5. Problèmes à connaître pour trixie

Parfois, des changements ont des effets de bord que nous ne pouvons pas raisonnablement éviter sans nous exposer à des bogues à un autre endroit. Cette section documente les problèmes que nous connaissons. Veuillez également lire l'errata, la documentation des paquets concernés, les rapports de bogues et les autres sources d'informations mentionnées dans la Lectures pour aller plus loin.

5.1. Mise à niveau d'éléments spécifiques pour trixie

Cette section concerne les éléments liés à la mise à niveau de bookworm vers trixie

5.1.1. Reduced support for i386

From trixie, i386 is no longer supported as a regular architecture: there is no official kernel and no Debian installer for i386 systems. Fewer packages are available for i386 because many projects no longer support it. The architecture's sole remaining purpose is to support running legacy code, for example, by way of multiarch or a chroot.

Users running i386 systems should not upgrade to trixie. Instead, Debian recommends either reinstalling them as amd64, where possible, or retiring the hardware. Cross-grading without a reinstall is a technically possible, but risky, alternative.

5.1.2. openssh-server no longer reads ~/.pam_environment

The Secure Shell (SSH) daemon provided in the openssh-server package, which allows logins from remote systems, no longer reads the user's ~/.pam_environment file by default; this feature has a history of security problems and has been deprecated in current versions of the Pluggable Authentication Modules (PAM) library. If you used this feature, you should switch from setting variables in ~/.pam_environment to setting them in your shell initialization files (e.g. ~/.bash_profile or ~/.bashrc) or some other similar mechanism instead.

Existing SSH connections will not be affected, but new connections may behave differently after the upgrade. If you are upgrading remotely, it is normally a good idea to ensure that you have some other way to log into the system before starting the upgrade; see Soyez prêts à récupérer le système.

5.1.3. OpenSSH no longer supports DSA keys

Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell (SSH) protocol, are inherently weak: they are limited to 160-bit private keys and the SHA-1 digest. The SSH implementation provided by the openssh-client and openssh-server packages has disabled support for DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9 ("stretch"), although it could still be enabled using the HostKeyAlgorithms and PubkeyAcceptedAlgorithms configuration options for host and user keys respectively.

The only remaining uses of DSA at this point should be connecting to some very old devices. For all other purposes, the other key types supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.

As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the above configuration options. If you have a device that you can only connect to using DSA, then you can use the ssh1 command provided by the openssh-client-ssh1 package to do so.

In the unlikely event that you are still using DSA keys to connect to a Debian server (if you are unsure, you can check by adding the -v option to the ssh command line you use to connect to that server and looking for the "Server accepts key:" line), then you must generate replacement keys before upgrading. For example, to generate a new Ed25519 key and enable logins to a server using it, run this on the client, replacing username@server with the appropriate user and host names:

$ ssh-keygen -t ed25519
$ ssh-copy-id username@server

5.1.4. The last, lastb and lastlog commands have been replaced

The util-linux package no longer provides the last or lastb commands, and the login package no longer provides lastlog. These commands provided information about previous login attempts using /var/log/wtmp, /var/log/btmp, /var/run/utmp and /var/log/lastlog, but these files will not be usable after 2038 because they do not allocate enough space to store the login time (the Year 2038 Problem), and the upstream developers do not want to change the file formats. Most users will not need to replace these commands with anything, but the util-linux package provides a lslogins command which can tell you when accounts were last used.

There are two direct replacements available: last can be replaced by wtmpdb from the wtmpdb package (the libpam-wtmpdb package also needs to be installed) and lastlog can be replaced by lastlog2 from the lastlog2 package (libpam-lastlog2 also needs to be installed). If you want to use these, you will need to install the new packages after the upgrade, see the util-linux NEWS.Debian for further information. The command lslogins --failed provides similar information to lastb.

If you do not install wtmpdb then we recommend you remove old log files /var/log/wtmp*. If you do install wtmpdb it will upgrade /var/log/wtmp and you can read older wtmp files with wtmpdb import -f <dest>. There is no tool to read /var/log/lastlog* or /var/log/btmp* files: they can be deleted after the upgrade.

5.1.5. RabbitMQ no longer supports HA queues

High-availability (HA) queues are no longer supported by rabbitmq-server starting in trixie. To continue with an HA setup, these queues need to be switched to "quorum queues".

If you have an OpenStack deployment, please switch the queues to quorum before upgrading. Please also note that beginning with OpenStack's "Caracal" release in trixie, OpenStack supports only quorum queues.

5.1.6. RabbitMQ cannot be directly upgraded from bookworm

There is no direct, easy upgrade path for RabbitMQ from bookworm to trixie. Details about this issue can be found in bug 1100165.

