| Kapitel 5. Ting man skal være opmærksom på i forbindelse med stretch | ||
|---|---|---|
 |  | |
| Kapitel 5. Ting man skal være opmærksom på i forbindelse med stretch | ||
|---|---|---|
| | | |
Indholdsfortegnelse
libinput Xorg driverdbgsym packages by
defaultnet-tools will be deprecated in
favor of iproute2_netdev mount option is recommended when using AoE
(ATA over ethernet) devicesSometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Afsnit 6.1, “Yderligere læsning”.
This section covers items related to the upgrade from jessie to stretch.
![[Bemærk]](images/note.png) | Bemærk |
|---|---|
This section only applies to systems using a custom kernel, where
|
Mounting of /usr using only tools found in
/ is no longer supported. This has only worked for a
few specific configurations in the past, and now they are explicitly
unsupported.
This means that for stretch all systems where
/usr is a separate partition need to use an initramfs
generator that will mount /usr. All initramfs
generators in stretch do so.
Debian hosted mirrors will stop providing FTP access. If you have been
using the ftp: protocol in your sources.list, please
migrate to http:. Please consider the following example
for migrating:
deb http://deb.debian.org/debian stretch main deb http://deb.debian.org/debian-security stretch/updates main # tor variant (requires apt-transport-tor) # deb tor+http://vwakviie2ienjx6t.onion/debian stretch main # deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main
The above examples do not include non-free and
contrib. Please remember to include these if you require
those components enabled.
For more information, please refer to the announcement: Shutting down public FTP services.
Den følgende liste viser kendte og værd at bemærke forældede pakker (se Afsnit 4.8, “Forældede pakker” for en beskrivelse).
Listen over forældede pakker inkluderer:
Most -dbg packages have been removed from the main
archive. They have been replaced by -dbgsym packages
that are available from the debian-debug archive. Please
see Afsnit 2.2.8, “A new archive for debug symbols”.
The password managers fpm2 and
kedpm are no longer maintained
upstream. Please use another password manager like pass, keepassx, or keepass2. Make sure that you extract your
passwords from fpm2 and kedpm before removing the packages.
The net-tools package is being
deprecated in favor of iproute2.
See Afsnit 5.3.9, “net-tools will be deprecated in
favor of iproute2” or the
Debian reference manual for more information.
The nagios3 monitoring tools have
been removed from stretch. The icinga package is the closest replacement. It
reads its configuration files from a different path than nagios did, but is
otherwise compatible.
When apt-get dist-upgrade has finished, the
“formal” upgrade is complete. For the upgrade to
stretch, there are no special actions needed before performing a
reboot.
By default, the GNU GCC 6 compiler provided by Debian stretch will compile all executables as position independent. This provides a mitigation for an entire class of vulnerabilities.
Unfortunately, the Linux kernel provided in Debian 8 (up to 8.7) has an
issue that can cause some programs compiled as position independent
executables to crash with a non-descriptive issue like segmentation
fault. This issue is solved in the Linux version provided in 8.8
(version 3.16.43 or later) and in the kernel provided in Debian 9 (version
4.9 or later).
We recommend that you upgrade your kernel to a fixed version and then reboot before starting the upgrade to stretch. If you are running the kernel from Debian 8.8 or newer, you are not affected by this issue.
If you are running an affected version of the kernel during the upgrade, we highly recommend that you perform a reboot into the stretch kernel right after the upgrade to avoid hitting this.
| Bemærk |
|---|---|
This section is mainly intended for developers or system administrators. Desktop users are unlikely to be affected by this section. |
The above also leads to some changes that are worth being aware of.
The file tool (among others) will classify such binaries as “shared object” rather than an “executable”. If you have filters based on binary files, these may need to be updated (e.g. spamfilters).
