Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.
This section covers items related to the upgrade from bullseye to bookworm.
As described in Section 2.2, “Archive areas”, non-free firmware packages are now served from a dedicated archive component, called non-free-firmware. To ensure installed non-free firmware packages receive proper upgrades, changes to the APT configuration are required. Assuming the non-free component was only added to the APT sources-list to install firmware, the updated APT source-list entry could look like:
deb https://deb.debian.org/debian bookworm main non-free-firmware
If you were pointed to this chapter by apt you can prevent it from continuously notifying you about this change by creating an apt.conf(5) file named /etc/apt/apt.conf.d/no-bookworm-firmware.conf with the following content:
APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";
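The check below is an added example, not part of the release notes: it finds one-line-style entries for bookworm suites that still list non-free without non-free-firmware, and can rewrite them under the assumption stated above (non-free was only enabled for firmware). The helper name audit_sources and the sample entries are constructed for illustration; deb822-style .sources files are not handled.

```shell
#!/bin/sh
# Added example, not part of the release notes: audit one-line-style APT
# entries for the bookworm non-free-firmware change.

# Constructed sample; a real run would feed /etc/apt/sources.list and
# /etc/apt/sources.list.d/*.list to the function instead.
SAMPLE='# constructed sample entries
deb https://deb.debian.org/debian bookworm main non-free
deb [arch=amd64] https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian bullseye main non-free
deb-src https://deb.debian.org/debian bookworm main'

# audit_sources MODE (hypothetical helper), entries on stdin:
#   list  print bookworm entries that enable non-free but not
#         non-free-firmware; exit status 1 if any were found
#   fix   print all lines, rewriting those entries on the release notes'
#         assumption that non-free was only enabled for firmware
audit_sources() {
    awk -v mode="$1" '
        function emit() { if (mode == "fix") print }
        # Comments, blank lines and anything that is not an entry.
        $1 != "deb" && $1 != "deb-src" { emit(); next }
        {
            i = 2
            # Skip an optional [option=value ...] block before the URI.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)
            nf = 0; fw = 0
            for (j = i + 2; j <= NF; j++) {
                if ($j == "non-free") nf = j
                if ($j == "non-free-firmware") fw = j
            }
            # Only bookworm suites (incl. bookworm-updates etc.) matter.
            if (suite !~ /^bookworm/ || !nf || fw) { emit(); next }
            found = 1
            if (mode == "fix") $nf = "non-free-firmware"
            print
        }
        END { if (mode == "list") exit (found + 0) }
    '
}

# Demo on the sample: prints the single entry that needs changing.
printf '%s\n' "$SAMPLE" | audit_sources list || echo "update the entries above" >&2
```

If non-free is still needed for packages other than firmware, add non-free-firmware alongside it by hand instead of using the fix mode.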
Puppet has been upgraded from 5 to 7, skipping the Puppet 6 series altogether. This introduces major changes to the Puppet ecosystem.
The classic Ruby-based Puppet Master 5.5.x application has been deprecated upstream and is no longer available in Debian. It is replaced by Puppet Server 7.x, provided by the puppetserver package. The package is automatically installed as a dependency of the transitional puppet-master package.
In some cases, Puppet Server is a drop-in replacement for Puppet Master, but you should review the configuration files available under /etc/puppet/puppetserver to ensure the new defaults are suitable for your deployment. In particular, the legacy format for the auth.conf file is deprecated; see the auth.conf documentation for details.
The recommended approach is to upgrade the server before clients. The Puppet 7 Server is backwards compatible with older clients; a Puppet 5 Server can still handle upgraded agents but cannot register new Puppet 7 agents. So if you deploy new Puppet 7 agents before upgrading the server, you will not be able to add them to the fleet.
The puppet package has been replaced by the puppet-agent package and is now a transitional package to ensure a smooth upgrade.
Finally, the puppetdb package was removed in bullseye but is reintroduced in bookworm.
The popular tool youtube-dl, which can download videos from a large variety of websites (including, but not limited to, YouTube), is no longer included in Debian. It has been replaced with an empty transitional package that pulls in the yt-dlp package instead. yt-dlp is a fork of youtube-dl where new development is currently happening.
There are no compatibility wrappers provided, so you'll need to modify your scripts and personal behavior to call yt-dlp instead of youtube-dl. The functionality should be mostly the same, although some options and behavioral details have changed. Be sure to check yt-dlp's man page for details, and in particular the Differences in default behavior section.
When apt full-upgrade has finished, the “formal” upgrade is complete. For the upgrade to bookworm, there are no special actions needed before performing a reboot.
When apt full-upgrade has finished, the “formal” upgrade is complete, but there are some other things that should be taken care of before the next reboot.
add list of items here
There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.
![]() | Note |
---|---|
The package |
Debian 12 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bookworm, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk and wpewebkit engines are covered by security support.
For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.
Debian bookworm comes with an early access version of OpenJDK 21 (the next expected OpenJDK LTS version after OpenJDK 17), to avoid the rather tedious bootstrap process. The plan is for OpenJDK 21 to receive an update in bookworm to the final upstream release announced for September 2023, followed by security updates on a best effort basis, but users should not expect to see updates for every quarterly upstream security update.
The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. Before buster this wasn't a problem in practice, but with the growth of the Go ecosystem it means that Go-based packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.
If updates are warranted for Go development libraries, they can only come via regular point releases, which may be slow in arriving.
The Debian provided python3 interpreter packages (python3.11 and pypy3) are now marked as being externally-managed, following PEP-668. The version of python3-pip provided in Debian follows this, and will refuse to manually install packages on Debian's python interpreters, unless the --break-system-packages option is specified.
If you need to install a Python application (or version) that isn't packaged in Debian, we recommend that you install it with pipx (in the pipx Debian package). pipx will set up an environment isolated from other applications and system Python modules, and install the application and its dependencies into that.
If you need to install a Python library module (or version) that isn't packaged in Debian, we recommend installing it into a virtualenv, where possible. You can create virtualenvs with the venv Python stdlib module (in the python3-venv Debian package) or the virtualenv Python 3rd-party tool (in the virtualenv Debian package). For example, instead of running pip install --user foo, run:
mkdir -p ~/.venvs && python3 -m venv ~/.venvs/foo && ~/.venvs/foo/bin/python -m pip install foo
to install it in a dedicated virtualenv.
See /usr/share/doc/python3.11/README.venv for more details.
The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).
TODO: Use the change-release information and sort by popcon This needs to be reviewed based on real upgrade logs (jfs) Alternative, another source of information is the UDD 'not-in-testing' page: https://udd.debian.org/bapase.cgi?t=testing
The list of obsolete packages includes:
The foo package has been removed from bookworm. The successor of foo is bar.
The libnss-ldap package has been removed from bookworm. Its functionalities are now covered by libnss-ldapd and libnss-sss.
The libpam-ldap package has been removed from bookworm. Its replacement is libpam-ldapd.
The fdflush package has been removed from bookworm. In its stead, please use blockdev --flushbufs from util-linux.
With the next release of Debian 13 (codenamed trixie) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 13.
This includes the following features:
For a number of `arch`-based devices that were supported in bullseye, it is no longer viable for Debian to build the required Linux kernel, due to hardware limitations. The unsupported devices are:
foo
Users of these platforms who wish to upgrade to bookworm nevertheless should keep the bullseye APT sources enabled. Before upgrading they should add an APT preferences file containing:
Package: linux-image-marvell
Pin: release n=bullseye
Pin-Priority: 900
The security support for this configuration will only last until bullseye's End Of Life.
Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing bookworm can be found in the Debian Bug Tracking System. The following bugs were affecting bookworm at the time of the release and worth mentioning in this document:
Bug number | Package (source or binary) | Description |
---|---|---|
922981 | ca-certificates-java | ca-certificates-java: /etc/ca-certificates/update.d/jks-keystore doesn't update /etc/ssl/certs/java/cacerts |
[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk and the new wpewebkit.