Capítulo 5. Problemas a serem considerados para a stretch

Índice

5.1. Upgrade specific items for Stretch
5.1.1. Late mounting of /usr is no longer supported
5.1.2. Noteworthy obsolete packages
5.1.3. Deprecated components for Stretch
5.1.4. Things to do post upgrade before rebooting
5.1.5. Executables are now compiled as position independent executables (PIE) by default
5.1.6. 32-bit MIPS now requires an R2 processor
5.2. Limitações no suporte de segurança
5.2.1. Situação da segurança dos navegadores web
5.2.2. Falta de suporte de segurança para o ecossistema em torno da libv8 e Node.js
5.3. Package specific issues
5.3.1. Older ciphers and SSH1 protocol disabled in OpenSSH by default
5.3.2. Possible backwards incompatible changes to APT
5.3.3. The Xorg server is no longer setuid root by default
5.3.4. Upstart removed
5.3.5. The debhelper tool now generates dbgsym packages by default

Algumas vezes, mudanças introduzidas em uma nova versão têm efeitos colaterais que não podem ser evitados ou que acabam expondo bugs em outros locais. Esta seção documenta problemas conhecidos. Por favor, também leia a errata, a documentação dos pacotes relevantes, relatórios de bugs e outras informações mencionadas na Seção 6.1, “Leitura complementar”.

5.1. Upgrade specific items for Stretch

This section covers items related to the upgrade from Jessie to Stretch

5.1.1. Late mounting of /usr is no longer supported

[Nota]Nota

This section only applies to systems using a custom kernel, where /usr is on a separate mount point from /. If you use the kernel packages provided by Debian, you are unaffected by this issue.

Mounting of /usr using only tools found in / is no longer supported. This has only worked for a few specific configurations in the past, and now they are explicitly unsupported.

This means that for stretch all systems where /usr is a separate partition need to use an initramfs generator that will mount /usr. All initramfs generators in Stretch do so.

5.1.2. Noteworthy obsolete packages

The following is a list of known and noteworthy obsolete packages (see Seção 4.8, “Pacotes obsoletos” for a description).

The list of obsolete packages includes:

5.1.3. Deprecated components for Stretch

With the next release of Debian 10 (codenamed Buster) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to 10.

This includes the following features:

  • TODO: Add items if any

5.1.4. Things to do post upgrade before rebooting

When apt-get dist-upgrade has finished, the formal upgrade is complete, but there are some other things that should be taken care of before the next reboot.


      add list of items here
      
    

5.1.5. Executables are now compiled as position independent executables (PIE) by default

[Nota]Nota

This section mainly intended for developers or system administrators. Desktop users are unlikely to be affected by this section.

By default, the GNU GCC 6 compiler provided by Debian stretch will compile all executables as position independent. This provides a mitigation for an entire class of vulnerabilities, but it also leads to some changes that are worth being aware of.

  • The file tool (among other) will classify such binaries as "shared object" rather than an "executable". If you have filters based on binary files, these may need to be updated (e.g. spamfilters).

  • Static libraries being compiled into an executable now also need to be compiled as position independent code. The following error message from the linker is a symptom of this:

    relocation ... against '[SYMBOL]' can not be used when making a shared object; recompile with -fPIC
    

  • Historically, position independent executables have been associated with performance loss on some hardware. Notably the Debian architecture i386 (32-bit Intel machines). While GCC 5 and GCC 6 have greatly improved performance for position independent executables on 32-bit Intel, this optimisation may not be applicable to all architectures. Please consider evaluating the performance of your code if you are targetting machine architectures with very limited number of registers.

5.1.6. 32-bit MIPS now requires an R2 processor

The 32-bit MIPS support (both big and little endian) now requires a processor supporting MIPS32 Release 2 of the MIPS instruction set. Notably the Loongson-2E/2F and systems based on them (including the Yeeloong laptop) are no longer supported.

The following shell script can be used to indicate if your machine supports R2 (assuming only one type of processor is present). Note that Loongson-3 processors are supported even though they only claim to support MIPS32 Release 1.

if grep -E -q '^isa.*\bmips(32|64)r2\b' /proc/cpuinfo; then
	echo "OK (R2 supported)"
elif grep -q '^cpu model.*\bICT Loongson-3\b' /proc/cpuinfo; then
	echo "OK (Loongson 3)"
else
	echo "NOT OK: R2 not supported"
fi

5.2. Limitações no suporte de segurança

Há alguns pacotes onde o Debian não pode prometer fornecer portes retroativos mínimos para problemas de segurança. Esses são abordados nas subseções a seguir.

Note that the package debian-security-support helps to track security support status of installed packages.

5.2.1. Situação da segurança dos navegadores web

O Debian 9 inclui diversos motores de navegadores que são afetados por um fluxo constante de vulnerabilidades de segurança. A alta taxa de vulnerabilidades e a ausência parcial de suporte do upstream na forma de ramos de longo prazo tornam muito difícil o suporte a esses navegadores com correções de segurança portadas retroativamente. Além disso, as interdependências das bibliotecas tornam impossível atualizar para uma versão upstream mais nova. Por isso, navegadores feitos sobre os motores webkit, qtwebkit e khtml foram incluídos no Stretch, mas não estão cobertos pelo suporte de segurança. Esses navegadores não devem ser usados em sites web não confiáveis.