Static libraries being compiled into an executable now also need to be compiled as position independent code. The following error message from the linker is a symptom of this:
relocation ... against '[SYMBOL]' can not be used when making a shared object; recompile with -fPIC
Note that even though the error message says -fPIC, it is sufficient to recompile with -fPIE (which is the default in the GCC 6 packages that are part of stretch).
Historically, position independent executables have been associated with
performance loss on some hardware. Notably the Debian architecture
i386 (32-bit Intel machines). While GCC 5 and GCC 6 have
greatly improved
performance for position independent executables on 32-bit Intel,
this optimization may not be applicable to all architectures. Please
consider evaluating the performance of your code if you are targeting
machine architectures with a very limited number of registers.
Due to lack of interest and testability, Debian has removed the vast majority of the Linux Standard Base (LSB) compatibility packages.
Debian will still provide a selected few key LSB utilities used internally
and externally, such as lsb-release
and the sysvinit init functions in lsb-base. Furthermore, Debian is still firmly
standing by the Filesystem
Hierarchy Standard (FHS) version 2.3 with the minor alterations described in
the Debian Policy Manual.
Der er nogle pakker hvor Debian ikke kan love at tilbyde minimale tilbageporteringer for sikkerhedsmæssige problemstillinger. Disse dækkes i de følgende underafsnit.
Note that the package debian-security-support helps to track the
security support status of installed packages.
Debian 9 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers with backported security fixes. Additionally, library interdependencies make it impossible to update to newer upstream releases. Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in stretch, but not covered by security support. These browsers should not be used against untrusted websites.
Som generel internetbrowser, anbefaler vi Firefox eller Chromium.
Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable. Firefox and Thunderbird will also be kept up-to-date by rebuilding the current ESR releases for stable.
The Node.js platform is built on top of libv8-3.14, which experiences a high volume of
security issues, but there are currently no volunteers within the project or
the security team sufficiently interested and willing to spend the large
amount of time required to stem those incoming issues.
Desværre betyder dette, at libv8-3.14, nodejs, og det associerede node-*-pakkeøkosystem
ikke bør bruges med utroværdigt indhold, såsom urensede data fra
internettet.
In addition, these packages will not receive any security updates during the lifetime of the stretch release.
In most cases, packages should upgrade smoothly between jessie and stretch. There are a small number of cases where some intervention may be required, either before or during the upgrade; these are detailed below on a per-package basis.
The OpenSSH 7 release has disabled some older ciphers and the SSH1 protocol by default. Please be careful when upgrading machines where you only have SSH access.
Moreover, the default of the "UseDNS" configuration option has changed from yes to no. This may cause users who use the "from=" functionality in authorized_keys to limit ssh access by host to be locked out, which is especially troublesome if upgrading remotely.
Se OpenSSH documentation for yderligere information.
Dette afsnit dækker nogle af de ikke kompatible ændringer til APT, som kan påvirke dit system.
APT will now attempt to discard all root privileges before fetching files from mirrors. APT can detect some common cases where this will fail and fall back to fetching things as root with a warning. However, it may fail to detect some exotic setups (e.g. UID-specific firewall rules).
If you experience issues with this feature, please change to the
_apt user and check that it:
har læseadgang til filer i /var/lib/apt/lists og
/var/cache/apt/archives.
har læseadgang til APT trust store
(/etc/apt/trusted.gpg og
/etc/apt/trusted.gpg.d/)
kan slå DNS-navne op og hente filer. Eksempler på testmetoder:
# From the dnsutils package (if using tor, please check with tor-resolve instead). $ nslookup debian.org >/dev/null || echo "Cannot resolve debian.org" $ wget -q https://debian.org/ -O- > /dev/null || echo "Cannot download index page of debian.org"
For DNS-problemstillinger, kontroller venligst at
/etc/resolv.conf er læsbar.
APT 1.1 introduced a new pinning engine that now matches the description in the manual page.
The old engine assigned one pin priority per package; the new one assigns pin priorities per version. It then picks the version with the highest pin that is not a downgrade or that has a pin > 1000.
