5. Issues to be aware of for trixie

Sometimes changes have side effects that we cannot avoid, or bugs appear somewhere else. The issues we are aware of are documented below. You can also read the errata, the relevant packages’ documentation, bug reports, and other information mentioned in Further reading.

5.1. Things to be aware of while upgrading to trixie

This section covers items related to the upgrade from bookworm to trixie.

5.1.1. Reduced support for i386

From trixie, i386 is no longer supported as a regular architecture: there is no official kernel and no Debian installer for i386 systems. Fewer packages are available for i386 because many projects no longer support it. The architecture’s sole remaining purpose is to support running legacy code, for example, by way of multiarch or a chroot on a 64-bit (amd64) system.

The i386 architecture is now only intended to be used on a 64-bit (amd64) CPU. Its instruction set requirements include SSE2 support, so it will not run successfully on most of the 32-bit CPU types that were supported by Debian 12.

Users running i386 systems should not upgrade to trixie. Instead, Debian recommends either reinstalling them as amd64, where possible, or retiring the hardware. Cross-grading without a reinstall is a technically possible, but risky, alternative.

5.1.2. 64-bit little-endian MIPS (mips64el) removed

From trixie, mips64el is no longer supported by Debian.

5.1.3. The temporary-files directory /tmp is now stored in a tmpfs

From trixie, the default is for the /tmp/ directory to be stored in memory using a tmpfs(5) filesystem. This should make applications using temporary files faster, but if you put large files there, you may run out of memory.

For systems upgraded from bookworm, the new behavior only starts after a reboot. Files left in /tmp will be hidden after the new tmpfs is mounted which will lead to warnings in the system journal or syslog. Such files can be accessed using a bind-mount (see mount(1)): running mount --bind / /mnt will make the underlying directory accessible at /mnt/tmp (run umount /mnt once you have cleaned up the old files).

The default is to allocate up to 50% of memory to /tmp (this is a maximum: memory is only used when files are actually created in /tmp). You can change the size by running systemctl edit tmp.mount as root and setting, for example:

[Mount]
Options=mode=1777,nosuid,nodev,size=2G

(see systemd.mount(5)).

You can return to /tmp being a regular directory by running systemctl mask tmp.mount as root and rebooting.

The new filesystem defaults can also be overridden in /etc/fstab, so systems that already define a separate /tmp partition will be unaffected.

5.1.4. openssh-server no longer reads ~/.pam_environment

The Secure Shell (SSH) daemon provided in the openssh-server package, which allows logins from remote systems, no longer reads the user’s ~/.pam_environment file by default; this feature has a history of security problems and has been deprecated in current versions of the Pluggable Authentication Modules (PAM) library. If you used this feature, you should switch from setting variables in ~/.pam_environment to setting them in your shell initialization files (e.g. ~/.bash_profile or ~/.bashrc) or some other similar mechanism instead.

Existing SSH connections will not be affected, but new connections may behave differently after the upgrade. If you are upgrading remotely, it is normally a good idea to make sure that you have some other way to log in to the system before starting the upgrade; see Prepare for recovery.

5.1.5. OpenSSH no longer supports DSA keys

Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell (SSH) protocol, are inherently weak: they are limited to 160-bit private keys and the SHA-1 digest. The SSH implementation provided by the openssh-client and openssh-server packages has disabled support for DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9 (“stretch”), although it could still be enabled using the HostKeyAlgorithms and PubkeyAcceptedAlgorithms configuration options for host and user keys respectively.

The only remaining uses of DSA at this point should be connecting to some very old devices. For all other purposes, the other key types supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.

As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the above configuration options. If you have a device that you can only connect to using DSA, then you can use the ssh1 command provided by the openssh-client-ssh1 package to do so.

In the unlikely event that you are still using DSA keys to connect to a Debian server (if you are unsure, you can check by adding the -v option to the ssh command line you use to connect to that server and looking for the “Server accepts key:” line), then you must generate replacement keys before upgrading. For example, to generate a new Ed25519 key and enable logins to a server using it, run this on the client, replacing username@server with the appropriate user and host names:

$ ssh-keygen -t ed25519
$ ssh-copy-id username@server
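
A server-side complement to the ssh -v check above, as an added example that is not part of the release notes: it lists ssh-dss entries in authorized_keys files and any HostKeyAlgorithms or PubkeyAcceptedAlgorithms lines that still name ssh-dss. The function names, file locations and sample contents are assumptions made for the illustration; the key blobs are constructed and truncated.

```sh
#!/bin/sh
# Added example: locate DSA (ssh-dss) user keys and leftover DSA settings.

# list_dsa_keys FILE...
# Prints "file:line" for each authorized_keys entry whose key type is ssh-dss.
list_dsa_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            NF == 0 || $1 ~ /^#/ { next }
            {
                # The key type may follow an options field, so look for the
                # "ssh-dss" token followed by the start of its base64 blob.
                for (i = 1; i < NF; i++)
                    if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3/) {
                        printf "%s:%d\n", file, NR
                        next
                    }
            }' "$f"
    done
}

# list_dsa_options FILE...
# Prints "file:line" for active HostKeyAlgorithms / PubkeyAcceptedAlgorithms
# lines that mention ssh-dss (keywords are matched case-insensitively).
list_dsa_options() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            tolower($0) ~ /^[ \t]*(hostkeyalgorithms|pubkeyacceptedalgorithms)[ \t=].*ssh-dss/ {
                printf "%s:%d\n", file, NR
            }' "$f"
    done
}

# Constructed sample input: key blobs are truncated placeholders, not real keys.
write_sample_files() {
    cat > "$1/authorized_keys" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed alice@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBconstructed alice@old-desktop
from="192.0.2.10",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBconstructed backup@legacy
EOF
    cat > "$1/sshd_config" <<'EOF'
# constructed sample
Port 22
PubkeyAcceptedAlgorithms +ssh-dss
#HostKeyAlgorithms +ssh-dss
HostKeyAlgorithms ssh-ed25519
EOF
}

tmp=$(mktemp -d)
write_sample_files "$tmp"
list_dsa_keys "$tmp/authorized_keys"
list_dsa_options "$tmp/sshd_config"
rm -rf "$tmp"
```

On a real server, pass the users’ authorized_keys files to list_dsa_keys and the OpenSSH configuration files to list_dsa_options before upgrading.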

5.1.6. The last, lastb and lastlog commands have been replaced

The util-linux package no longer provides the last or lastb commands, and the login package no longer provides lastlog. These commands provided information about previous login attempts using /var/log/wtmp, /var/log/btmp, /var/run/utmp and /var/log/lastlog, but these files will not be usable after 2038 because they do not allocate enough space to store the login time (the Year 2038 Problem), and the upstream developers do not want to change the file formats. Most users will not need to replace these commands with anything, but the util-linux package provides a lslogins command which can tell you when accounts were last used.

There are two direct replacements available: last can be replaced by wtmpdb from the wtmpdb package (the libpam-wtmpdb package also needs to be installed) and lastlog can be replaced by lastlog2 from the lastlog2 package (libpam-lastlog2 also needs to be installed). If you want to use these, you will need to install the new packages after the upgrade, see the util-linux NEWS.Debian for further information. The command lslogins --failed provides similar information to lastb.

If you do not install wtmpdb then we recommend you remove old log files /var/log/wtmp*. If you do install wtmpdb it will upgrade /var/log/wtmp and you can read older wtmp files with wtmpdb import -f <dest>. There is no tool to read /var/log/lastlog* or /var/log/btmp* files: they can be deleted after the upgrade.

5.1.7. Encrypted filesystems need systemd-cryptsetup package

Support for automatically discovering and mounting encrypted filesystems has been moved into the new systemd-cryptsetup package. This new package is recommended by systemd so should be installed automatically on upgrades.

Please make sure the systemd-cryptsetup package is installed before rebooting, if you use encrypted filesystems.

5.1.8. Default encryption settings for plain-mode dm-crypt devices changed

The default settings for dm-crypt devices created using plain-mode encryption (see crypttab(5)) have changed to improve security. This will cause problems if you did not record the settings used in /etc/crypttab. The recommended way to configure plain-mode devices is to record the options cipher, size, and hash in /etc/crypttab; otherwise cryptsetup will use default values, and the defaults for cipher and hash algorithm have changed in trixie, which will cause such devices to appear as random data until they are properly configured.

This does not apply to LUKS devices because LUKS records the settings in the device itself.

To properly configure your plain-mode devices, assuming they were created with the bookworm defaults, you should add cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160 to /etc/crypttab.

To access such devices with cryptsetup on the command line you can use --cipher aes-cbc-essiv:sha256 --key-size 256 --hash ripemd160. Debian recommends that you configure permanent devices with LUKS, or if you do use plain mode, that you explicitly record all the required encryption settings in /etc/crypttab. The new defaults are cipher=aes-xts-plain64 and hash=sha256.
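
An added example (not part of the release notes): a POSIX shell check that lists crypttab entries which are not marked luks and do not record cipher, size and hash, and prints the bookworm-default options from the paragraphs above for each. It assumes the devices were created with the bookworm defaults and treats every entry without the luks option as potentially plain-mode; the function names and the sample file are constructed for the illustration.

```sh
#!/bin/sh
# Added example: find crypttab entries that depend on cryptsetup's built-in
# plain-mode defaults and print the bookworm-era options to record for them.

# Values the release notes give for devices created with the bookworm defaults.
bookworm_default() {
    case "$1" in
        cipher) echo "cipher=aes-cbc-essiv:sha256" ;;
        size)   echo "size=256" ;;
        hash)   echo "hash=ripemd160" ;;
    esac
}

# audit_crypttab FILE
# Prints "<name>: add <options>" for every entry that is not marked luks and
# does not record all of cipher=, size= and hash=.
audit_crypttab() {
    # crypttab(5) fields: target name, source device, key file, options.
    while read -r name _dev _key opts; do
        case "$name" in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        case ",$opts," in
            *,luks,*) continue ;;           # LUKS records its settings on the device
        esac
        add=""
        for opt in cipher size hash; do
            case ",$opts," in
                *",$opt="*) ;;              # already recorded explicitly
                *) add="${add:+$add,}$(bookworm_default "$opt")" ;;
            esac
        done
        if [ -n "$add" ]; then
            echo "$name: add $add"
        fi
    done < "$1"
}

# Constructed sample input (device names and key paths are made up).
write_sample_crypttab() {
    cat > "$1" <<'EOF'
# <target> <source device> <key file> <options>
cryptroot  /dev/sda2  none                   luks,discard
scratch    /dev/sdb1  /etc/keys/scratch.key  plain
archive    /dev/sdc1  /etc/keys/archive.key  plain,cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160
legacy     /dev/sdd1  /etc/keys/legacy.key   cipher=aes-cbc-essiv:sha256
EOF
}

sample=$(mktemp)
write_sample_crypttab "$sample"
audit_crypttab "$sample"
rm -f "$sample"
```

Run audit_crypttab /etc/crypttab before rebooting into trixie; any line it prints names an entry whose missing options would otherwise be filled in from the new defaults.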

5.1.9. RabbitMQ no longer supports HA queues

High-availability (HA) queues are no longer supported by rabbitmq-server starting in trixie. To continue with an HA setup, these queues need to be switched to “quorum queues”.

If you have an OpenStack deployment, please switch the queues to quorum before upgrading. Please also note that beginning with OpenStack’s “Caracal” release in trixie, OpenStack supports only quorum queues.

5.1.10. RabbitMQ cannot be directly upgraded from bookworm

There is no direct, easy upgrade path for RabbitMQ from bookworm to trixie. Details about this issue can be found in bug 1100165.

The recommended upgrade path is to completely wipe the rabbitmq database and restart the service (after the upgrade to trixie). This may be done by deleting /var/lib/rabbitmq/mnesia and all of its contents.

5.1.11. MariaDB major version upgrades only work reliably after a clean shutdown

MariaDB does not support error recovery across major versions. For example if a MariaDB 10.11 server experienced an abrupt shutdown due to power loss or software defect, the database needs to be restarted with the same MariaDB 10.11 binaries so it can do successful error recovery and reconcile the data files and log files to roll-forward or revert transactions that got interrupted.

If you attempt to do crash recovery with MariaDB 11.8 using the data directory from a crashed MariaDB 10.11 instance, the newer MariaDB server will refuse to start.

To ensure a MariaDB Server is shut down cleanly before going into major version upgrade, stop the service with

# service mariadb stop

followed by checking server logs for Shutdown complete to confirm that flushing all data and buffers to disk completed successfully.

If it didn’t shut down cleanly, restart it to trigger crash recovery, wait, stop again and verify that second stop was clean.

For additional information about how to make backups and other relevant information for system administrators, please see /usr/share/doc/mariadb-server/README.Debian.gz.

5.1.12. Ping no longer runs with elevated privileges

The default version of ping (provided by iputils-ping) is no longer installed with access to the CAP_NET_RAW linux capability, but instead uses ICMP_PROTO datagram sockets for network communication. Access to these sockets is controlled based on the user’s Unix group membership using the net.ipv4.ping_group_range sysctl. In normal installations, the linux-sysctl-defaults package will set this value to a broadly permissive value, allowing unprivileged users to use ping as expected, but some upgrade scenarios may not automatically install this package. See /usr/lib/sysctl.d/50-default.conf and the kernel documentation for more information on the semantics of this variable.
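
The group-range check described above, as an added example that is not part of the release notes: it reads the two integers of net.ipv4.ping_group_range and tests whether any of a user’s group IDs lies inside the inclusive range (the kernel default of "1 0" matches no group). The function names and messages are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: decide whether any of a user's groups falls inside
# net.ipv4.ping_group_range, i.e. whether unprivileged ping can work.

# ping_allowed RANGE_FILE GID...
# RANGE_FILE holds "MIN MAX" as in /proc/sys/net/ipv4/ping_group_range.
# Returns 0 if at least one GID lies in the inclusive range, 1 if none does,
# 2 if the file cannot be read or parsed.
ping_allowed() {
    range_file=$1
    shift
    read -r min max < "$range_file" || return 2
    case "$min:$max" in
        *[!0-9:]*|:*|*:) return 2 ;;      # not exactly two unsigned integers
    esac
    for gid in "$@"; do
        if [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]; then
            return 0
        fi
    done
    return 1                              # e.g. the kernel default "1 0"
}

# report USER: check the running system for one account.
report() {
    # id -G prints the primary and supplementary group IDs; word splitting
    # of its output into separate arguments is intended here.
    if ping_allowed /proc/sys/net/ipv4/ping_group_range $(id -G "$1"); then
        echo "$1: a group is inside ping_group_range"
    else
        echo "$1: no group inside ping_group_range; check linux-sysctl-defaults"
    fi
}

if [ -r /proc/sys/net/ipv4/ping_group_range ]; then
    report "$(id -un)"
fi
```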

5.1.13. Dovecot configuration changes

The dovecot email server suite in trixie uses a configuration format that is incompatible with previous versions. Details about the configuration changes are available at docs.dovecot.org.

In order to avoid potentially extended downtime, you are strongly encouraged to port your configuration in a staging environment before beginning the upgrade of a production mail system.

5.1.14. Significant changes to libvirt packaging

The libvirt-daemon package, which provides an API and toolkit for managing virtualization platforms, has been overhauled in trixie. Each driver and storage backend now comes in a separate binary package, which enables much greater flexibility.

Care is taken during upgrades from bookworm to retain the existing set of components, but in some cases functionality might end up being temporarily lost. We recommend that you carefully review the list of installed binary packages after upgrading to ensure that all the expected ones are present; this is also a great time to consider uninstalling unwanted components.

In addition, some conffiles might end up marked as «obsolete» after the upgrade. The /usr/share/doc/libvirt-common/NEWS.Debian.gz file contains additional information on how to verify whether your system is affected by this issue and how to address it.

5.1.15. Samba: Active Directory Domain Controller packaging changes

The Active Directory Domain Controller (AD-DC) functionality was split out of samba. If you are using this feature, you need to install the samba-ad-dc package.

5.1.16. Samba: VFS modules

The samba-vfs-modules package was reorganized. Most VFS modules are now included in the samba package. However the modules for ceph and glusterfs have been split off into samba-vfs-ceph and samba-vfs-glusterfs.

5.1.17. OpenLDAP TLS now provided by OpenSSL

The TLS support in the OpenLDAP client libldap2 and server slapd is now provided by OpenSSL instead of GnuTLS. This affects the available configuration options, as well as the behavior of them.

Details about the changed options can be found in /usr/share/doc/libldap2/NEWS.Debian.gz.

If no TLS CA certificates are specified, the system default trust store will now be loaded automatically. If you do not want the default CAs to be used, you must configure the trusted CAs explicitly.

For more information about LDAP client configuration, see the ldap.conf.5 man page. For the LDAP server (slapd), see /usr/share/doc/slapd/README.Debian.gz and the slapd-config.5 man page.

5.1.18. bacula-director: Database schema update needs large amounts of disk space and time

The Bacula database will undergo a substantial schema change while upgrading to trixie.

Upgrading the database can take many hours or even days, depending on the size of the database and the performance of your database server.

The upgrade temporarily needs around double the currently used disk space on the database server, plus enough space to hold a backup dump of the Bacula database in /var/cache/dbconfig-common/backups.

Running out of disk space during the upgrade might corrupt your database and will prevent your Bacula installation from functioning correctly.

5.1.19. dpkg: warning: unable to delete old directory: …

During the upgrade, dpkg will print warnings like the following, for various packages. This is due to the finalization of the usrmerge project, and the warnings can be safely ignored.

Unpacking firmware-misc-nonfree (20230625-1) over (20230515-3) ...
dpkg: warning: unable to delete old directory '/lib/firmware/wfx': Directory not empty
dpkg: warning: unable to delete old directory '/lib/firmware/ueagle-atm': Directory not empty

5.1.20. Skip-upgrades are not supported

As with any other Debian release, upgrades must be performed from the previous release. Also all point release updates should be installed. See Start from “pure” Debian.

Skipping releases when upgrading is explicitly not supported.

For trixie, the finalization of the usrmerge project requires the upgrade to bookworm be completed before starting the trixie upgrade.

5.1.21. WirePlumber has a new configuration system

WirePlumber has a new configuration system. For the default configuration you don’t have to do anything; for custom setups see /usr/share/doc/wireplumber/NEWS.Debian.gz.

5.1.22. strongSwan migration to a new charon daemon

The strongSwan IKE/IPsec suite is migrating from the legacy charon-daemon (using the ipsec(8) command and configured in /etc/ipsec.conf) to charon-systemd (managed with the swanctl(8) tools and configured in /etc/swanctl/conf.d). The trixie version of the strongswan metapackage will pull in the new dependencies, but existing installations are unaffected as long as charon-daemon is kept installed. Users are advised to migrate their installation to the new configuration following the upstream migration page.

5.1.23. Things to do before rebooting

When apt full-upgrade has finished, the “formal” upgrade is complete. No special action is needed before the next reboot of the system after the upgrade to trixie.

5.2. Items not limited to the upgrade process

5.2.1. The directories /tmp and /var/tmp are now regularly cleaned

On new installations, systemd-tmpfiles will now regularly delete old files in /tmp and /var/tmp while the system is running. This change makes Debian consistent with other distributions. Because there is a small risk of data loss, it has been made «opt-in»: the upgrade to trixie will create a file /etc/tmpfiles.d/tmp.conf which reinstates the old behavior. This file can be deleted to adopt the new default, or edited to define custom rules. The rest of this section explains the new default and how to customize it.

The new default behavior is for files in /tmp to be automatically deleted after 10 days from the time they were last used (as well as after a reboot). Files in /var/tmp are deleted after 30 days (but not deleted after a reboot).

Before adopting the new default, you should either adapt any local programs that store data in /tmp or /var/tmp for long periods to use alternative locations, such as ~/tmp/, or tell systemd-tmpfiles to exempt the data file from deletion by creating a file local-tmp-files.conf in /etc/tmpfiles.d containing lines such as:

x /var/tmp/my-precious-file.pdf
x /tmp/foo

Please see systemd-tmpfiles(8) and tmpfiles.d(5) for more information.

5.2.2. systemd message: System is tainted: unmerged-bin

systemd upstream, since version 256, considers systems having separate /usr/bin and /usr/sbin directories noteworthy. At startup systemd emits a message to record this fact: System is tainted: unmerged-bin.

It is recommended to ignore this message. Merging these directories manually is unsupported and will break future upgrades. Further details can be found in bug #1085370.

5.2.3. Limitations in security support

There are some packages where Debian cannot promise to provide updated versions that resolve security problems. Information about these packages is covered in the following subsections.

Note

The debian-security-support package helps to track the security support status of the packages installed on the system.

5.2.3.1. Security status of web browsers and their rendering engines

Debian 13 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and the partial lack of upstream support in the form of long-term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Applications using the webkit2gtk source package (e.g. epiphany) are covered by security support, but applications using qtwebkit (source package qtwebkit-opensource-src) are not.

For general web browsing we recommend using Firefox or Chromium. They will be kept up to date by rebuilding the current ESR releases for stable. The same strategy will be applied to Thunderbird.

Once a release becomes oldstable, officially supported browsers may not continue to receive updates for the standard period of coverage. For example, Chromium will only receive 6 months of security support in oldstable rather than the typical 12 months.

5.2.3.2. Go- and Rust-based packages

The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. With the growth of the Go and Rust ecosystems, this means that these packages will have limited security support coverage until the infrastructure is improved to handle them sustainably.

In most cases, if updates are warranted for Go or Rust development libraries, they will only be released via regular point releases.

5.3. Obsolescence and deprecation

5.3.1. Noteworthy obsolete packages

The following is a list of known and noteworthy packages that are now obsolete (see Obsolete packages for a description).

The list of obsolete packages includes:

  • The libnss-gw-name package has been removed from trixie. The upstream developer suggests using libnss-myhostname instead.

  • The pcregrep package has been removed from trixie. It can be replaced with grep -P (--perl-regexp) or pcre2grep (from pcre2-utils).

  • The request-tracker4 package has been removed from trixie. Its replacement is request-tracker5, which includes instructions on how to migrate your data: you can keep the now obsolete request-tracker4 package from bookworm installed while migrating.

  • The git-daemon-run and git-daemon-sysvinit packages have been removed from trixie due to security reasons.

  • The nvidia-graphics-drivers-tesla-470 packages are no longer supported upstream and have been removed from trixie.

  • The deborphan package has been removed from trixie. To remove unnecessary packages, apt autoremove should be used, after apt-mark minimize-manual. debfoster can also be a useful tool.

5.3.2. Deprecated components for trixie

With the release of Debian 14 (codenamed forky) some features will be deprecated. Users need to migrate to other alternatives to avoid problems when upgrading to Debian 14.

This includes the following features:

  • The sudo-ldap package will be removed in forky. The Debian sudo team has decided to discontinue it due to maintenance difficulties and limited use. New and existing systems should use libsss-sudo instead.

    Upgrading Debian trixie to forky without completing this migration may result in the loss of intended privilege escalation.

    For further details, please refer to bug 1033728 and to the NEWS file in the sudo package.

  • The sudo_logsrvd feature, used for sudo input/output logging, may be removed in Debian forky unless a maintainer steps forward. This component is of limited use within the Debian context, and maintaining it adds unnecessary complexity to the basic sudo package.

    For ongoing discussions, see bug 1101451 and the NEWS file in the sudo package.

  • The libnss-docker package is no longer developed upstream and requires version 1.21 of the Docker API. That deprecated API version is still supported by Docker Engine v26 (shipped in Debian trixie) but will be removed in Docker Engine v27+ (shipped in Debian forky). Unless upstream development resumes, the package will be removed in Debian forky.

  • The openssh-client and openssh-server packages currently support GSS-API authentication and key exchange, which is usually used to authenticate to Kerberos services. This has caused some problems, especially on the server side where it adds new pre-authentication attack surface, and Debian’s main OpenSSH packages will therefore stop supporting it starting with forky.

    If you are using GSS-API authentication or key exchange (look for options starting with GSSAPI in your OpenSSH configuration files) then you should install the openssh-client-gssapi (on clients) or openssh-server-gssapi (on servers) package now. On trixie, these are empty packages depending on openssh-client and openssh-server respectively; on forky, they will be built separately.

  • sbuild-debian-developer-setup has been deprecated in favor of sbuild+unshare

    sbuild, the tool to build Debian packages in a minimal environment, has had a major upgrade and should now work without additional configuration. As a result, the sbuild-debian-developer-setup package is no longer needed and has been deprecated. You can try the new version with:

    $ sbuild --chroot-mode=unshare --dist=unstable hello
    
  • The fcitx packages have been deprecated in favor of fcitx5

    The fcitx input method framework, also known as fcitx4 or fcitx 4.x, is no longer maintained upstream. As a result, all related input method packages are now deprecated. The package fcitx and packages with names beginning with fcitx- will be removed in Debian forky.

    Existing fcitx users are encouraged to switch to fcitx5 following the fcitx upstream migration guide and Debian Wiki page.

  • The lxd virtual machine management package is no longer being updated and users should move to incus.

    After Canonical Ltd changed the license used by LXD and introduced a new copyright assignment requirement, the Incus project was started as a community-maintained fork (see bug 1058592). Debian recommends that you switch from LXD to Incus. The incus-extra package includes tools to migrate containers and virtual machines from LXD.

  • The isc-dhcp suite is deprecated upstream.

    If you are using NetworkManager or systemd-networkd, you can safely remove the isc-dhcp-client package as they both ship their own implementation. If you are using the ifupdown package, dhcpcd-base provides a replacement. The ISC recommends the Kea package as a replacement for DHCP servers.

5.4. Known severe bugs

Although Debian releases when it is ready, that unfortunately does not mean there are no known bugs. As part of the release process all bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing trixie can be found in the Debian Bug Tracking System. The following bugs were affecting trixie at the time of the release and are worth mentioning in this document:

Bug number   Package (source or binary)   Description
1032240      akonadi-backend-mysql        akonadi server fails to start since it cannot connect to mysql database
1102690      flash-kernel                 available kernels not always updated in u-boot configuration