Para uso geral de navegador web recomendamos Firefox ou Chromium.

Chromium - enquanto construído sobre a base de código Webkit - é um pacote sem dependência, que será mantido atualizado através da reconstrução das versões atuais do Chromium para a estável. O Firefox e o Icedove também serão mantidos atualizados através da reconstrução das versões ESR atuais para a estável.

5.2.2. Falta de suporte de segurança para o ecossistema em torno da libv8 e Node.js

A plataforma Node.js é construída em cima da libv8-3.14, que vivencia um alto volume de problemas de segurança, mas atualmente não há voluntários no projeto ou na equipe de segurança suficientemente interessados e dispostos a gastar a grande quantidade de tempo necessária para conter esses problemas encontrados.

Infelizmente, isso significa que a libv8-3.14, o nodejs e o ecossistema de pacotes node-* associados não devem ser atualmente utilizados com conteúdo não confiável, tal como dados não avaliados oriundos da Internet.

In addition, these packages will not receive any security updates during the lifetime of the Stretch release.

5.3. Package specific issues

In most cases, packages should upgrade smoothly between Jessie and Stretch. There are a small number of cases where some intervention may be required, either before or during the upgrade; these are detailed below on a per-package basis.

5.3.1. Older ciphers and SSH1 protocol disabled in OpenSSH by default

The OpenSSH 7 release has disabled some older ciphers and the SSH1 protocol by default. Please be careful when upgrading machines, where you only have SSH access.

Please refer to the OpenSSH documentation for more information.

5.3.2. Possible backwards incompatible changes to APT

This section covers some of the incompatible changes to APT that may affect your system.

5.3.2.1. APT now fetches files with an unprivileged user ("_apt")

APT will now attempt to discard all root privileges before fetching files from mirrors. APT can detect some common cases where this will fail and fallback to fetching things as root with a warning. However, it may fail to detect some exotic setups (e.g. uid-specific firewall rules).

If you experience issues with this feature, please change to the "_apt" user and check that it:

  • has read access to files in /var/lib/apt/lists and /var/cache/apt/archives.

  • has read access to the APT trust store (/etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/)

  • can resolve DNS names and download files. Example methods for testing:

    # From the dnsutils package (if using tor, please check with tor-resolve instead).
    $ nslookup debian.org >/dev/null || echo "Cannot resolve debian.org"
    $ wget -q https://debian.org/ -O- > /dev/null || echo "Cannot download index page of debian.org"
    

    For DNS issues, please check that /etc/resolv.conf is readable.

5.3.2.2. New requirements for APT repository

[Nota]Nota

This section only applies if you have (or intend to use) third-party repositories enabled or if you maintain an APT repository.

To improve the download stability and ensure security of the downloaded content, APT now requires the following from an APT repository:

  • The InRelease file must be available

  • All metadata must include at least SHA256 checksums of all items. This includes the gpg signature of the InRelease file.

  • Signatures on the InRelease file should be done with a key at the size of 2048 bit or larger.

If you rely on a third-party repository that cannot comply with the above, please urge them to upgrade their repository. More information about the InRelease file can be found on the Debian Wiki.

5.3.3. The Xorg server is no longer setuid root by default

[Nota]Nota

This change only applies if your X Display Manager supports running X as rootless (or if you start X manually via startx). Currently the only known display manager supporting this is gdm. Other display managers simply start X as root regardless of this change.

This reduces the risk of privilege escalation via bugs in the X server. However, it has some requirements for working:

  • It needs logind and libpam-systemd.

  • It needs a kernel video driver (as Xorg cannot talk directly to the hardware anymore).

  • It needs to run on the virtual console it was started from.

When run as a regular user, the Xorg log will be available from ~/.local/share/xorg/.

If these requirements are not possible, please install the xserver-xorg-legacy package to reinstate the setuid Xorg.

5.3.4. Upstart removed

Due to the lack of upstream maintainers, the Upstart init system has been removed from Stretch. If your system relies on this package, you should note that it will not be updated during the lifetime of Debian 9, and starting from Debian 10 (Buster), upstart jobs could be removed from packages.

Please consider switching to a supported init system, like systemd or openrc.

5.3.5. The debhelper tool now generates dbgsym packages by default

[Nota]Nota

This section mainly intended for developers or organizations that build their own debian packages.

The debhelper tool suite will now generate "dbgsym" packages by default for ELF binaries. If you develop and package binaries, please check that your tooling supports these extra auto-generated packages.

If you use reprepro, you want to upgrade it to at least version 4.17.0. At the time of writing, the aptly does not support dbgsym packages.

Should your tooling be unable to cope with these gracefully, you can ask debhelper to disable this feature by adding "noautodbgsym" in the DEB_BUILD_OPTIONS variable of your build service. Please see the dh_strip manpage for more information