Chapter 2. What's new in Debian 9

Table of Contents

2.1. Supported architectures
2.2. What's new in the distribution?
2.2.1. CDs, DVDs, and BDs
2.2.2. Security
2.2.3. GCC versions
2.2.4. MariaDB replaces MySQL
2.2.5. Improvements to APT and archive layouts
2.2.6. New mirror
2.2.7. Move to "Modern" GnuPG
2.2.8. A new archive for debug symbols
2.2.9. New method for naming network interfaces
2.2.10. News from Debian Med Blend
2.2.11. The Xorg server no longer requires root

The Wiki has more information about this topic.

2.1. Supported architectures

Debian 9 introduces one new architecture:

  • 64-bit little-endian MIPS (mips64el)

Debian 9 regrettably removes support for the following architecture:

  • PowerPC (powerpc)

The following are the officially supported architectures for Debian 9:

  • 32-bit PC (i386) and 64-bit PC (amd64)

  • 64-bit ARM (arm64)

  • ARM EABI (armel)

  • ARMv7 (EABI hard-float ABI, armhf)

  • MIPS (mips (big-endian) and mipsel (little-endian))

  • 64-bit little-endian MIPS (mips64el)

  • 64-bit little-endian PowerPC (ppc64el)

  • IBM System z (s390x)

You can read more about port status, and port-specific information for your architecture at the Debian port web pages.

2.2. What's new in the distribution?

This new release of Debian again comes with a lot more software than its predecessor jessie; the distribution includes over 15346 new packages, for a total of over 51687 packages. Most of the software in the distribution has been updated: over 29859 software packages (this is 57% of all packages in jessie). Also, a significant number of packages (over 6739, 13% of the packages in jessie) have for various reasons been removed from the distribution. You will not see any updates for these packages and they will be marked as "obsolete" in package management front-ends; see Section 4.8, “Obsolete packages”.

Debian again ships with several desktop applications and environments. Among others it now includes the desktop environments GNOME 3.22, KDE Plasma 5.8, LXDE, LXQt 0.11, MATE 1.16, and Xfce 4.12.

Productivity applications have also been upgraded, including the office suites:

  • LibreOffice is upgraded to version 5.2;

  • Calligra is upgraded to 2.9.

Updates of other desktop applications include the upgrade to Evolution 3.22.

Among many others, this release also includes the following software updates:

PackageVersion in 8 (jessie)Version in 9 (stretch)
BIND DNS Server9.99.10
Emacs24.424.5 and 25.1
Exim default e-mail server4.844.88
GNU Compiler Collection as default compiler4.96.3
the GNU C library2.192.24
Linux kernel image3.16 series4.9 series
Postfix MTA2.113.1
Python 33.43.5

2.2.1. CDs, DVDs, and BDs

The official Debian distribution now ships on 12 to 14 binary DVDs (depending on the architecture) and 12 source DVDs. Additionally, there is a multi-arch DVD, with a subset of the release for the amd64 and i386 architectures, along with the source code. Debian is also released as Blu-ray (BD) and dual layer Blu-ray (DLBD) images for the amd64 and i386 architectures, and also for source code. Debian used to be released as a very large set of CDs for each architecture, but with the stretch release these have been dropped.

2.2.2. Security

For the stretch release, the Debian version of the GNU GCC 6 compiler now defaults to compiling "position independent executables" (PIE). Accordingly the vast majority of all executables will now support address space layout randomization (ASLR), which is a mitigation for a number of exploits that are now probabilistic rather than deterministic.

2.2.3. GCC versions

Debian stretch includes only version 6 of the GNU GCC compiler, which may impact users expecting version 4.x or 5.x to be available. See the GCC5 and GCC6 wiki pages for more information about the transition.

2.2.4. MariaDB replaces MySQL

MariaDB is now the default MySQL variant in Debian, at version 10.1. The stretch release introduces a new mechanism for switching the default variant, using metapackages created from the mysql-defaults source package. For example, installing the metapackage default-mysql-server will install mariadb-server-10.1. Users who had mysql-server-5.5 or mysql-server-5.6 will have it removed and replaced by the MariaDB equivalent. Similarly, installing default-mysql-client will install mariadb-client-10.1.


Note that the database binary data file formats are not backwards compatible, so once you have upgraded to MariaDB 10.1 you will not be able to switch back to any previous version of MariaDB or MySQL unless you have a proper database dump. Therefore, before upgrading, please make backups of all important databases with an appropriate tool such as mysqldump.

The virtual-mysql-* and default-mysql-* packages will continue to exist. MySQL continues to be maintained in Debian, in the unstable release. See the Debian MySQL Team wiki page for current information about the mysql-related software available in Debian.