The recommended upgrade path is to completely wipe the rabbitmq database and restart the service (after the trixie upgrade). This may be done by deleting /var/lib/rabbitmq/mnesia and all of its contents.

5.1.7. MariaDB major version upgrades only work reliably after a clean shutdown

MariaDB does not support error recovery across major versions. For example if a MariaDB 10.11 server experienced an abrupt shutdown due to power loss or software defect, the database needs to be restarted with the same MariaDB 10.11 binaries so it can do successful error recovery and reconcile the data files and log files to roll-forward or revert transactions that got interrupted.

If you attempt to do crash recovery with MariaDB 11.8 using the data directory from a crashed MariaDB 10.11 instance, the newer MariaDB server will refuse to start.

To ensure a MariaDB Server is shut down cleanly before going into major version upgrade, stop the service with

# service mariadb stop

followed by checking server logs for Shutdown complete to confirm that flushing all data and buffers to disk completed successfully.

If it didn't shut down cleanly, restart it to trigger crash recovery, wait, stop again and verify that second stop was clean.

For additional information about how to make backups and other relevant information for system administrators, please see /usr/share/doc/mariadb-server/README.Debian.gz.

5.1.8. Ping no longer runs with elevated privileges

The default version of ping (provided by iputils-ping) is no longer installed with access to the CAP_NET_RAW linux capability, but instead uses ICMP_PROTO datagram sockets for network communication. Access to these sockets is controlled based on the user's Unix group membership using the net.ipv4.ping_group_range sysctl. In normal installations, the linux-sysctl-defaults package will set this value to a broadly permissive value, allowing unprivileged users to use ping as expected, but some upgrade scenarios may not automatically install this package. See /usr/lib/sysctl.d/50-default.conf and the kernel documentation for more information on the semantics of this variable.

5.1.9. Significant changes to libvirt packaging

The libvirt-daemon package, which provides an API and toolkit for managing virtualization platforms, has been overhauled in trixie. Each driver and storage backend now comes in a separate binary package, which enables much greater flexibility.

Care is taken during upgrades from bookworm to retain the existing set of components, but in some cases functionality might end up being temporarily lost. We recommend that you carefully review the list of installed binary packages after upgrading to ensure that all the expected ones are present; this is also a great time to consider uninstalling unwanted components.

In addition, some conffiles might end up marked as "obsolete" after the upgrade. The /usr/share/doc/libvirt-common/NEWS.Debian.gz file contains additional information on how to verify whether your system is affected by this issue and how to address it.

5.1.10. Choses à faire avant de redémarrer après la mise à niveau

Lorsque apt full-upgrade a terminé, la mise à niveau "formelle" est terminée. Pour la mise à niveau vers trixie il n'y a rien de particulier à faire avant de redémarrer.

5.2. Éléments non limités au processus de mise à niveau

5.2.1. Limitations de la prise en charge de sécurité

Il existe certains paquets pour lesquels Debian ne peut pas garantir de rétroportages minimaux pour les problèmes de sécurité. Cela est développé dans les sous-sections suivantes.

Note

Le paquet debian-security-support aide à suivre l’état de la prise en charge du suivi de sécurité des paquets installés.

5.2.1.1. État de sécurité des navigateurs web et de leurs moteurs de rendu

Debian 13 inclut plusieurs moteurs de navigateur web qui sont affectés par un flot continu de vulnérabilités de sécurité. Ce taux élevé de vulnérabilités ainsi que le manque partiel de prise en charge amont sous la forme de branches maintenues à long terme rendent difficiles les corrections de sécurité rétroportées. De plus, les interdépendances des bibliothèques rendent extrêmement difficile la mise à niveau vers une nouvelle version. Les applications utilisant le paquet source webkit2gtk (par exemple, epiphany) sont couvertes par la prise en charge de sécurité, mais les applications utilisant qtwebkit (paquet source qtwebkit-opensource-src) ne les sont pas.

Pour une utilisation classique, nous recommandons les navigateurs Firefox ou Chromium. Ceux-ci seront maintenus à jour en recompilant les versions ESR actuelles pour stable. La même stratégie sera appliquée pour Thunderbird.

Une fois qu'une version devient oldstable, les navigateurs pris en charge officiellement ne continuent pas à recevoir des mises à jour durant la période normale de couverture. Par exemple, Chromium ne recevra que pendant six mois une prise en charge de sécurité dans Oldstable au lieu des douze mois habituels.