This changes the effect of some pins, especially negative ones. Previously, pinning a version to -1 effectively prevented the package from being installed (the package pin was -1); it now only prevents the version of this package from being installed.
| Bemærk |
|---|---|
This section only applies if you have (or intend to use) third-party repositories enabled or if you maintain an APT repository. |
To improve download stability and ensure security of the downloaded content, APT now requires the following from an APT repository:
The InRelease file must be available.
All metadata must include at least SHA256 checksums of all items. This includes the GPG signature of the InRelease file.
Signatures on the InRelease file should be done with a key size of 2048 bits or larger.
Hvis du afhænger af et tredjepartsarkiv, som ikke kan overholde ovenstående, så bed dem om at opgradere deres arkiv. Yderligere information om InRelease-filen kan findes på Debians wiki.
| Bemærk |
|---|---|
This section is only relevant if you have tweaked or need to change the default Xorg input configuration. |
In jessie, the default input driver for Xorg is the evdev
driver. In stretch, the default has changed to
libinput. If you have Xorg configuration that relies on
the evdev driver, you will either have to convert it to
the libinput driver or reconfigure your system to use the
evdev driver.
The following is an example configuration for libinput to
enable the “Emulate3Buttons” feature.
Section "InputClass"
Identifier "mouse"
MatchIsPointer "on"
Driver "libinput"
Option "MiddleEmulation" "on"
EndSection
Insert it into
/etc/X11/xorg.conf.d/41-middle-emulation.conf, reboot
(or restart your Xserver) and it should now be enabled.
The evdev driver is still available in the xserver-xorg-input-evdev package.
Due to the lack of upstream maintainers, the Upstart init system has been removed from stretch. If your system relies on this package, you should note that it will not be updated during the lifetime of Debian 9, and starting from Debian 10 (buster), Upstart jobs may be removed from packages.
Please consider switching to a supported init system, like systemd or OpenRC.
| Bemærk |
|---|---|
This section is mainly intended for developers or organizations that build their own debian packages. |
The debhelper tool suite will now generate dbgsym
packages by default for ELF binaries. If you develop and package binaries,
please check that your tooling supports these extra auto-generated packages.
If you use reprepro, you want to
upgrade it to at least version 4.17.0. For aptly, you will need at least version 1.0.0,
which is unfortunately not available in Debian stretch.
Should your tooling be unable to cope with these gracefully, you can ask
debhelper to disable this feature by adding
“noautodbgsym” in the DEB_BUILD_OPTIONS
variable of your build service. Please see the
dh_strip manpage for more information.
The openssl application expects option arguments before non-option arguments. For example, this does not work anymore:
openssl dsaparam 2048 -out file
while this still does:
openssl dsaparam -out file 2048
The openssl enc command changed the default digest (used to create the key from passphrase) from MD5 to SHA256. The digest can be specified with the -md option in case old files need to be decrypted with newer OpenSSL (or the other way around).
The 3DES and RC4 ciphers are no longer available for TLS/SSL communication. Servers linked against OpenSSL can't offer them and clients can't connect to servers which offer only those. This means that OpenSSL and Windows XP share no common cipher.
The package libssl-dev provides
header files to compile against OpenSSL 1.1.0. The API changed a lot and it
is possible that the software won't compile anymore. There is an overview of the
changes. If you can't update your software, there is also
libssl1.0-dev which provides headers
against OpenSSL 1.0.2.
| Bemærk |
|---|---|
This section applies to code maintained outside Debian - local, third-party, or legacy Perl scripts and modules. |
Some modules have been removed from Perl core and are now shipped in
separate packages. Notable examples are CGI, available in
the libcgi-pm-perl package, and
Module::Build, available in the libmodule-build-perl package.
The current working directory (.) has been removed from
the default list of include directories, @INC. This may
affect usage of require(), do(), etc.,
where the arguments are files in the current directory.
