News and changes of the Debian 12 (Bookworm) operating system

Published by botond on 2024/01/26 (Friday) at 21:30


Introduction

Debian 12 (Bookworm) was released on 10 June 2023 and brings many new features. In this article we go over them and look at what more the latest Debian release can do.

This description can also be considered a kind of milestone: from here on we work actively with Debian 12 (Bookworm), so we will gradually prepare the various (LAMP and "perfect") servers with this Debian release as well.

Life cycle

Thanks to the Debian Security Team and Debian Long Term Support, Debian 12 (Bookworm) will be supported for 5 years after its release. You can read more about Debian release lifecycles here.

Architectures

Officially supported architectures of Debian 12 (Bookworm):

  • 32-bit PC (i386)
  • 64-bit PC (amd64)
  • 64-bit ARM (arm64)
  • ARM EABI
  • ARMv7 (EABI hard-float ABI, armhf)
  • little-endian MIPS (mipsel)
  • 64-bit little-endian MIPS (mips64el)
  • 64-bit little-endian PowerPC (ppc64el)
  • IBM System z (s390x)

Package archive

The archive areas of Debian 12 have changed structurally. Until now, Debian divided the packages in its system into three main areas (archive areas):

  • main: This is the main distribution of Debian, containing only software that fully complies with the Debian Free Software Guidelines (DFSG). These packages are free to use, modify and distribute.
  • contrib: Add-on packages that work with the Debian distribution but require software from outside the distribution to build or run.
  • non-free: These are also additional packages that work with the Debian distribution, but do not comply with DFSG, or their distribution is problematic for other reasons.

Debian's 2022 General Resolution on non-free firmware extended point 5 of the Social Contract with the following sentence:

"Official Debian media may include firmware that is not otherwise part of the Debian system to allow Debian to be used with hardware that requires such firmware."

This addition means that official Debian installer images may contain firmware that is required for certain hardware to work, even if these firmwares are not part of the standard Debian system.

So the change is that a new area has been introduced in the Debian 12 release:

  • non-free-firmware: This area separates non-free firmware from the rest of the non-free packages. Most non-free firmware packages have been moved from the non-free area to the non-free-firmware area. This clean separation makes it possible to build official installation images that include the main and non-free-firmware packages but not contrib and non-free. As a result, systems can be installed that contain packages only from the main and non-free-firmware areas, without contrib or non-free packages.

This change benefits users because it allows Debian to be installed on hardware that requires special firmware while maintaining the commitment to free software, and it also makes package management easier.

Installation

To install Debian 12 Bookworm in the normal way, we can choose from several downloadable installation images, for example Blu-ray disc, DVD, CD or USB stick, or install over a network connection. For more details, see the Installation guide.

Debian can now be installed in 78 languages, most of which are available in both text and graphical user interfaces.

Live installation image

If you simply want to try Debian 12 Bookworm without installing it, you can use one of the live images, which is loaded only into the computer's memory and boots and runs the entire operating system without making any changes to the existing system.

These live images are available for the amd64 and i386 architectures, as DVD, USB stick and netboot variants. The user can choose from several desktop environments to try: GNOME, KDE Plasma, LXDE, LXQt, MATE and Xfce. Debian Live Bookworm also has a standard live image, so a basic system without a graphical desktop can be tried as well.

If you like the operating system, it can be installed from the running live system onto the computer's hard drive. When installing this way, the convenient graphical interface of the standalone Calamares installer guides us through the installation process.

Base system

Many things have changed in the basic system of Debian 12, let's see what they are.

Kernel

Debian 12 Bookworm came with Linux kernel version 6.1, the current LTS (Long Term Support) release. The kernel contains many new features and improvements aimed at improving the security and performance of the Linux system.

Support for Intel Software Guard Extensions (SGX 1/2) allows applications to place data in secure, hardware-protected enclaves, which is ideal for storing sensitive data such as encryption or authorization keys. A particularly interesting use of this technology is encrypting the memory of virtual machines so that other system processes or virtual machines cannot read their contents. For more information, see the Intel SGX page.

Improvements to AMD's Secure Encryption Virtualization (SEV) system support encryption of virtualized guest registers so that they cannot be read by the host (or other guest). For more information, see the AMD SEV page.

Secure virtualization with new CPU support from AMD and Intel that protects guest virtual machines from hypervisor-based attacks. AMD Secure Nested Paging (SEV-SNP) provides memory integrity protection, and Intel Trust Domain Extensions (TDX) provides both memory integrity and encryption.

Indirect Branch Tracking on Intel's latest CPUs. Indirect Branch Tracking (IBT) is a new Control-Flow Enforcement Technology (CET) method that provides hardware-based protection against jump/call-oriented programming (JOP/COP) attacks.

The new Kernel Concurrency Sanitizer (KCSAN) detects data races using compile-time instrumentation of memory accesses, supported by both GCC and Clang. For more details, see the kernel.org documentation.

The new Landlock Linux security module enables process sandboxing by allowing processes to set additional restrictions on top of system-wide restrictions. For more information, see the Landlock Linux Kernel documentation.

The Google fscrypt project's support for hardware-accelerated full disk encryption on f2fs and ext4 file systems has been merged.

The CIFS file system module no longer supports the weak LANMAN and NTLM protocols used by SMBv1.

NTFS support is now built in, eliminating the need for third-party NTFS drivers.

APT

Among the innovations in the latest Debian release is the update of the APT package manager to version 2.6. apt 2.6 was designed specifically to handle the new non-free ISO image support introduced in this release of Debian.

With these changes, non-free-firmware is enabled by default, giving a smoother experience to users whose hardware needs non-free firmware.

In addition, the package manager now offers updates for all non-free packages, so users are informed about the latest versions of these components. These improvements further improve the user experience and provide better support for all Debian 12 non-free packages and firmware.

Software packages

Package statistics

The 12th release of Debian has once again arrived with much more new software than its predecessor:

  • New packages: The new release of Debian contains more than 11089 new packages. This means that, compared to the previous release, these packages have now been included in the Debian distribution for the first time.
  • All packages: The new release has a total of more than 64419 packages. This number includes new packages as well as packages that were previously part of the distribution.
  • Updated software: A significant part of the software in the distribution, more than 43254 packages (which is 67% of all packages) has been updated. This means that these packages have been updated to a newer version.
  • Removed packages: About 6296 packages (10% of the packages in the bullseye release) were removed from distribution for various reasons. These packages will no longer receive updates and will be marked as "obsolete" in package management interfaces.

Obsolete packages are software that is no longer maintained and has therefore been removed from the latest Debian release. These packages no longer receive updates, and the package manager's UI indicates separately that they are no longer part of the current distribution.

Here are some examples of upgraded packages

In Debian 12, 67% of packages have been updated, some frequently used packages are highlighted here:

Package                                     | Version in Debian 11                   | Version in Debian 12
------------------------------------------- | -------------------------------------- | --------------------
Apache                                      | 2.4.54                                 | 2.4.57
APT                                         | 2.2                                    | 2.6
Bash                                        | 5.1                                    | 5.2.15
BIND 9 (DNS server)                         | 9.16                                   | 9.18
cryptsetup                                  | 2.3                                    | 2.6
Emacs                                       | 27.1                                   | 28.2
Exim (default e-mail server)                | 4.94                                   | 4.96
GNU Compiler Collection (default compiler)  | 10.2                                   | 12.2
GIMP                                        | 2.10.22                                | 2.10.34
Go                                          | 2.30                                   | 2.39
GnuPG                                       | 2.2.27                                 | 2.2.40
Inkscape                                    | 1.0.2                                  | 1.2.2
GNU C library                               | 2.31                                   | 2.36
Linux kernel image                          | 5.10 series                            | 6.1 series
LLVM/Clang toolchain                        | 9.0.1 and 11.0.1 (default) and 13.0.1  | 13.0.1 and 14.0 (default) and 15.0.6
MariaDB                                     | 10.5                                   | 10.11
GNU nano                                    | 5.4                                    | 7.2
Nginx                                       | 1.18                                   | 1.22
OpenJDK                                     | 11                                     | 17
OpenLDAP                                    | 2.4.57                                 | 2.5.13
OpenSSH                                     | 8.4p1                                  | 9.2p1
OpenSSL                                     | 1.1.1n                                 | 3.0.8
Perl                                        | 5.32                                   | 5.36
PHP                                         | 7.4                                    | 8.2
phpMyAdmin                                  | 5.0                                    | 5.2
Postfix (MTA)                               | 3.5                                    | 3.7
PostgreSQL                                  | 13                                     | 15
Python 3                                    | 3.9.2                                  | 3.11.2
Rustc                                       | 1.48                                   | 1.63
Samba                                       | 4.13                                   | 4.17
Sudo                                        | 1.9.5                                  | 1.9.13
Systemd                                     | 247                                    | 252
Vim                                         | 8.2                                    | 9.0

Man page translations

Thanks to Debian's translators, documentation in the form of man pages is now available in more languages than ever before. For example, many man pages are now available in Czech, Danish, Greek, Finnish, Indonesian, Macedonian, Norwegian (Bokmål), Russian, Serbian, Swedish, Ukrainian and Vietnamese, and all systemd man pages are now available in German.

To make the man command display documentation in our own language (where available), install the appropriate manpages-lang package (lang being the language code) and make sure the locales are configured correctly with the following command:

dpkg-reconfigure locales

Debian Med packages

As with every release, new packages have been added in the fields of medicine and life sciences. The new shiny-server package deserves special mention, as it simplifies scientific web applications using R. Debian continues its efforts to provide continuous integration support for packages maintained by the Debian Med team.

The Debian Med team is always interested in user feedback, especially requests to package free software that has not yet been packaged, or to provide new packages or newer versions from testing as backports.

To install packages maintained by the Debian Med team, install the metapackages called med-*, which are included in version 3.8.x for Debian bookworm. Feel free to visit the Debian Med tasks pages, where the full range of biological and medical software available in Debian can be viewed.


Security

The Debian 12 Bookworm release includes several security improvements; let's look at some of the more important ones.

OpenSSH

One of the most significant user changes in Debian 12 is the upgrade of OpenSSH from version 8.4 to release 9.2.

At the time of the Debian 12 Bookworm release (10 June 2023), the operating system debuted with version 9.1 of OpenSSH, which is why many earlier descriptions show version 9.1. Several months have passed since then, so at the time of writing OpenSSH version 9.2 is in the Debian Bookworm repository.

This upgrade from 8.4 brought a number of security improvements aimed at strengthening communication channels, removing older, less secure protocols, and increasing the overall security of the system. Let's look at some of them:

Stronger default key exchange method and first key preference settings

OpenSSH 9.2 uses stronger, more secure methods for key exchanges by default. This increases the security of the encryption process, reducing the risk of potential security breaches.

The key exchange method is the process of exchanging authentication keys when establishing an encrypted connection between the SSH client and the server. This process is critical to secure communication because it allows the client and server to securely identify each other and establish an encrypted channel to transmit data. The key exchange method defines what mathematical algorithms are used to generate and exchange keys. With updates in OpenSSH 9.2, these methods have been strengthened, which means that the algorithms used are stronger and more resistant to possible attacks. This is particularly important for protection against quantum computers, as these machines may in the future be able to break current encryption methods.

And the "first key preference" settings mean the order in which the system prefers different key exchange algorithms when establishing a connection with another computer. This allows users and administrators to prioritize the most secure methods, thereby increasing the security of connections.

SCP command modernization

In OpenSSH version 9.0 (2022-04-08), the scp command was changed to use the SFTP (SSH File Transfer Protocol) protocol by default instead of the old SCP/RCP protocol. This move modernizes scp, improves security and eliminates some old vulnerabilities.

How does this affect users?

  • Handling of wildcards: The old scp/rcp protocol expanded wildcards (e.g. '*') in remote filenames in the remote shell, which required shell metacharacters on the scp command line to be double-quoted. With the SFTP protocol this is no longer necessary, which simplifies use.
  • Change in filename quoting rules: Since the SFTP protocol does not require metacharacters to be double-quoted, commands with filenames previously quoted that way may behave incorrectly in the new version.
  • Handling of remote paths: The old scp/rcp protocol supported paths relative to another user's home directory, such as:
    scp host:~user/file /tmp
    The SFTP protocol has no built-in support for expanding ~user paths, but the sftp-server(8) component of OpenSSH 8.7 or later supports a protocol extension (expand-path@openssh.com) that allows this.
  • Returning to the old protocol: If users encounter compatibility problems, the scp client can be instructed to use the old scp/rcp protocol with the -O switch.

In summary, the OpenSSH 9.0 update modernized the scp command by using the SFTP protocol by default, while providing the option to use the old protocol if needed. This change improves security and simplifies the user experience while supporting legacy use cases.


More secure sshd (SSH Daemon) execution

sshd, the SSH server-side component, has received additional security fixes to make it even more reliable.

ED25519 digital signatures by default

Newer versions of OpenSSH now use ED25519 digital signatures by default instead of the previously used ECDSA. In addition, the Streamlined NTRU Prime + x25519 key exchange method is used, which is less vulnerable to future quantum computing attacks. This new key exchange method includes a fallback to the well-tested x25519 default introduced in previous OpenSSH releases.

In practice, this means that if we want to access a freshly installed Debian 12 system from an older system over SSH with public-key authentication, we create the key pair on the client computer with the ssh-keygen command as follows:

ssh-keygen -t ed25519

This way we can generate ed25519 keys on our older system as well.

What's New in OpenSSH 9.2

Since OpenSSH is an essential tool in everyday server work, it is worth saying a few more words about the version in the distribution, 9.2, and its novelties.

sshd(8): New ChannelTimeout directive

The new "ChannelTimeout" directive in sshd_config allows us to automatically close channels on which no data traffic has occurred within a certain time interval. Different time limits can be applied to session, X11, agent and TCP forwarding channels.

sshd(8): New UnusedConnectionTimeout directive

This directive terminates client connections that have had no open channels for a certain period of time. It complements the ChannelTimeout option, as it applies to the entire connection, not just individual channels.
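The two directives above, as an added example that is not part of the original article: a constructed sshd_config drop-in that sets ChannelTimeout and UnusedConnectionTimeout, and a small POSIX shell audit that reports whether a given config sets them. The config contents and the 30m/10m/5m values are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# OpenSSH 9.2 ChannelTimeout and UnusedConnectionTimeout directives.
# The two configs below are constructed for this demo (real ones live in
# /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*.conf).

HARDENED_CONF=$(mktemp)
DEFAULT_CONF=$(mktemp)
trap 'rm -f "$HARDENED_CONF" "$DEFAULT_CONF"' EXIT

cat > "$HARDENED_CONF" <<'EOF'
Port 22
PermitRootLogin prohibit-password
# Close idle interactive sessions after 30 minutes, idle agent and
# local-forwarding channels sooner. Channel types accept wildcards.
ChannelTimeout session:*=30m agent-connection=10m direct-tcpip=5m
# Drop a whole connection that has had no open channel for 10 minutes.
UnusedConnectionTimeout 10m
EOF

cat > "$DEFAULT_CONF" <<'EOF'
Port 22
#ChannelTimeout none
PermitRootLogin prohibit-password
EOF

# Print the value of a directive as sshd takes it: the first uncommented
# occurrence wins and keywords are case-insensitive. Handles the usual
# "Keyword value" form, not the rarer "Keyword=value" spelling.
sshd_directive() {   # $1 = config file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Report which of the two idle-timeout directives are unset (or explicitly
# "none"). Returns 0 when both are configured, 1 otherwise.
audit_sshd_timeouts() {   # $1 = config file
    missing=0
    for k in ChannelTimeout UnusedConnectionTimeout; do
        v=$(sshd_directive "$1" "$k")
        if [ -z "$v" ] || [ "$v" = "none" ]; then
            echo "$1: $k not set"
            missing=1
        else
            echo "$1: $k $v"
        fi
    done
    return $missing
}

audit_sshd_timeouts "$HARDENED_CONF"
audit_sshd_timeouts "$DEFAULT_CONF" || echo "idle channels and connections will never be closed"
```

On a live host, point audit_sshd_timeouts at /etc/ssh/sshd_config and each file in /etc/ssh/sshd_config.d/, and run sshd -t after editing so that sshd itself validates the syntax; the audit only reads the plain "Keyword value" form and ignores Match blocks.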

scp(1), sftp(1): New -X Option

Allows you to control certain parameters of the SFTP protocol for both scp and sftp. The length of the copy buffer and the number of pending requests can be controlled, which was previously only possible in sftp. This feature is now available in both clients of the SFTP protocol with the same option string.

ssh-keyscan(1): Scan Complete CIDR Address Ranges

ssh-keyscan can now scan complete CIDR address ranges. For example:

ssh-keyscan 192.168.0.0/24

CIDR ranges expand to all possible addresses in the range, including all zeros and all ones.

ssh(1): Support dynamic remote port forwarding in escape command line -R processing

Supports dynamic remote port forwarding when processing the escape command line -R option. This method can be particularly useful in situations where a user needs to securely connect to internal network resources, such as when working remotely or when accessing censored or restricted content over a secure connection.


OpenSSL

OpenSSL is an open source software library that offers various encryption protocols and cryptographic algorithms. OpenSSL version 3 includes significant improvements and new features, some of which are mentioned below.

Built-in FIPS 140-2 module

One of the most exciting innovations in OpenSSL 3 is the built-in, validated FIPS 140-2 module. FIPS (Federal Information Processing Standards) 140-2 is a US government standard that defines security requirements for encryption modules. The previous FIPS implementation was not directly integrated into the OpenSSL codebase and only worked with OpenSSL version 1.0.2, which is no longer supported.

Using Linux kernel cryptographic APIs

OpenSSL 3 uses Linux kernel cryptographic APIs for certain TLS (Transport Layer Security) operations. This improves performance and allows the use of hardware accelerator cards. This could be interesting in the future for outsourcing TLS work from web servers or load balancers.

New Supported Algorithms

  • KDF (Key Derivation Function) algorithms: Single Step and SSH.
  • MAC (Message Authentication Code) algorithms: GMAC and KMAC.
  • KEM (Key Encapsulation Mechanism) algorithm: RSASVE; cipher algorithm: AES-SIV.
  • Support for new schemes for PKCS#7 and PKCS#12.
  • New PKCS signature verification algorithm support.


Sudo

sudo also received many security fixes during the transition from 1.9.5 to 1.9.13, let's look at some of them.

Command capture function

Version 1.9.8 of sudo added a feature that allows specific subcommands to be blocked or prevented from being invoked from commands run through sudo. This feature complements the previously introduced log_subcmds option, which allows logging of all subcommands.

How It Works?

After enabling the "intercept" option, you can define the commands you want to prevent from running. For example, if interception is set only for the /usr/bin/bash command, the restrictions apply only to the Bash shell, and other shells or commands are not prevented from running.

For example, if the sudoers file denies the czanik user the /usr/bin/who command, then when the user tries to run this command, the system refuses to execute it.

This feature allows administrators, for example, to prevent shells from running, so users cannot start interactive sessions. However, the setting applies not only to shells but to virtually any other application that executes commands through the shell. For example, if sudo is configured to block shells, commands cannot be run from an editor (e.g. vi) either.

In summary, sudo's "intercept" feature gives administrators more control and security by fine-tuning which subcommands are allowed or denied by sudo to run. This is especially useful from a security point of view, when finer customization of access is critical.

Command capture logging function

Also introduced in sudo version 1.9.8 is "log_subcmds", a new logging feature that allows each sub-command launched by applications run via sudo to be logged. This feature can be especially useful for system administrators to see more precisely what actions users are performing through sudo.

How It Works?

If a user launches an editor such as joe via sudo and runs a shell within it, the "log_subcmds" function allows the administrator to see what commands were launched within the application. In this way, the administrator not only sees that the user started an editor via sudo, but also what additional commands were run within it. The function can be useful in cases where, for security reasons, we want to track what actions users perform with sudo privileges.

More information about this is available on the sudo page.

Several other functions have also been added to the sudo command; information about them can be found on the sudo page.
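The intercept and log_subcmds options described above, as an added example that is not from the original article or the sudo project: a constructed sudoers drop-in that enables both and denies /usr/bin/who to the czanik user from the article's example, plus two shell helpers that read such a file. The file is written to a temporary path for the demo, not under /etc/sudoers.d.

```shell
#!/bin/sh
# Added example, not from the original article: a sudoers drop-in enabling the
# sudo 1.9.8+ "intercept" and "log_subcmds" options, plus two small checks
# that read such a file. The user "czanik" and the denied /usr/bin/who follow
# the article's example; the file goes to a temp path, not /etc/sudoers.d.

SUDOERS_DEMO=$(mktemp)
trap 'rm -f "$SUDOERS_DEMO"' EXIT

cat > "$SUDOERS_DEMO" <<'EOF'
# Log every sub-command spawned by programs started through sudo.
Defaults log_subcmds
# Re-check sudoers policy for those sub-commands as well, so a shell or
# editor opened via sudo cannot be used to reach a denied command.
Defaults intercept
# czanik may run any command as root, except who(1); with intercept on,
# "who" is also refused when launched from a sudo-started bash or vi.
czanik ALL = (ALL) ALL, !/usr/bin/who
EOF

# Is a flag option enabled on any Defaults line? Handles comma-separated
# lists and the Defaults:user / Defaults!command forms. Returns 0 if found.
sudoers_option_enabled() {   # $1 = sudoers file, $2 = option name
    awk -v opt="$2" '
        /^[ \t]*Defaults/ {
            sub(/^[ \t]*Defaults[^ \t]*[ \t]*/, "")
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", items[i])
                if (items[i] == opt) found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# List the commands a user spec explicitly denies with "!".
sudoers_denied() {   # $1 = sudoers file, $2 = user name
    awk -v u="$2" '
        $1 == u {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] ~ /^!/) print substr(parts[i], 2)
            }
        }' "$1"
}

for opt in intercept log_subcmds; do
    if sudoers_option_enabled "$SUDOERS_DEMO" "$opt"; then
        echo "$opt: enabled"
    else
        echo "$opt: not set (sub-commands run unchecked or unlogged)"
    fi
done
echo "commands denied to czanik: $(sudoers_denied "$SUDOERS_DEMO" czanik)"
```

Before installing such a drop-in under /etc/sudoers.d/, validate it with visudo -c -f FILE and give it mode 0440; a syntax error in a live sudoers file can lock everyone out of sudo.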


Systemd

Systemd has been updated from version 247 in Debian 11 to version 251 in Debian 12, which includes many changes that make services more secure. Here are some of them:

  • Limited file system and network access: New systemd system unit configuration options allow users to restrict file system and network access to services. This can be particularly useful in reducing the attack surface if a service is compromised.
  • Encrypted Credentials: Credentials used to start services can now be encrypted and stored locally or stored in TPM2 chips using the systemd-creds command. These credentials are decrypted when the service is started, so they no longer need to be stored in configuration files that users can read.
  • Several improvements to LUKS2 volume and partition support, including the ability to unlock LUKS2 volumes using TPM2 hardware or FIDO2 hardware, and a new utility, systemd-cryptenroll, to register tokens on LUKS volumes.
  • Secure user data: For users sharing a system with multiple users, systemd-homed has been enhanced to keep user data safe between sessions. systemd-homed will now retry unmounting the user's home directory on logoff to prevent the next user from accessing sensitive data.
  • Systemd-resolved will still use DNS over TLS even if restarted and will no longer fail if the nameserver uses an unknown protocol.
  • Networkd now supports passing values to the kernel's netlabel modules via a new `NetLabel=` configuration option.
  • VM boot configuration data can now be passed to systemd using the DMI type 11 field without the need for cloud-init.
  • Resolvectl now includes information about where a host was resolved from and whether the communication was encrypted.
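The encrypted credentials and file-system/network restrictions listed above, as an added example that is not from the original article or the systemd project: a weak unit with the secret in an Environment= line, the hardened unit using LoadCredentialEncrypted= and sandboxing directives, and a shell check that tells them apart. The service name demo-app, its binary path, the credential name db-password and the ciphertext path are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: the same service written
# twice, once with the secret in a readable Environment= line and once using
# systemd 250+ encrypted credentials and sandboxing, plus a check that tells
# them apart. Service name, binary path and credential name are assumptions
# for the demo; units go to a temp directory, not /etc/systemd/system.

UNIT_DIR=$(mktemp -d)
trap 'rm -rf "$UNIT_DIR"' EXIT

# The weak version: a plaintext secret that any local user can read from
# the unit file.
write_plain_unit() {   # $1 = target directory
    cat > "$1/demo-app-plain.service" <<'EOF'
[Unit]
Description=Demo service, secret in the unit file (constructed, weak)

[Service]
ExecStart=/usr/local/bin/demo-app
Environment=DB_PASSWORD=constructed-demo-secret
EOF
}

# The hardened version. The ciphertext is produced once, on the target host:
#   systemd-creds encrypt --name=db-password plaintext.txt /etc/credstore.encrypted/db-password
# (bound to the host key and the TPM2 when available). systemd decrypts it at
# start and hands it to the service only as $CREDENTIALS_DIRECTORY/db-password.
write_hardened_unit() {   # $1 = target directory
    cat > "$1/demo-app.service" <<'EOF'
[Unit]
Description=Demo service with an encrypted credential (constructed example)

[Service]
ExecStart=/usr/local/bin/demo-app
LoadCredentialEncrypted=db-password:/etc/credstore.encrypted/db-password
# File-system restrictions: read-only OS tree, no /home, private /tmp.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# Network restriction: only the local database listener is reachable.
IPAddressDeny=any
IPAddressAllow=localhost
NoNewPrivileges=yes
DynamicUser=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Value of a key in a unit file (last assignment wins, as in systemd).
unit_directive() {   # $1 = unit file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Heuristic: flag secrets passed through Environment= by their variable name.
unit_has_plaintext_secret() {   # $1 = unit file
    grep -Eiq '^Environment=.*(PASS|SECRET|TOKEN|KEY)' "$1"
}

# Print the hardening keys that are absent; return 0 only when all are set.
unit_missing_hardening() {   # $1 = unit file
    rc=0
    for key in ProtectSystem ProtectHome PrivateTmp NoNewPrivileges; do
        if [ -z "$(unit_directive "$1" "$key")" ]; then
            echo "$1: $key missing"
            rc=1
        fi
    done
    return $rc
}

write_plain_unit "$UNIT_DIR"
write_hardened_unit "$UNIT_DIR"
for u in "$UNIT_DIR"/demo-app-plain.service "$UNIT_DIR"/demo-app.service; do
    unit_has_plaintext_secret "$u" && echo "$u: secret readable in unit file"
    unit_missing_hardening "$u" || true
done
```

On a real host the hardened unit needs the ciphertext file to exist before the first start; systemd-analyze security demo-app.service then scores the remaining exposure of the sandbox.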


Other operational changes

Here we go over a couple of other changes from the previous release of Debian.

Pipewire audio server

The release of Debian 12 is great news for PipeWire fans, as PipeWire is the default audio server in this version of Debian. PipeWire aims to significantly improve audio and video handling on Linux systems. It replaces PulseAudio, which was the default audio server on POSIX systems such as Linux.

What is Pipewire?

PipeWire is a modern media handling framework that aims to unify and modernize the Linux audio and video stack. It enables audio and video streams to be handled with low latency and high quality, with particular attention to the user experience. PipeWire also supports multi-user audio handling and easier connections to the audio server.

Better detection of Windows 11 in dual boot mode

In Debian 12, recognition of the Windows 11 operating system in dual-boot setups has been improved. This ensures smoother interaction between the two operating systems, allowing users to switch between them seamlessly.

Cinnamon desktop screen reader support

In Debian 12, screen reader support is now available in the Cinnamon desktop environment. This innovation makes the desktop environment more friendly for visually impaired users, improving navigation and interaction with the interface.

Further development of speech synthesis

Speech synthesis and text-to-speech are essential components of Debian's accessibility; in Debian 12 this capability has been improved so that speech output is activated automatically after a 30-second delay. This means that if there is no interaction for 30 seconds, the function is activated. This improves accessibility for visually impaired users.

Easier detection of multipath devices

Multipath technology allows you to connect to a data storage device (such as a hard drive or a SAN [Storage Area Network] device) through several different physical paths. This increases the reliability and availability of data transmission, because if one path fails, the system automatically switches to another.

Debian 12 improves the detection and handling of multipath devices, which means that storage devices connected via multiple paths are more easily identified and automatically configured. The redundancy and security of the system can be increased by using multipath devices. This is especially important in large data centers and enterprise environments where continuous data access and system availability are critical. Easier detection of multipath devices is a significant step forward in the redundant and reliable management of storage devices, which is especially important in environments requiring large amounts of data and high availability.

Support for multiple initial ramdisk paths

An "initial ramdisk" (initrd) is a temporary file system the Linux kernel uses during boot, before the real root file system is available. It contains the drivers and tools the system needs during boot to access the actual root file system on the hard disk or other storage device.

Debian 12 allows administrators to specify several different initrd images, each for a different purpose. This provides more flexibility in configuring the boot process, allowing for example the use of separate initrd images for different hardware configurations or boot scenarios.

Debian 12's support for multiple initrd paths is therefore a significant improvement in boot processes. This functionality is particularly useful in systems where the boot process needs to adapt to different circumstances, or where boot customization is key.


Desktop environments

Debian 12 ships with the following desktops:

  • Gnome 43
  • KDE Plasma 5.27
  • LXDE 11
  • LXQt 1.2.0
  • MATE 1.26
  • Xfce 4.18

Of course, other desktop environments can also be installed; these are just the ones that are part of the official installation images.


Upgrading Debian

Upgrading to Debian 12 Bookworm from the previous release, Debian 11 Bullseye, can be handled automatically for most configurations with the APT package manager.

Before upgrading our system, it is highly recommended to make a full backup, or at least save any data or configuration files that we cannot afford to lose. The upgrade tools and processes are fairly reliable, but a hardware failure during the upgrade can seriously damage the system. The most important things to back up are the contents of the /etc and /var/lib/dpkg directories, the /var/lib/apt/extended_states file, and the output of the following command:

dpkg --get-selections '*'

Debian welcomes input from users on upgrading from Bullseye to Bookworm. Upgrade experiences and information can be shared by submitting a bug report against the upgrade-reports package in Debian's bug tracking system.

Many improvements have been made to the Debian installer, resulting in improved hardware support and other features such as improved UTM graphics support, improved GRUB font loader, removal of long waits at the end of the installation process, and detection of BIOS boot systems. This version of the Debian installer can also enable the "non-free-firmware" package archive area if needed.

The ntp package has been replaced by the ntpsec package, the default system clock service is now systemd-timesyncd; chrony and openntpd are also supported.

Since non-free firmware has been moved to its own component in the archive (non-free-firmware), if you have installed non-free firmware, it is recommended to add "non-free-firmware" to the APT source list.

It is advisable to remove the "bullseye-backports" entries from the APT source list files before upgrading; after the update, consider adding "bookworm-backports" if necessary.

For Debian 12 Bookworm, the security update repository is labeled "bookworm-security". Users should change their APT source list files accordingly during the upgrade instead of the previous "bullseye-security" names. If your APT configuration includes "pinning" or APT::Default-Release setting, then these settings must also be updated to migrate to Debian 12.

APT pinning is a method that allows you to favor certain versions of packages or their sources. If pinning is set, it may prevent a smooth upgrade to Debian 12, as APT may stick to older packages from "bullseye". To simplify the update process, it is recommended to temporarily disable APT pinning for the duration of the update. This allows the system to seamlessly upgrade packages to the new stable release of Debian 12.
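The source-list changes described in the last few paragraphs, as an added example that is not part of the original article: a POSIX shell function that rewrites a constructed bullseye sources.list for bookworm (dropping bullseye-backports, renaming the suites including bullseye-security, adding non-free-firmware next to non-free) and a second one that flags pins still naming bullseye. Nothing under /etc is touched; both input files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: rewrite a bullseye APT source
# list for bookworm following the upgrade steps (drop bullseye-backports,
# rename the suites including bullseye-security, add non-free-firmware next
# to non-free) and flag pinning that would hold the system on bullseye.
# Both input files are constructed for the demo; nothing under /etc is touched.

SAMPLE_SOURCES=$(mktemp)
SAMPLE_PREFS=$(mktemp)
trap 'rm -f "$SAMPLE_SOURCES" "$SAMPLE_PREFS"' EXIT

cat > "$SAMPLE_SOURCES" <<'EOF'
deb http://deb.debian.org/debian bullseye main contrib non-free
deb-src http://deb.debian.org/debian bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb http://deb.debian.org/debian bullseye-backports main
EOF

cat > "$SAMPLE_PREFS" <<'EOF'
Package: *
Pin: release n=bullseye
Pin-Priority: 900
EOF

# Produce a bookworm source list from a bullseye one.
migrate_sources() {   # $1 = input sources.list, $2 = output file
    grep -v 'bullseye-backports' "$1" \
      | sed 's/bullseye/bookworm/g' \
      | awk '
        /^deb(-src)?[ \t]/ {
            nf = 0; nff = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "non-free") nf = 1
                if ($i == "non-free-firmware") nff = 1
            }
            # Firmware moved to its own area: add it wherever non-free was used.
            if (nf && !nff) $0 = $0 " non-free-firmware"
        }
        { print }' > "$2"
}

# Show pin or Default-Release settings still naming bullseye; such settings
# make APT keep the old packages and must be removed or changed before the
# upgrade. Returns 0 when any are found (the /dev/null forces file:line output).
find_stale_pins() {   # $@ = apt preferences / apt.conf files to check
    grep -n 'bullseye' /dev/null "$@"
}

MIGRATED=$(mktemp)
migrate_sources "$SAMPLE_SOURCES" "$MIGRATED"
cat "$MIGRATED"
find_stale_pins "$SAMPLE_PREFS" && echo "fix the pins above before running apt full-upgrade"
rm -f "$MIGRATED"
```

On a real system, run migrate_sources /etc/apt/sources.list /tmp/sources.list.bookworm, review the result before putting it in place, and point find_stale_pins at /etc/apt/preferences, /etc/apt/preferences.d/* and /etc/apt/apt.conf.d/*; apt-cache policy then shows whether any pin still wins. bookworm-backports can be added again after the upgrade if needed.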

During the update, conflicts or Pre-Depends loops may occur between certain packages. These can usually be solved by removing problematic packages or by re-installing some packages (forcing re-installation). This means that some packages that are not compatible with the new release will be removed or reinstalled during the upgrade process.

In the case of "Could not perform immediate configuration..." errors, the system cannot immediately configure some packages during the upgrade. In this case it is recommended to keep both the bullseye (previously removed) and bookworm (newly added) sources in the /etc/apt/sources.list file. This allows APT to manage dependencies and conflicts between the two releases.

During the upgrade, the files of some packages may conflict with each other. In such cases, it may become necessary to forcibly remove certain packages (forcibly remove packages). This means that you have to manually intervene in the package manager to remove packages that prevent the update process.

As mentioned above, a system backup is crucial for a distribution upgrade and helps prevent any unexpected errors. This means that before we update the system, we should make a full backup so that if any problems arise, we can easily restore the previous state.

More details on upgrading the distribution can be found on this page.

Conclusion

Debian 12 Bookworm is a great release that introduced many new features and improvements. The update includes the latest desktop environments, an updated kernel, and updated packages, providing a rich and modern experience for both novice and advanced Debian users.