5.2.1.2. Paquets basés sur Go et Rust

L’infrastructure de Debian a actuellement des problèmes pour recompiler correctement les types de paquets qui ont systématiquement recours aux liens statiques. Avec la croissance de l’écosystème de Go et de Rust cela signifie que ces paquets seront couverts par une prise en charge de sécurité limitée jusqu’à ce que l’infrastructure soit améliorée pour pouvoir les gérer durablement.

Dans la plupart des cas, si les mises à jour sont justifiées pour les bibliothèques de développement de Go ou de Rust, elles ne viendront que des mises à jour intermédiaires normales.

5.3. Obsolescence et dépréciation

5.3.1. Paquets obsolètes

La liste suivante contient des paquets connus et obsolètes (voir Paquets obsolètes pour une description).

La liste des paquets obsolètes contient :

  • The libnss-gw-name package has been removed from trixie. The upstream developer suggests using libnss-myhostname instead.

  • The pcregrep package has been removed from trixie. It can be replaced with grep -P (--perl-regexp) or pcre2grep (from pcre2-utils).

5.3.2. Composants dépréciés pour trixie

Avec la prochaine publication de Debian 14 (nom de code forky), certaines fonctionnalités seront déconseillées. Les utilisateurs devront migrer vers des alternatives pour éviter les problèmes lors de la mise à jour vers Debian 14.

Cela comprend les fonctionnalités suivantes :

  • The sudo-ldap package will be removed in forky. The Debian sudo team has decided to discontinue it due to maintenance difficulties and limited use. New and existing systems should use libsss-sudo instead.

    Upgrading Debian trixie to forky without completing this migration may result in the loss of intended privilege escalation.

    For further details, please refer to bug 1033728 and to the NEWS file in the sudo package.

  • The sudo_logsrvd feature, used for sudo input/output logging, may be removed in Debian forky unless a maintainer steps forward. This component is of limited use within the Debian context, and maintaining it adds unnecessary complexity to the basic sudo package.

    For ongoing discussions, see bug 1101451 and the NEWS file in the sudo package.

  • The libnss-docker package is no longer developed upstream and requires version 1.21 of the Docker API. That deprecated API version is still supported by Docker Engine v26 (shipped by Debian trixie) but will be removed in Docker Engine v27+ (shipped by Debian forky). Unless upstream development resumes, the package will be removed in Debian forky.

  • The openssh-client and openssh-server packages currently support GSS-API authentication and key exchange, which is usually used to authenticate to Kerberos services. This has caused some problems, especially on the server side where it adds new pre-authentication attack surface, and Debian's main OpenSSH packages will therefore stop supporting it starting with forky.

    If you are using GSS-API authentication or key exchange (look for options starting with GSSAPI in your OpenSSH configuration files) then you should install the openssh-client-gssapi (on clients) or openssh-server-gssapi (on servers) package now. On trixie, these are empty packages depending on openssh-client and openssh-server respectively; on forky, they will be built separately.

  • sbuild-debian-developer-setup has been deprecated in favor of sbuild+unshare

    sbuild, the tool to build Debian packages in a minimal environment, has had a major upgrade and should work out of the box now. As a result the package sbuild-debian-developer-setup is no longer needed and has been deprecated. You can try the new version with:

    $ sbuild --chroot-mode=unshare --dist=unstable hello

  • The fcitx packages have been deprecated in favor of fcitx5

    The fcitx input method framework, also known as fcitx4 or fcitx 4.x, is no longer maintained upstream. As a result, all related input method packages are now deprecated. The package fcitx and packages with names beginning with fcitx- will be removed in Debian forky.

    Existing fcitx users are encouraged to switch to fcitx5 following the fcitx upstream migration guide and Debian Wiki page.

5.4. Bogues sévères connus

Bien que Debian ne publie que quand elle est prête, cela ne signifie pas malheureusement qu'il n'y a pas de bogues connus. Dans le cadre du processus de publication, tous les bogues de sévérité sérieuse ou plus élevée sont activement suivis par l'équipe de publication, aussi une vue d'ensemble de ces bogues qui ont été marqués comme devant être ignorés dans la partie finale du processus de publication de trixie est disponible dans le système de suivi de bogues de Debian. Les bogues suivants affectent trixie au moment de la publication et méritent d'être mentionnés dans ce document :

Numéro de bogue

Paquet (source ou binaire)

Description

1032240

akonadi-backend-mysql

le serveur akonadi échoue à démarrer puisqu'il ne peut pas se connecter à la base de données mysql

1032177

faketime

faketime ne produit pas de fausses dates (sur i386)

918984

src:fuse3

provide upgrade path fuse -> fuse3 for bookworm

1016903

g++-12

tree-vectorize : code erroné au niveau 02 (-fno-tree-vectorize fonctionne)

1034752

src:gluegen2

intègre des en-têtes non-libres