All perl programs and module shipped by Debian should have been fixed to address any incompatibilities caused by the above; please file bugs if this is not the case. As the change has now been made in perl 5.26.0, third-party software should also start to be fixed. Information about how to fix this issue for developers is provided in the perl 5.26 release notes (see the SECURITY section).
If needed you can temporarily reinstate . in
@INC globally by commenting out the line in
/etc/perl/sitecustomize.pl but you should only do this
with a understanding of the potential risks. This workaround will be removed
in Debian 10. You can also set the
PERL_USE_UNSAFE_INC environment variable in a specific
context which will have the same effect.
The full list of changes in Perl since the version in Debian 8 is available in perl522delta and perl524delta.
The PostgreSQL PL/Perl procedural language package in jessie is incompatible
with the Perl version in stretch. The postgresql-plperl-9.4 package will be removed
during the update, rendering server-side Perl procedures
dysfunctional. Upgrading to PostgreSQL 9.6 should be unaffected; the
procedures will work in the new PostgreSQL cluster if the postgresql-plperl-9.6 package is installed. If
unsure, take a backup of your PostgreSQL 9.4 clusters before upgrading to
stretch.
The net-tools package is no longer
part of new installations by default, since its priority has been lowered
from important to optional. Users are instead advised to use the modern
iproute2 toolset (which has been
part of new installs for several releases already). If you still prefer to
continue using the net-tools
programs you can simply install it via
apt install net-tools
Here is a summary of the net-tools commands, together with their iproute2 equivalent:
| legacy net-tools commands | iproute2 replacement commands |
|---|---|
| arp | ip n (ip neighbor) |
| ifconfig | ip a (ip addr), ip link, ip -s (ip -stats) |
| iptunnel | ip tunnel |
| nameif | ip link |
| netstat | ss, ip route (for netstat -r), ip -s link (for netstat -i), ip maddr (for netstat -g) |
| route | ip r (ip route) |
| Bemærk |
|---|---|
This only applies to systems that have ATA over ethernet (AoE) devices mounted. If the system does not mount any network shares, you can safely skip this section. |
Due to a cleanup in the handling of network deconfiguration, AoE devices in
use are no longer handled as expected during shutdown, possibly resulting in
hangs and/or data loss. To mitigate that situation, it is suggested to mount
such devices using the _netdev mount option. That option
is available when using swap over AoE as well.
During the upgrade, you may see some warning like:
![[Advarsel]](images/warning.png)
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/^(.*?)(\\)?\${ <-- HERE ([^{}]+)}(.*)$/ at /usr/share/perl5/Debconf/Question.pm line 72.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/\${ <-- HERE ([^}]+)}/ at /usr/share/perl5/Debconf/Config.pm line 30.
These are harmless and happens if perl-base is upgraded before the debconf package.
| Bemærk |
|---|---|
This section only applies to system that is using SELinux, which is not enabled by default. |
In stretch, the SELinux policy store have moved from
/etc/selinux/
to
<policy_name>/var/lib/selinux/.
Furthermore, the format used inside the store has changed.
<policy_name>
The policies provided by Debian (from e.g. the selinux-policy-default package) will be migrated
automatically. However, system specific policies need to be migrated
manually.
The semanage-utils package provides
the script /usr/lib/selinux/semanage_migrate_store to
do this transition.
The iSCSI Enterprise Target (IET), packaged in the iscsitarget package in previous releases, is no
longer in Debian, as it will not work with recent kernel versions, and the
project has seen no development activity in recent years.
Users of IET are encouraged to switch to the LIO stack, which is fully
supported in Debian stretch. The package targetcli-fb provides the configuration utility
for the LIO iSCSI target.
As the LIO stack was developed independently of the IET, the configuration has to be migrated manually.
| | | |
| Kapitel 4. Opgraderinger fra Debian 8 (jessie) |  | Kapitel 6. Yderligere oplysninger om Debian |