2.2.5. Improvements to APT and archive layouts

The apt package manager has seen a number of improvements since jessie. Most of these apply to aptitude as well. Following are selected highlights of some of these.

On the security side, APT now rejects weaker checksums by default (e.g. SHA1) and attempts to download as an unprivileged user. Please refer to Section, “New requirements for APT repository” and Section, “APT now fetches files as an unprivileged user (_apt)” for more information.

The APT-based package managers have also gotten a number of improvements that will remove the annoying hash sum mismatch warning that occurs when running apt during a mirror synchronization. This happens via the new by-hash layout, which enables APT to download metadata files by their content hash.

If you use third-party repositories, you may still experience these intermittent issues, if the vendor does not provide the by-hash layout. Please recommend them to adopt this layout change. A very short technical description is available in the Repository format description.

While this may be mostly interesting for mirror administrators, APT in stretch can use DNS (SRV) records to locate an HTTP backend. This is useful for providing a simple DNS name and then managing backends via DNS rather than using a redirector service. This feature is also used by the new Debian mirror described in Section 2.2.6, “New mirror”.

2.2.6. New mirror

Debian now provides a new additional service called It provides the content of the main archive, the security archive, ports and even our new debug archive (see Section 2.2.8, “A new archive for debug symbols”) under a single easy to remember hostname.

This service relies on the new DNS support in APT, but will fall back to a regular redirect for HTTPS access or older versions of APT. More details are provided on

Thanks to Fastly and Amazon CloudFront for sponsoring the CDN backends behind this service.

2.2.7. Move to "Modern" GnuPG

The stretch release is the first version of Debian to feature the modern branch of GnuPG in the gnupg package. This brings with it elliptic curve cryptography, better defaults, a more modular architecture, and improved smartcard support. The modern branch also explicitly does not support some older, known-broken formats (like PGPv3). See /usr/share/doc/gnupg/README.Debian for more information.

We will continue to supply the classic branch of GnuPG as gnupg1 for people who need it, but it is now deprecated.

2.2.8. A new archive for debug symbols


This section is mostly interesting for developers or if you wish to attach a full stack trace to a crash report.

Previously, the main Debian archive would include packages containing debug symbols for selected libraries or programs. With stretch, most of these have been moved to a separate archive called the debian-debug archive. This archive contains the debug symbol packages for the vast majority of all packages provided by Debian.

If you want to fetch such debug packages, please include the following in your APT sources:

deb stretch-debug main

Alternatively, you can also fetch them from

Once enabled, you can now fetch debug symbols for the package in question by installing pkg-dbgsym. Please note that individual packages may still provide a pkg-dbg package in the main archive instead of the new dbgsym.

2.2.9. New method for naming network interfaces

The installer and newly installed systems will use a new standard naming scheme for network interfaces instead of eth0, eth1, etc. The old naming method suffered from enumeration race conditions that made it possible for interface names to change unexpectedly and is incompatible with mounting the root filesystem read-only. The new enumeration method relies on more sources of information, to produce a more repeatable outcome. It uses the firmware/BIOS provided index numbers and then tries PCI card slot numbers, producing names like ens0 or enp1s1 (ethernet) or wlp3s0 (wlan). USB devices, which can be added to the system at any time, will have names based upon their ethernet MAC addresses.

This change does not apply to upgrades of jessie systems; the naming will continue to be enforced by /etc/udev/rules.d/70-persistent-net.rules. For more information, see /usr/share/doc/udev/README.Debian.gz or the upstream documentation.

2.2.10. News from Debian Med Blend

Besides several new packages and updates for software targeting life sciences and medicine, the Debian Med team has again put a focus on the quality of the provided packages. In a GSoC project and an Outreachy project, two students worked hard to add Continuous Integration support to the packages with the highest popularity-contest usage statistics. The latest Debian Med sprint in Bucharest also concentrated on package testing.

To install packages maintained by the Debian Med team, install the metapackages named med-*, which are at version 3.0.1 for Debian stretch. Feel free to visit the Debian Med tasks pages to see the full range of biological and medical software available in Debian.

2.2.11. The Xorg server no longer requires root

In the stretch version of Xorg, it is possible to run the Xorg server as a regular user rather than as root. This reduces the risk of privilege escalation via bugs in the X server. However, it has some requirements for working:

  • It needs logind and libpam-systemd.

  • The system needs to support Kernel Mode Setting (KMS). Therefore, it may not work in some virtualization environments (e.g. virtualbox) or if the kernel has no driver that supports your graphics card.

  • It needs to run on the virtual console it was started from.

  • Only the gdm3 display manager supports running X as a non-privileged user in stretch. Other display managers will always run X as root. Alternatively, you can also start X manually as a non-root user on a virtual terminal via startx.

When run as a regular user, the Xorg log will be available from ~/.local/share/xorg/.