faketime | faketime doesn't fake time (on i386) |
|  | src:fuse3 | provide upgrade path fuse -> fuse3 for bookworm |
|  | g++-12 | tree-vectorize: Wrong code at O2 level (-fno-tree-vectorize is working) |
|  | git-daemon-run | fails to purge: deluser -f: Unknown option: f |
|  | git-daemon-run | fails with 'warning: git-daemon: unable to open supervise/ok: file does not exist' |
|  | src:gluegen2 | embeds non-free headers |