What's New in Debian 10 Buster?
===============================
:author: Axel Beckert
:backend: slidy
:data-uri: https://noone.org/talks/whats-new-in-debian/
:max-width: 94%
:icons:
:copyright: Axel Beckert, licensed under CC-SA-3.0-DE

Debian 10 Buster
----------------

Release date: 6 July 2019

New binary packages in Buster compared to Stretch: 13193

Slides last updated: 8 July 2019

Slides online at https://noone.org/talks/whats-new-in-debian/

Versions of Important Packages
------------------------------

[cols="a,a,a,a"]
|===
|
* Kernel 4.19
* Xen 4.11
* glibc 2.28
* X.org 7.7 [small]#(unchanged)# + 1.20 [small]#(XServer)#
|
* GNOME 3.30
* KDE Plasma 5.14
* XFCE 4.12 [small]#(unchanged)#
|
* APT 1.8
* dpkg 1.19
* Git 2.20
* Aptitude 0.8.11
|
* Apache 2.4.38
* Nginx 1.14
* PHP 7.3
* OpenJDK 11
|
* GCC 8.3
* Clang/LLVM 6 + 7
|
* GNU Bash 5.0
* Zsh 5.7.1
|
* GNU Emacs 26.1
* Vim 8.1
|
* GNU Screen 4.6.2
* Tmux 2.8
|
* OpenSSH 7.9p1
* OpenVPN 2.4.7 [small]#(Stretch: 2.4.0)#
* OpenSSL 1.1.1
|
* PostgreSQL 11.3
* MariaDB 10.3
* Berkeley-DB 5.3.28 [small]#(unchanged)#
|
* Postfix 3.4
* Exim 4.92
* Dovecot 2.3.4
* Mutt 1.10 [small]#(without NeoMutt)#
* NeoMutt 20180716
|
* Perl 5.28
* Python 2.7.16 + 3.7.3
* Ruby 2.5.5
* Tcl/Tk 8.6.9
|
* LibreOffice 6.1
|
* Samba 4.9
|
* CUPS 2.2.10 [small]#(Stretch: 2.2.1)#
|
* BIND 9.11
// * Battle for Wesnoth 1.14
|===

New Things Outside of Packages
------------------------------

* Installation and operation under UEFI Secure Boot is supported.
* AppArmor is enabled by default.
* Substantially improved German-language man pages.
* `nf_tables` instead of `x_tables` is now the default backend for `iptables`. Switch via `update-alternatives`.
* Driverless printing with CUPS 2.2.10 and CUPS-Filters 1.21.6.
(AirPrint compatibility via DNS-SD aka Bonjour/ZeroConf)

Architectures/Hardware
~~~~~~~~~~~~~~~~~~~~~~

* No changes to the architectures
* Allwinner A64 support, which includes:
** FriendlyARM: NanoPi A64
** Olimex: A64-OLinuXino, TERES-A64
** PINE64: PINE A64/A64/A64-LTS, SOPINE, Pinebook
** SINOVOIP Banana Pi BPI-M64
** Xunlong Orange Pi Win(Plus).

What's New in the Debian Installer
----------------------------------

* Default installation has "merged /usr", i.e. `/usr/bin` is a symlink to `/bin`, etc.
** With `debootstrap` it can be turned off with the option `--no-merged-usr`.
* Cryptsetup uses the LUKS2 format by default (previously LUKS1)
** Metadata redundancy
** Detection of corrupted metadata
** Existing LUKS1 volumes are not converted.

APT
---

* Optional hardening of APT through seccomp-BPF sandboxes.
* Default settings of `unattended-upgrades` changed: upgrades to point releases are now also done "unattended" by default.

New Packages
------------

E-mail, Calendar, etc.
~~~~~~~~~~~~~~~~~~~~~~

* `astroid` - graphical notmuch email client
* `calendarserver` — Apple's Calendar and Contacts Server
* `mailman3` — Mailing list management system
* `neomutt` — command line mail reader based on Mutt, with added features
* `schleuder` — GPG-enabled mailing list manager with resending-capabilities
* `schleuder-cli` — command line tool to configure schleuder mailing lists
* `z-push` — open source implementation of the ActiveSync protocol (metapackage, ex `d-push`)
* `rainloop` — Simple, modern & fast web-based email client

New Packages
------------

Chat, IM and Microblogging
~~~~~~~~~~~~~~~~~~~~~~~~~~

* New Bitlbee (IRC-to-IM gateway) plugins
** `bitlbee-plugin-facebook` — IRC to other chat networks gateway (Facebook chat plugin)
** `bitlbee-plugin-mastodon` — Mastodon plugin for bitlbee IRC gateway
* `localslackirc` — IRC gateway for slack, running on localhost for one user
* Many packages around the Matrix protocol
** `matrix-synapse` — Matrix reference homeserver (unfortunately not the recently released version 1.0)
** `nheko` — desktop IM client for the Matrix protocol
** `quaternion` - desktop IM client for the Matrix protocol
** `revolt` — better desktop integration for Riot.im
* `telegram-desktop` — official telegram messaging app
* Tox clients (Wikipedia: "free peer-to-peer instant messaging and video telephony network protocol that enables encrypted data exchange", https://tox.chat/)
** `qtox` — Powerful Tox client that follows the Tox design guidelines
** `utox` — lightest and fluffiest Tox client
* `toot` — mastodon cli client
* `dino-im` — modern XMPP client — I have to poke fun here:
** "Dinos" are usually not modern but old.
** "If you are looking for a Conversations look-alike, this program might be for you." → So not for me.
;-)

New Packages
------------

Hardware and System Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* `autorandr` — Automatically select a display configuration for connected devices
* `ceni` — Curses interface to /etc/network/interfaces
* `chkboot` — detection of malicious changes for boot files
* `chkservice` — Tool for managing systemd units
* `cockpit` — Web Console for Linux servers
* `driverctl` — Device driver control utility for Linux
* `efitools` — Tools to manipulate EFI secure boot keys and signatures
* `hostfiles` — simple script to manage multiple sets of hostfiles
* `rear` — Bare metal disaster recovery and system migration framework
* `zram-tools` — utilities for working with zram
* `tuned` — daemon for monitoring and adaptive tuning of system devices
* `tuned-gtk` — GTK+ GUI for tuned

New Packages
------------

Version Control
~~~~~~~~~~~~~~~

* `brz` — easy to use distributed version control system (replacement for bzr)
* `git-lfs` — Git Large File Support
* `git-secret` — store encrypted credential inside source code git repository
* `git-secrets` — Prevents accidental commits of credentials

Development Tools
~~~~~~~~~~~~~~~~~

* `ccdiff` — Colored Character Diff
* `changeme` — Default credential scanner
* `debug-me` — secure remote debugging
* `pcc` — Portable C Compiler

New Packages
------------

Cryptography
~~~~~~~~~~~~

* `certspotter` — Certificate Transparency Log Monitor
* `tpm2-tools` — TPM 2.0 utilities
* `tomb` — crypto undertaker

Anonymity
~~~~~~~~~

* `i2p` — Invisible Internet Project (I2P) - anonymous network
* `onionshare` — Share a file over Tor Hidden Services anonymously and securely
* `tinyproxy-bin` — Lightweight, non-caching, optionally anonymizing HTTP proxy (executable only)

New Packages
------------

System Hardening
~~~~~~~~~~~~~~~~

* `hardening-runtime` — Runtime hardening configuration files
* `lockdown` — make it harder for attackers to compromise your system
* `infnoise` — Infinite Noise TRNG driver and tools
* `ntpsec` — Network Time
Protocol daemon and utility programs
* `ntpsec-ntpdate` — client for setting system time from NTP servers
* `usbauth` — USB firewall against BadUSB attacks
* `usbauth-notifier` — Notifier for USB Firewall to use with desktop environments

New Packages
------------

Audio/Video
~~~~~~~~~~~

* `butt` — multi OS streaming audio tool easy to use
* `opencubicplayer` — UNIX port of Open Cubic Player
* `photoflare` — Simple but powerful Image Editor
* `streamlink` — CLI for extracting video streams from various websites to a video player
* `taptempo` — command line tap tempo

Radio/SDR
~~~~~~~~~

* `cubicsdr` — Software Defined Radio receiver
* `dump1090-mutability` — ADS-B Ground Station System for RTL-SDR

3D Printing
~~~~~~~~~~~

* `cura` — GUI G-code generator for 3D printers

New Packages
------------

Self-Hosting
~~~~~~~~~~~~

Everything is in the cloud — E-oh E-oh!

* `freedom-maker` — FreedomBox image builder
* `freedombox` — easy to manage, privacy oriented home server
* `ftpsync` — Debian archive mirror tool
* `nextcloud-desktop` — Nextcloud folder synchronization tool
* `seafile-cli` — Client CLI for the Seafile Client
* `seafile-daemon` — Client daemon for the Seafile Client
* `seafile-gui` — Seafile Desktop Client

DNS
~~~

* `curvedns` — DNS/DNSCurve forwarding name server
* `knot-resolver` — caching, DNSSEC-validating DNS resolver
* `knot-resolver-module-http` — HTTP/2 module for Knot Resolver

New Packages
------------

Debian-Specific
~~~~~~~~~~~~~~~

* `debos` — Debian OS builder
* `dh-perl6` — debhelper add-on to simplify Perl 6 package building
* `lintian-brush` — automatically fix lintian problems
* `mmdebstrap` — create a Debian chroot
* `reportbug-gtk` — reports bugs in the Debian distribution (GTK+ UI)

Other Packaging Systems
~~~~~~~~~~~~~~~~~~~~~~~

* `fdroidcl` — F-Droid desktop client (via adb)
* `fdroidserver` — F-Droid build server and repository tools for Android
* `perl6-zef` — Perl 6 package manager
* `zypper` — command line software manager using libzypp

New Packages
------------

Web and Gopher: Browsers, Clients + Plugins
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* `falkon` — lightweight web browser based on Qt WebEngine
* `qutebrowser` — Keyboard-driven, vim-like browser based on PyQt5
* `sacc` — simple terminal gopher client
* `webext-umatrix` — browser plugin to block requests and reduce data leakage
* `wget2` — file and recursive website downloader

Web Servers
~~~~~~~~~~~

* `h2o` — optimized HTTP/1.x, HTTP/2 server
* `httpfs2` — FUSE filesystem for mounting files from http servers
* `janus` — general purpose WebRTC gateway
* `hddemux` — HTTP/1.x and DNS demultiplexer

New Packages
------------

Command-Line Helpers/Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~

* `exa` — Modern replacement for ls
* `fd-find` — Simple, fast and user-friendly alternative to find
* `lsmount` — is a small program for formatting the /proc/mounts output
* `px` — ps and top for human beings
* `imediff` — interactive full screen 2/3-way merge tool
* `ripgrep` — Recursively searches directories for a regex pattern

Toys
~~~~

* `hollywood` — fill your console with Hollywood melodrama technobabble
* `wallstreet` — fill your console with Wall Street-like news and stats

New Packages
------------

Terminal Emulators
~~~~~~~~~~~~~~~~~~

* `kitty` — fast, featureful, GPU based terminal emulator
* `terminology` — Enlightenment efl based terminal emulator
* `tilix` — Tiling terminal emulator for GNOME

Terminal Recording
~~~~~~~~~~~~~~~~~~

* `peek` — Simple animated GIF screen recorder with GUI
* `termrec` — terminal videos/scripts recorder and player

New Packages
------------

Monitoring/Logging
~~~~~~~~~~~~~~~~~~

* `iptables-netflow-dkms` — iptables target which generates netflows
* `irqtop` — Observe IRQ and SoftIRQ in a top-like fashion
* `netconsole` — Dynamically configure Linux netconsole
* `nagios4` — host/service/network monitoring and management system
* `netdata` — real-time performance monitoring (metapackage)
* `s-tui` — terminal UI for monitoring your
computer
* `xymonq` — query cli for Xymon
* `zabbix-cli` — Command-line interface for Zabbix monitoring system

Authentication
~~~~~~~~~~~~~~

* FreeIPA — centralized identity framework (various packages)
* `libpam-biometric` — Insertable authentication module for PAM
* `libpam-elogind` — elogind PAM module (alternative to `libpam-systemd`)

New Packages
------------

Stuff for Modern Desktops
~~~~~~~~~~~~~~~~~~~~~~~~~

* `elogind` — user, seat and session management daemon
* `grim` — command-line utility to make screenshots of Wayland desktops
* `usrmerge` — Convert the system to the merged /usr directories scheme
* `slurp` — cli utility to select a region in a Wayland compositor

Container Stuff
~~~~~~~~~~~~~~~

* `rkt` — CLI for running App Containers

Funny Package Names and Other Odd Things
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* `mess-desktop-entries` — Desktop entries for MESS ROMs
* `rebound` — Command-line tool to fetch Stack Overflow results when program execution error

New Packages
------------

JavaScript Libraries
~~~~~~~~~~~~~~~~~~~~

* `libjs-bootstrap4` — HTML, CSS and JS framework
* `libjs-vue` — Core library of the Vue JavaScript framework, browser build
* Lots of `libjs-jquery-*` packages.

JavaScript Packaging Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~

* `npm2deb` — tool to help debianize Node.js modules
* `yarnpkg` — Fast, reliable and secure npm alternative
* `uglifyjs` — JavaScript parser, mangler/compressor and beautifier (CLI tool)

New Packages
------------

Network Configuration + VPN
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* `libreswan` — Internet Key Exchange daemon
* `netplan.io` — YAML network configuration abstraction for various backends
* `network-manager-fortisslvpn` — network management framework (Fortinet SSLVPN plugin core)
* `network-manager-l2tp` — network management framework (L2TP plugin core)
* `network-manager-config-connectivity-debian` — NetworkManager configuration to enable connectivity check
* `quicktun` — very simple, yet secure VPN software

Forensics + Pen Testing
~~~~~~~~~~~~~~~~~~~~~~~

* `o-saft` — SSL advanced forensic tool
* `wifite` — Python script to automate wireless auditing using aircrack-ng tools

New Packages
------------

Reproducibility
~~~~~~~~~~~~~~~

* `reprounzip` — tool for reproducing scientific experiments (unpacker)
* `reprozip` — tool for reproducing scientific experiments (packer)
* `uprightdiff` — examine differences between two images

Init Systems, Watchdogs and Process Supervision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* `pid1` — signal handling and orphan reaping for Unix PID1 init processes
* `runit-init` — system-wide service supervision (as init system)
* `s6` — small and secure supervision software suite
* `tini` — tiny but valid init for containers

New Packages
------------

SSH
~~~

* `ssh-audit` — tool for ssh server auditing
* `ssh-tools` — collection of various tools using ssh
** ssh-ping: check if host is reachable using ssh_config
** ssh-version: shows version of the SSH server you are connecting to
** ssh-diff: diff a file over SSH
** ssh-facts: get some facts about the remote system
** ssh-hostkeys: prints server host keys in several formats
* `tinysshd` — Tiny SSH server (daemon)
** minimalistic SSH server which implements only a subset of SSHv2 features.
** supports only ED25519, Curve25519(X25519), CHACHA20POLY1305.
** implements only public-key authentication. (password and hostbased authentication are not implemented.)

New Packages
------------

Tmux
~~~~

* `tmux-themepack-jimeh` — pack of various themes for tmux by jimeh
* `tmuxp` — tmux session manager

TLDR Clients
~~~~~~~~~~~~

* `tldr` — Haskell tldr client
* `tldr-py` — Python client for tldr: simplified and community-driven man pages

New Packages
------------

* `canid` — Caching Additional Network Information Daemon
* `colorize` — Colorizes text on terminal with ANSI escape sequences
* `e-wrapper` — invoke your editor, with optional file:lineno handling
* `earlyoom` — Early OOM Daemon
* `feedreader` — simple client for online RSS services like tt-rss and others
* `fuse3` — Filesystem in Userspace (3.x version)
* `gost-crypto-dkms` — Linux kernel modules implementing GOST cryptography
* `iraf` — Image Reduction and Analysis Facility
* `lz4` — Fast LZ compression algorithm library (CLI tool)
* `markdent` — event-based Markdown parser toolkit (command-line tool)
* `pinentry-fltk` — FLTK-based PIN or pass-phrase entry dialog for GnuPG
* `rmlint` + `rmlint-gui` — Extremely fast tool to remove filesystem lint
* `rover` — text-based light-weight frontend for update-alternatives
* `teensy-loader-cli` — load and run programs onto your Teensy micro controller
* `usbtop` — utility to show bandwidth on USB buses and devices

And lots of `elpa-*` and `fonts-*` and `tesseract-ocr-*` packages

Back Again
----------

* `docker.io` — Linux container runtime
* `dokuwiki` — standards compliant simple to use wiki
* `icebreaker` — Break the iceberg
* `lilypond` — program for typesetting sheet music
* `npm` — package manager for Node.js
* `omegat` — Computer Assisted Translation (CAT) tool
* `photofilmstrip` — Slideshow creator with Ken Burns effect
* `tt-rss` — Tiny Tiny RSS - web-based news feed (RSS/Atom)
aggregator
* `xchat` — IRC client for X similar to AmIRC
* `inn` — News transport system "InterNetNews" (version 1.7.x, simpler than 2.x from the `inn2` package)

Not Included
------------

Not Yet Stable Enough in the Maintainer's View
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Wireguard — fast, modern, secure kernel VPN tunnel (various packages)

Accepted into Debian Only After the Freeze
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* `sway` — i3-compatible Wayland compositor
* `tootle` — Mastodon client
* `telegram-purple` - Purple plugin to support Telegram

RC-buggy
~~~~~~~~

* `telegram-cli` — Command-line interface for Telegram messenger (no longer builds)
* `amarok` — easy to use media player based on the KDE Platform (no longer builds)
* MongoDB - object/document-oriented database (various packages)
* `rpmlint` — RPM package checker
* GCC/CPP documentation
* `cuyo` — Tetris-like game with very impressive effects
* `ca-cacert` — CAcert.org root certificates
* `telnet-ssl` — telnet client with SSL encryption support
* `ftp-ssl` — FTP client with SSL or TLS encryption support
* `synergy` — Share mouse, keyboard and clipboard over the network
* `quicksynergy` — GUI for easy configuration of Synergy
* Netsurf — small web browser with CSS support for GTK and Framebuffer
* `pathspider` — Internet path transparency measurement tool
* `dosemu` — DOS Emulator for Linux [small]#(`dosbox` is still included)#

Removed Entirely
----------------

* `weboob`/`weboob-qt` - CLI/Qt applications to interact with websites
* `conkeror` — keyboard focused web browser with Emacs look and feel
* `aptsh` — apt interactive shell
* `shutter` — feature-rich screenshot program

No Security Updates
-------------------

No claim to completeness. For details see the file `/usr/share/debian-security-support/security-support-limited` from the package `debian-security-support`.

* Various web applications only behind HTTP-based password protection.
* QtWebKit, WebKitGtk (but not WebKit2Gtk), QtWebEngine and KHTML (and thus e.g. qutebrowser)

Versions That Did Not Make It into Buster
-----------------------------------------

… but already in Unstable or Experimental.

* Python 3.8
* Perl 5.30
* GCC 9.1
* LLVM 9 (pre-release)
* OpenJDK 13 (pre-release)

Derivatives Based on Debian 10 Buster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Grml 2018.12 "Gnackwatschn" (shortly before the freeze)
* Ubuntu 19.04 "Disco Dingo" (during the freeze)
* Raspbian Buster (released in advance together with the Raspberry Pi 4 on 24 June 2019)
* Devuan 3.0 "Beowulf" (probably only after the Buster release)

Known Problems When Upgrading
-----------------------------

If you already had `testing`, `buster` or `stable` in your `sources.list` and only use `aptitude`, it complains as follows:

----
E: Repository 'http://deb.debian.org/debian testing InRelease' changed its 'Codename' value from 'buster' to 'bullseye'
E: Failed to download some files
W: Failed to fetch http://deb.debian.org/debian/dists/testing/InRelease:
E: Some index files failed to download. They have been ignored, or old ones used instead.
----

Workaround: run `apt update` once and answer the questions with `y`.

More info: https://bugs.debian.org/915246

A First Look Ahead at Debian 11 Bullseye
----------------------------------------

New URLs for Security Updates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

APT repository URLs/lines for security updates change from

----
deb http://security.debian.org/ bullseye/updates …
----

to

----
deb http://security.debian.org/ bullseye-security …
----

so that they are no longer confused with the other stable updates under:

----
deb http://ftp.….debian.org/debian/ bullseye-updates …
----

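
One way to apply the suite rename to an existing `sources.list`, as an added example that is not part of the original slides: the function names and the sample entries are constructed for illustration, and only one-line `deb`/`deb-src` entries pointing at `security.debian.org` are handled.

```shell
#!/bin/sh
# Added example, not from the slides. Function names and sample entries
# are constructed for illustration.

# Rewrite one-line APT source entries read from stdin:
#   <codename>/updates  ->  <codename>-security
# $1 = codename, e.g. bullseye
migrate_security_suite() {
    awk -v cn="$1" '
        # Comments and blank lines pass through unchanged.
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        # Only "deb" and "deb-src" entries carry a suite.
        $1 != "deb" && $1 != "deb-src" { print; next }
        {
            # Layout: type [options ...] uri suite components...
            # An option block may span several whitespace-separated fields.
            i = 2
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = i; suite = i + 1
            # Touch only security entries whose suite is exactly the old
            # form, so "<codename>-updates" (stable updates) never matches.
            if (suite <= NF && $uri ~ /security\.debian\.org/ &&
                $suite == (cn "/updates")) {
                $suite = cn "-security"  # rebuilds the line with single spaces
            }
            print
        }
    '
}

# Constructed sample sources.list content (the keyring path is a placeholder).
sample_sources() {
    cat <<'EOF'
# constructed sample
deb http://deb.debian.org/debian/ bullseye main
deb http://security.debian.org/ bullseye/updates main contrib
deb-src [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] http://security.debian.org/ bullseye/updates main
deb http://deb.debian.org/debian/ bullseye-updates main
EOF
}

sample_sources | migrate_security_suite bullseye
```

On a real system, feed the function a copy of the file and review the result before replacing the original, since a wrong security suite means the host stops receiving security updates.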
Testing: Packages Must Be Built on Buildds
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Only those packages migrate from Debian Unstable to Debian Testing for which _all_ binary packages were built on Debian build daemons (buildd). (Exceptions: packages in `contrib` and `non-free`)

Initial uploads (into the so-called NEW queue), however, must still include all binary packages.

Links
-----

Slides
~~~~~~

- https://noone.org/talks/whats-new-in-debian/
- License: link:https://creativecommons.org/licenses/by-sa/3.0/de/[CC-SA-3.0-DE]
- Contact: Axel Beckert

Useful Resources
~~~~~~~~~~~~~~~~

- Official "What's new in Debian 10?" entry (amd64) in the release notes: https://www.debian.org/releases/buster/amd64/release-notes/ch-whats-new.de.html
- Installer images with firmware: https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/