If you are upgrading Debian 9 to Debian 10, you will be shown a series of
on-screen notices describing the changes that are taking effect. I am posting
those notices here so you can look them over before you do your upgrade.

apt (1.8.0~alpha3) unstable; urgency=medium
The PATH for running dpkg is now configured by the option DPkg::Path,
and defaults to "/usr/sbin:/usr/bin:/sbin:/bin". Previous behavior of
not changing PATH may be restored by setting the option to an empty string.
Support for /etc/apt/auth.conf.d/ has been added, see apt_auth.conf(5).
-- Julian Andres Klode <jak@debian.org>  Tue, 18 Dec 2018 15:02:11 +0100

apt (1.6~rc1) unstable; urgency=medium
Seccomp sandboxing has been turned off by default for now. If it works
for you, you are encouraged to re-enable it by setting APT::Sandbox::Seccomp
to true.
-- Julian Andres Klode <jak@debian.org>  Fri, 06 Apr 2018 14:14:29 +0200

apt (1.6~beta1) unstable; urgency=medium
APT now verifies that the date of Release files is not in the future. By
default, it may be 10 seconds in the future to allow for some clock drift.
Two new configuration options can be used to tweak the behavior:
Acquire::Check-Date
Acquire::Max-DateFuture
These can be overridden in sources.list entries using the check-date
and date-future-max options. Note that disabling check-date also
disables checks on valid-until: It is considered to mean that your
machine's time is not reliable.
-- Julian Andres Klode <jak@debian.org>  Mon, 26 Feb 2018 13:14:13 +0100

apt (1.6~alpha1) unstable; urgency=medium
All methods provided by apt except for cdrom, gpgv, and rsh now
use seccomp-BPF sandboxing to restrict the list of allowed system
calls, and trap all others with a SIGSYS signal. Three options
can be used to configure this further:
APT::Sandbox::Seccomp is a boolean to turn it on/off
APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow
Also, sandboxing is now enabled for the mirror method.
-- Julian Andres Klode <jak@debian.org>  Mon, 23 Oct 2017 01:58:18 +0200

apt (1.5~beta1) unstable; urgency=medium
[ New HTTPS method ]
The default http method now supports HTTPS itself, including encrypted proxies
and connecting to HTTPS sites via HTTPS proxies; and the apt-transport-https
package only provides a "curl+https" method now as a fallback, but will be
removed shortly. If TLS support is unwanted, it can be disabled overall by
setting the option Acquire::AllowTLS to "false".
As for backwards compatibility, the options IssuerCert and SslForceVersion
are not supported anymore, and any specified certificate files must be in the
PEM format (curl might have allowed DER files as well).
[ Changes to unauthenticated repositories ]
The security exception for apt-get to only raise warnings if it encounters
unauthenticated repositories in the "update" command is gone now, so that it
will raise errors just like apt and all other apt-based front-ends do since
at least apt version 1.3.
It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
behaviour of apt-get by setting the option
Binary::apt-get::Acquire::AllowInsecureRepositories "true";
See apt-secure(8) manpage for configuration details.
[ Release Info Changes ]
If values like Origin, Label, and Codename change in a Release file,
update fails, or asks a user (if interactive). Various
--allow-releaseinfo-change options are provided for non-interactive use.
-- Julian Andres Klode <jak@debian.org>  Mon, 03 Jul 2017 15:09:23 +0200

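The apt entries above (1.6~beta1 Release-file date checks, 1.6~alpha1/1.6~rc1 seccomp sandboxing, 1.5~beta1 unauthenticated-repository handling, and 1.8 auth.conf.d) each describe a knob but not how an administrator would pin them after the upgrade. The following is an added example, not code from any of the NEWS entries or from the apt project: it writes an apt.conf.d fragment that keeps the stricter settings explicit and creates an apt_auth.conf(5) credentials file with owner-only permissions. The config root is taken from the first argument (it defaults to /etc/apt) so the functions can be exercised against a scratch directory; the file name 90local-policy and the host/login values used in the test are assumptions.

```shell
#!/bin/sh
# Added example (not from the Debian NEWS entries or the apt project).
# Assumption: $1 is the apt configuration root, defaulting to /etc/apt.

# write_apt_policy ROOT: drop a fragment into ROOT/apt.conf.d that makes
# the buster-era security defaults explicit instead of implicit.
write_apt_policy() {
    root=${1:-/etc/apt}
    mkdir -p "$root/apt.conf.d"
    cat > "$root/apt.conf.d/90local-policy" <<'EOF'
// Re-enable seccomp-BPF sandboxing of the acquire methods (switched off by
// default in 1.6~rc1). If a method dies with SIGSYS, extend
// APT::Sandbox::Seccomp::Allow rather than turning the sandbox off.
APT::Sandbox::Seccomp "true";

// Reject Release files dated more than 10 seconds in the future. Leaving
// Check-Date on matters: disabling it also disables the Valid-Until check.
Acquire::Check-Date "true";
Acquire::Max-DateFuture "10";

// Unsigned repositories are a hard error for apt-get as well as for apt.
Acquire::AllowInsecureRepositories "false";
Binary::apt-get::Acquire::AllowInsecureRepositories "false";
EOF
    chmod 0644 "$root/apt.conf.d/90local-policy"
}

# write_apt_auth ROOT HOST LOGIN PASSWORD: create ROOT/auth.conf.d/HOST.conf
# in the netrc-style format apt_auth.conf(5) reads, created with a 077
# umask so the credentials are never world-readable even briefly.
write_apt_auth() {
    root=${1:-/etc/apt}
    file="$root/auth.conf.d/$2.conf"
    mkdir -p "$root/auth.conf.d"
    ( umask 077 && printf 'machine %s login %s password %s\n' "$2" "$3" "$4" > "$file" )
    chmod 0600 "$file"
}

# auth_file_mode FILE: print the symbolic mode string ("-rw-------") so a
# caller can verify the credentials file is owner-only.
auth_file_mode() {
    ls -l "$1" | cut -c1-10
}
```

After running `write_apt_policy` against the real /etc/apt, `apt-config dump | grep -E 'Sandbox|Check-Date|AllowInsecure'` shows the merged values apt will actually use, which is the quickest way to confirm no later fragment overrides them.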
glibc (2.26-5) unstable; urgency=medium
Starting with version 2.26-1, the glibc requires a 3.2 or later Linux
kernel. If you use an older kernel, please upgrade it *before*
installing this glibc version. Failing to do so will end up with the
following failure:
Preparing to unpack .../libc6_2.26-5_amd64.deb ...
ERROR: This version of the GNU libc requires kernel version
3.2 or later. Please upgrade your kernel before installing
glibc.
The decision to not support older kernels is a GNU libc upstream
decision.
Note: This obviously does not apply to non-Linux kernels.
-- Aurelien Jarno <aurel32@debian.org>  Tue, 23 Jan 2018 22:03:12 +0100

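The glibc entry says to upgrade the kernel first but leaves the check to the reader, and the failure only shows up in the middle of the unpack step. Here is an added pre-flight check, not part of the NEWS entry or of the glibc package: it parses `uname -r` (Debian ABI suffixes such as `-5-amd64` and a trailing `+` are stripped) and compares the first two components against the 3.2 floor the entry states; non-Linux kernels are passed through, as the entry's last note says they are unaffected. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the glibc NEWS entry). The 3.2 minimum comes from
# the entry; the version parsing and function names are assumptions.

# kernel_at_least RELEASE MIN: RELEASE is a `uname -r` string such as
# "4.19.0-5-amd64" or "2.6.32-5-amd64"; MIN is "major.minor". Returns 0 when
# RELEASE >= MIN. Only major and minor are compared, which is all the glibc
# kernel check looks at.
kernel_at_least() {
    rel=${1%%-*}                 # drop the Debian ABI/flavour suffix
    rel=${rel%%+*}               # and the "+" marker of a locally built kernel
    case $rel in
        *.*) major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*} ;;
        *)   major=$rel; minor=0 ;;
    esac
    minor=${minor%%[!0-9]*}      # "10rc1" -> "10"
    case $2 in
        *.*) req_major=${2%%.*}; req_rest=${2#*.}; req_minor=${req_rest%%.*} ;;
        *)   req_major=$2; req_minor=0 ;;
    esac
    if [ "${major:-0}" -gt "$req_major" ]; then return 0; fi
    if [ "${major:-0}" -eq "$req_major" ] && [ "${minor:-0}" -ge "$req_minor" ]; then return 0; fi
    return 1
}

# preflight_glibc: apply the check to the running system before starting
# the dist-upgrade. Returns 1 (with a message on stderr) if glibc 2.26
# would refuse to unpack on this kernel.
preflight_glibc() {
    if [ "$(uname -s)" != Linux ]; then
        echo "not a Linux kernel: the glibc 2.26 kernel floor does not apply"
        return 0
    fi
    if kernel_at_least "$(uname -r)" 3.2; then
        echo "kernel $(uname -r) is >= 3.2, safe to upgrade glibc"
        return 0
    fi
    echo "kernel $(uname -r) is older than 3.2: upgrade and reboot the kernel first" >&2
    return 1
}
```

Run `preflight_glibc` (or wire it into an upgrade script with `preflight_glibc || exit 1`) before `apt full-upgrade`; a failing result on a VPS usually means the provider's kernel is what has to change, not the guest's packages.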
gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
In this version we adopt GnuPG's upstream approach of making keyserver
access default to self-sigs-only. This defends against receiving
flooded OpenPGP certificates. To revert to the previous behavior (not
recommended!), add the following directive to ~/.gnupg/gpg.conf:
keyserver-options no-self-sigs-only
We also adopt keys.openpgp.org as the default keyserver, since it avoids
the associated bandwidth waste of fetching third-party certifications
that will not be used. To revert to the older SKS keyserver network (not
recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
keyserver hkps://hkps.pool.sks-keyservers.net
Note: we do *not* adopt upstream's choice of import-clean for the
keyserver default, since it can lead to data loss, see
https://dev.gnupg.org/T4628 for more details.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 21 Aug 2019 14:53:47 -0400

ifupdown (0.8.34) unstable; urgency=medium
VLAN interfaces that are marked allow-hotplug are now brought up
automatically when the parent interface is hotplugged.
-- Guus Sliepen <guus@debian.org>  Fri, 25 May 2018 22:33:22 +0200

ifupdown (0.8.32) unstable; urgency=medium
Since version 0.8, ifupdown allows concurrent calls of ifup and ifdown.
While calls for the same interface will be serialized, calls for different
interfaces can run in parallel. This is especially important during boot
time, when the chance is high that multiple interfaces are being brought up
concurrently. Ensure that any if-pre/post-up/down.d scripts you use are safe
to run concurrently, as well as any pre/post-up/down commands in
/etc/network/interfaces.
-- Guus Sliepen <guus@debian.org>  Wed, 04 Apr 2018 23:20:51 +0200

ifupdown (0.8.20) unstable; urgency=medium
Ifupdown now supports pattern matching for interfaces. This will help
writing /etc/network/interfaces for systems with changing interface names,
or to simplify configuration for a large number of interfaces. The details
are in the interfaces(5) manual page, and examples are provided in
/usr/share/doc/ifupdown/examples/pattern-matching.
-- Guus Sliepen <guus@debian.org>  Tue, 10 Jan 2017 17:20:09 +0100

iptables (1.8.1-2) unstable; urgency=medium
All the iptables binaries have been moved away from /sbin to /usr/sbin.
Some compatibility symlinks have been added for the Buster release cycle,
but please make sure your scripts aren't using hardcoded binary paths.
The plan after Buster is to drop the symlinks.
-- Arturo Borrero Gonzalez <arturo@debian.org>  Wed, 25 Oct 2018 12:00:00 +0200

iptables (1.8.1-1) unstable; urgency=medium
By default, this package will try to use the nf_tables kernel backend
instead of the xtables one. Please, read more about this in
/usr/share/doc/iptables/README.Debian, including details about the new
update-alternatives configuration possibilities.
This is a major update on the way iptables works and may have severe impact
on running systems which are upgrading between Debian versions.
The arptables and ebtables binaries are also affected, and those packages
will be updated soon as well.
-- Arturo Borrero Gonzalez <arturo@debian.org>  Wed, 24 Oct 2018 14:00:00 +0200

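The two iptables entries ask for two things to be verified: that no script hardcodes the old /sbin paths (the symlinks are slated to disappear after Buster), and which backend the update-alternatives link currently selects. This is an added audit helper, not from the NEWS entries or the iptables package: it greps the scripts given as arguments for `/sbin/iptables`, `/sbin/ip6tables`, `/sbin/arptables` and `/sbin/ebtables` (including the `-save`/`-restore` variants) while ignoring the new `/usr/sbin/` location, and resolves the `iptables` command to report whether the nft or legacy multi-binary is behind it. The script contents in the test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the iptables NEWS entries or the package itself).
# Assumption: the scripts to audit are passed as file arguments.

# Matches /sbin/iptables, /sbin/ip6tables-restore, /sbin/ebtables, ... but
# not /usr/sbin/iptables (the preceding "r" is alphanumeric, so it is excluded).
HARDCODED_RE='(^|[^/[:alnum:]_])/sbin/(ip6?tables|arptables|ebtables)'

# find_hardcoded_iptables FILE...: print file:line:text for every hit.
# Returns 0 if at least one hit was found (plain grep semantics).
find_hardcoded_iptables() {
    grep -nHE "$HARDCODED_RE" "$@"
}

# check_iptables_paths FILE...: returns 0 when the scripts are clean and 1
# when at least one still relies on the compatibility symlinks.
check_iptables_paths() {
    if find_hardcoded_iptables "$@"; then
        echo "the calls above use /sbin/...: switch to /usr/sbin/... or bare command names" >&2
        return 1
    fi
    return 0
}

# iptables_backend: print "nft" or "legacy" according to which xtables
# multi-binary the iptables alternative resolves to on this host, "unknown"
# if it resolves somewhere else, and return 1 if iptables is not installed.
iptables_backend() {
    bin=$(command -v iptables) || return 1
    target=$(readlink -f "$bin") || return 1
    case $target in
        *nft*)    echo nft ;;
        *legacy*) echo legacy ;;
        *)        echo unknown ;;
    esac
}
```

Typical use is `check_iptables_paths /etc/network/if-pre-up.d/* /usr/local/sbin/firewall*` on the Stretch system before the upgrade, and `iptables_backend` afterwards: rules loaded through `iptables-legacy` are invisible to `iptables-nft -L` and vice versa, so a mixed state is the first thing to rule out when a firewall "lost" rules after the upgrade.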
linux-latest (86) unstable; urgency=medium
* From Linux 4.13.10-1, AppArmor is enabled by default. This allows
defining a "profile" for each installed program that can mitigate
security vulnerabilities in it. However, an incorrect profile might
disable some functionality of the program.
In case you suspect that an AppArmor profile is incorrect, see
<https://lists.debian.org/debian-devel/2017/11/msg00178.html> and
consider reporting a bug in the package providing the profile. The
profile may be part of the program's package or apparmor-profiles.
-- Ben Hutchings <ben@decadent.org.uk>  Thu, 30 Nov 2017 20:08:25 +0000

linux-latest (81) unstable; urgency=medium
* From Linux 4.10, the old 'virtual syscall' interface on 64-bit PCs
(amd64) is disabled. This breaks chroot environments and containers
that use (e)glibc 2.13 and earlier, including those based on Debian 7
or RHEL/CentOS 6. To re-enable it, set the kernel parameter:
vsyscall=emulate
-- Ben Hutchings <ben@decadent.org.uk>  Fri, 30 Jun 2017 23:50:03 +0100

newt (0.52.20-4) unstable; urgency=medium
* Drop Priority: important for whiptail, to minimize system size.
This means any package that requires 'whiptail' for dialogs in scripts,
etc. must now explicitly depend on it.
Closes: #893563
-- Alastair McKinstry <mckinstry@debian.org>  Mon, 19 Mar 2018 13:07:22 +0000

openssh (1:7.9p1-1) unstable; urgency=medium
OpenSSH 7.9 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
bans the use of DSA keys as certificate authorities.
* sshd(8): the authentication success/failure log message has changed
format slightly. It now includes the certificate fingerprint
(previously it included only key ID and CA key fingerprint).
-- Colin Watson <cjwatson@debian.org>  Sun, 21 Oct 2018 10:39:24 +0100

openssh (1:7.8p1-1) unstable; urgency=medium
OpenSSH 7.8 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): Write OpenSSH format private keys by default instead of
using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
releases since 2014 and described in the PROTOCOL.key file in the
source distribution, offers substantially better protection against
offline password guessing and supports key comments in private keys.
If necessary, it is possible to write old PEM-style keys by adding "-m
PEM" to ssh-keygen's arguments when generating or updating a key.
* sshd(8): Remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): Remove vestigial support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long gone)
rhosts-style authentication, but has not been necessary for a long
time. Attempting to execute ssh as a setuid binary, or with uid !=
effective uid will now yield a fatal error at runtime.
* sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted key
types. This distinction matters when using the RSA/SHA2 signature
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
counterparts. Configurations that override these options but omit
these algorithm names may cause unexpected authentication failures (no
action is required for configurations that accept the default for these
options).
* sshd(8): The precedence of session environment variables has changed.
~/.ssh/environment and environment="..." options in authorized_keys
files can no longer override SSH_* variables set implicitly by sshd.
* ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
-- Colin Watson <cjwatson@debian.org>  Thu, 30 Aug 2018 15:35:27 +0100

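The PubkeyAcceptedKeyTypes/HostbasedAcceptedKeyTypes change in OpenSSH 7.8 is the one in this entry most likely to lock an administrator out, because a configuration that was correct on Stretch is still syntactically valid on Buster. The following is an added check, not from the openssh NEWS entry or the OpenSSH project: it reads an sshd_config, takes the last occurrence of each option (as sshd(8) does for a plain `Keyword value` line; the `Keyword=value` form is not parsed), and warns when an override keeps RSA (`ssh-rsa` or its certificate form) but drops both `rsa-sha2-256` and `rsa-sha2-512`. Overrides that start with `+` or `-` modify the defaults and are left alone, and an override that drops RSA entirely is treated as intentional; those two choices are mine, not the entry's.

```shell
#!/bin/sh
# Added example (not from the openssh NEWS entry or the OpenSSH project).
# Assumption: $1 is the sshd_config to audit, written as "Keyword value".

# config_value FILE KEYWORD: print the effective value of KEYWORD
# (keyword match is case-insensitive, comment lines are skipped, and the
# last occurrence wins).
config_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { val = $2 }
        END { print val }' "$1"
}

# list_has LIST NAME: true when comma-separated LIST contains NAME exactly.
list_has() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_accepted_algorithms FILE: returns 0 when there is no override, or
# every override that keeps ssh-rsa also keeps an rsa-sha2-* algorithm;
# returns 1 and explains on stderr otherwise.
check_accepted_algorithms() {
    rc=0
    for opt in PubkeyAcceptedKeyTypes HostbasedAcceptedKeyTypes; do
        val=$(config_value "$1" "$opt")
        [ -n "$val" ] || continue                 # default list: includes rsa-sha2-*
        case $val in +*|-*) continue ;; esac      # relative edit of the default list
        if list_has "$val" ssh-rsa || list_has "$val" ssh-rsa-cert-v01@openssh.com; then
            if ! list_has "$val" rsa-sha2-256 && ! list_has "$val" rsa-sha2-512; then
                echo "$opt keeps ssh-rsa but omits rsa-sha2-256/rsa-sha2-512: RSA/SHA2 signatures will be refused (OpenSSH 7.8 semantics change)" >&2
                rc=1
            fi
        fi
    done
    return $rc
}
```

Run it as `check_accepted_algorithms /etc/ssh/sshd_config` before restarting the upgraded sshd, and keep a second session open while you do; `sshd -T | grep -i acceptedkeytypes` afterwards shows the list the daemon actually applies, which is the authoritative answer when Include files or Match blocks are involved.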
openssh (1:7.6p1-1) unstable; urgency=medium
OpenSSH 7.6 includes a number of changes that may affect existing
configurations:
* ssh(1): Delete SSH protocol version 1 support, associated configuration
options and documentation.
* ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.
* ssh(1): Do not offer CBC ciphers by default.
-- Colin Watson <cjwatson@debian.org>  Fri, 06 Oct 2017 12:36:48 +0100

openssh (1:7.5p1-1) experimental; urgency=medium
OpenSSH 7.5 includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation option,
thereby making privilege separation mandatory.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and their
authentication state. Software that monitors ssh/sshd logs may need to
account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
-- Colin Watson <cjwatson@debian.org>  Sun, 02 Apr 2017 02:58:01 +0100

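The log-format change in OpenSSH 7.5 is the kind of thing that silently breaks fail2ban-style rules and SIEM parsers, so it is worth checking a parser against the three forms the entry lists. The following is an added example, not from the openssh NEWS entry or the OpenSSH project: a small classifier that turns each "Connection closed by ..." message into `STATE USER IP`, distinguishing `user`, `authenticating user` and `invalid user` as the entry describes, and still recognising the older form with no user at all (reported as `nouser`) so old and new lines can be compared side by side. The sample log lines embedded below are constructed, not captured from a real host; the 1.1.1.1 and 10.1.1.1 addresses are the ones from the entry.

```shell
#!/bin/sh
# Added example (not from the openssh NEWS entry or the OpenSSH project).
# The SAMPLE_LOG lines are constructed for the demonstration.

# classify_ssh_close LINE: print "STATE USER IP" for a connection-closure
# message, where STATE is one of user, authenticating, invalid or nouser
# (the pre-7.5 form without a user, shown with "-" as the user). Unrelated
# lines produce no output. Order matters: the generic patterns come last.
classify_ssh_close() {
    printf '%s\n' "$1" | sed -nE \
        -e 's/.*Connection closed by invalid user ([^ ]+) ([^ ]+) port [0-9]+.*/invalid \1 \2/p' \
        -e 's/.*Connection closed by authenticating user ([^ ]+) ([^ ]+) port [0-9]+.*/authenticating \1 \2/p' \
        -e 's/.*Connection closed by user ([^ ]+) ([^ ]+) port [0-9]+.*/user \1 \2/p' \
        -e 's/.*Connection closed by ([^ ]+) port [0-9]+.*/nouser - \1/p'
}

# count_ssh_close_states: read log lines on stdin, print "STATE COUNT"
# per state in sorted order. A non-zero "nouser" count after the upgrade
# means something is still logging in the old format.
count_ssh_close_states() {
    while IFS= read -r line; do
        classify_ssh_close "$line"
    done | awk '{ n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Constructed sample, not a real log. One line of each form from the entry,
# one extra invalid-user attempt, one pre-7.5 style line and one unrelated line.
SAMPLE_LOG='Apr  2 02:58:01 host sshd[1001]: Connection closed by user x 1.1.1.1 port 1234 [preauth]
Apr  2 02:58:02 host sshd[1002]: Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Apr  2 02:58:03 host sshd[1003]: Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Apr  2 02:58:04 host sshd[1004]: Connection closed by invalid user admin 192.0.2.10 port 40022 [preauth]
Apr  2 02:58:05 host sshd[1005]: Connection closed by 192.0.2.11 port 40023 [preauth]
Apr  2 02:58:06 host sshd[1006]: Accepted publickey for x from 1.1.1.1 port 1235 ssh2'
```

On a live system feed the real journal instead: `journalctl -u ssh --since today -o cat | count_ssh_close_states`. The `invalid` bucket is the one brute-force detection should key on; a rule that only matches the old `Connection closed by <ip>` shape will count zero there after the upgrade and look healthy while it is blind.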
openssl (1.1.1-2) unstable; urgency=medium
Following various security recommendations, the default minimum TLS version
has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
plan to do the same around March 2020.
The default security level for TLS connections has also been increased from
level 1 to level 2. This moves from the 80 bit security level to the 112 bit
security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
or larger ECC keys, and SHA-2.
The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
might also have a way to override the defaults.
In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
line. The CipherString can also set the security level. Information about the
security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
The list of valid strings for the minimum protocol version can be found in
SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
config(5ssl).
Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
defaults can be done using:
MinProtocol = None
CipherString = DEFAULT
It's recommended that you contact the remote site in case the defaults cause
problems.
-- Kurt Roeckx <kurt@roeckx.be>  Sun, 28 Oct 2018 20:58:35 +0100

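Because the entry shows exactly how to relax the defaults back to `MinProtocol = None` / `CipherString = DEFAULT`, it is useful to have a check that notices when somebody has done so on a host. This is an added example, not from the openssl NEWS entry or the OpenSSL project: it reads an openssl.cnf, takes the last `MinProtocol` and `CipherString` assignments, and reports whether the Buster defaults (TLSv1.2 minimum, `@SECLEVEL=2`) are still in force. The same `DEFAULT@SECLEVEL=2` string is what the wpasupplicant entry later uses for `openssl_ciphers`, so `seclevel_of` applies to that value too. The config files in the test are constructed; the path to check is the first argument.

```shell
#!/bin/sh
# Added example (not from the openssl NEWS entry or the OpenSSL project).
# Assumption: $1 is the openssl.cnf to audit (normally /etc/ssl/openssl.cnf).

# cnf_value FILE KEY: print the value of the last "KEY = value" line, with
# surrounding whitespace removed; empty if KEY is not set.
cnf_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# seclevel_of CIPHERSTRING: print the numeric @SECLEVEL=N from a cipher
# string, or 1 when none is set (OpenSSL's built-in default level).
seclevel_of() {
    case $1 in
        *@SECLEVEL=[0-9]*) lvl=${1##*@SECLEVEL=}; echo "${lvl%%[!0-9]*}" ;;
        *) echo 1 ;;
    esac
}

# audit_openssl_cnf FILE: returns 0 when the minimum protocol is TLSv1.2 or
# newer and the security level is at least 2; otherwise explains on stderr
# and returns 1.
audit_openssl_cnf() {
    minproto=$(cnf_value "$1" MinProtocol)
    cipher=$(cnf_value "$1" CipherString)
    rc=0
    case $minproto in
        TLSv1.2|TLSv1.3) ;;
        *) echo "MinProtocol = ${minproto:-<unset>}: TLS 1.0/1.1 are accepted again" >&2; rc=1 ;;
    esac
    if [ "$(seclevel_of "$cipher")" -lt 2 ]; then
        echo "CipherString = ${cipher:-<unset>}: security level below 2 (80-bit keys and SHA-1 accepted)" >&2
        rc=1
    fi
    return $rc
}
```

`audit_openssl_cnf /etc/ssl/openssl.cnf` is cheap enough to run from a configuration-management check on every host. When it reports a relaxed setting that was added to reach a particular peer, the entry's own advice applies: fix the peer's 1024-bit key or SHA-1 certificate rather than leaving the whole system at level 1.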
systemd (236-1) unstable; urgency=medium
DynamicUser=yes has been enabled for systemd-journal-upload.service and
systemd-journal-gatewayd.service.
This means we no longer need to statically allocate a systemd-journal-upload
and systemd-journal-gateway user and you can now safely remove those system
users along with their associated groups.
-- Michael Biebl <biebl@debian.org>  Sun, 17 Dec 2017 21:17:32 +0100

util-linux (2.32-0.4) unstable; urgency=medium
The util-linux implementation of /bin/su is now used, replacing the
one previously supplied by src:shadow (shipped in login package), and
bringing Debian in line with other modern distributions. The two
implementations are very similar but have some minor differences (and
there might be more that was not yet noticed, of course), e.g.
- new 'su' (with no args, i.e. when preserving the environment) also
preserves PATH and IFS, while old su would always reset PATH and IFS
even in 'preserve environment' mode.
- new 'su -' (creating new environment) will do just that, while old
su would always preserve content of DISPLAY and XAUTHORITY
environment variables. Set them as needed (but beware X doesn't give
you any real privileges separation anyway if you can access an X
server of another user). See pam_xauth(8) if you want to reconfigure
pam for seamless xauth keys.
- su '' (empty user string) used to give root, but now returns an error.
- previously su only had one pam config, but now 'su -' is configured
separately in /etc/pam.d/su-l. This file additionally invokes
'pam_keyinit' to revoke the session keyring.
The first difference is probably the most user visible one. Doing
plain 'su' is a really bad idea for many reasons, so using 'su -' is
strongly recommended to always get a newly set up environment similar
to a normal login. If you want to restore behaviour more similar to
the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs.
-- Andreas Henriksson <andreas@fatal.se>  Fri, 03 Aug 2018 10:52:22 +0200

util-linux (2.29.2-3) experimental; urgency=medium
* The cfdisk, fdisk and sfdisk utilities have been split out into a
separate fdisk package. Any package needing these utilities should
add a dependency on: fdisk | util-linux (<< 2.29.2-3~)
(The second part of it makes the dependency also be fulfilled in case
of stretch-backports and should be considered optional.)
-- Andreas Henriksson <andreas@fatal.se>  Sun, 06 Aug 2017 14:59:02 +0200

util-linux (2.29.2-2) unstable; urgency=medium
* The deprecated 'pg' utility is no longer shipped.
(Please use either 'more' or 'less' instead.)
* The deprecated 'tunelp' utility is no longer shipped.
(Parallel port printers are suspected to be extinct by now.)
* The deprecated 'line' utility is no longer shipped.
(Please use the 'head' utility instead.)
* The deprecated 'tailf' utility is no longer shipped.
(Please use 'tail -f' instead.)
-- Andreas Henriksson <andreas@fatal.se>  Mon, 13 Mar 2017 19:27:14 +0100

wpasupplicant (2:2.6-19) unstable; urgency=medium
With this release, wpasupplicant no longer respects the system
default minimum TLS version, defaulting to TLSv1.0, not TLSv1.2. If
you're sure you will never connect to EAP networks requiring anything less
than 1.2, add this to your wpasupplicant configuration:
tls_disable_tlsv1_0=1
tls_disable_tlsv1_1=1
wpasupplicant also defaults to a security level 1, instead of the system
default 2. Should you need to change that, change this setting in your
wpasupplicant configuration:
openssl_ciphers=DEFAULT@SECLEVEL=2
Unlike wpasupplicant, hostapd still respects system defaults.
-- Andrej Shadura <andrewsh@debian.org>  Sat, 15 Dec 2018 14:22:18 +0100

apt-listchanges (3.14) unstable; urgency=low
When displaying changelogs during upgrades is enabled, but no changelog
file is provided by any of binary packages being processed together, then
apt-listchanges will call the `apt-get changelog' command to retrieve changes
over network. (Similar functionality has existed in Ubuntu for ages, and
was incorporated into Debian a few versions ago.)
If for some reason, like limited network connectivity, this behavior
is undesirable, it can now be disabled with the new `--no-network' option
that can be also set using debconf interface:
dpkg-reconfigure apt-listchanges
Additionally, the debconf interface was improved to manage a few older
configuration options, for example `--email-format'.
-- Robert Luberda <robert@debian.org>  Sun, 09 Jul 2017 09:55:48 +0200

debconf (1.5.68) unstable; urgency=low
From now on, the KDE frontend requires the debconf-kde-helper package.
libqtcore4-perl and libqtgui4-perl packages can be safely removed.
-- Modestas Vainius <modax@debian.org>  Wed, 18 Jul 2018 21:12:23 +0100