Chapter 5. Issues to be aware of for bookworm

Table of Contents

5.1. Upgrade specific items for bookworm
5.1.1. Non-free firmware moved to its own component in the archive
5.1.2. Puppet configuration management system upgraded to 7
5.1.3. youtube-dl replaced with yt-dlp
5.1.4. Things to do post upgrade before rebooting
5.2. Items not limited to the upgrade process
5.2.1. Limitations in security support
5.2.2. Python Interpreters marked externally-managed
5.2.3. Something
5.3. Obsolescence and deprecation
5.3.1. Noteworthy obsolete packages
5.3.2. Deprecated components for bookworm
5.3.3. No-longer-supported hardware
5.4. Known severe bugs

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.

5.1. Upgrade specific items for bookworm

This section covers items related to the upgrade from bullseye to bookworm.

5.1.1. Non-free firmware moved to its own component in the archive

As described in Section 2.2, “Archive areas”, non-free firmware packages are now served from a dedicated archive component, called non-free-firmware. To ensure installed non-free firmware packages receive proper upgrades, changes to the APT configuration are required. Assuming the non-free component was only added to the APT sources list to install firmware, the updated APT sources list entry could look like:

deb bookworm main non-free-firmware

If you were pointed to this chapter by apt you can prevent it from continuously notifying you about this change by creating an apt.conf(5) file named /etc/apt/apt.conf.d/no-bookworm-firmware.conf with the following content:

APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";
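
An added example (not part of the Debian release notes): a shell function that lists APT source entries for bookworm suites that still enable non-free without non-free-firmware, which is worth checking before silencing the warning. It assumes the classic one-line sources format (not deb822 .sources files); the function name, mirror.example and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag one-line-style APT entries for bookworm suites that
# enable "non-free" without "non-free-firmware".

# $1: path to a sources.list-style file. Prints "LINENO: entry" per hit.
needs_firmware_component() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }               # blank lines, comments
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2
            # Skip an optional [ option=value ... ] block; it may span fields.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if ($(i + 1) !~ /^bookworm/) next       # field after the URI is the suite
            nonfree = 0; firmware = 0
            for (i += 2; i <= NF; i++) {
                if ($i ~ /^#/) break                # trailing comment
                if ($i == "non-free") nonfree = 1
                if ($i == "non-free-firmware") firmware = 1
            }
            if (nonfree && !firmware) printf "%d: %s\n", FNR, $0
        }
    ' "$1"
}

# Constructed sample input; mirror.example is a placeholder host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sources.list
deb http://mirror.example/debian bookworm main contrib non-free
deb [ arch=amd64 ] http://mirror.example/debian bookworm-updates main non-free
deb http://mirror.example/debian bookworm main non-free non-free-firmware
deb http://mirror.example/debian bullseye main non-free
deb http://mirror.example/debian-security bookworm-security main
EOF
needs_firmware_component "$sample"   # reports lines 2 and 3 only
rm -f "$sample"
```

On a real system, call the function for /etc/apt/sources.list and for each /etc/apt/sources.list.d/*.list file.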

5.1.2. Puppet configuration management system upgraded to 7

Puppet has been upgraded from 5 to 7, skipping the Puppet 6 series altogether. This introduces major changes to the Puppet ecosystem.

The classic Ruby-based Puppet Master 5.5.x application has been deprecated upstream and is no longer available in Debian. It is replaced by Puppet Server 7.x, provided by the puppetserver package. The package is automatically installed as a dependency of the transitional puppet-master package.

In some cases, Puppet Server is a drop-in replacement for Puppet Master, but you should review the configuration files available under /etc/puppet/puppetserver to ensure the new defaults are suitable for your deployment. In particular, the legacy format for the auth.conf file is deprecated; see the auth.conf documentation for details.

The recommended approach is to upgrade the server before clients. The Puppet 7 Server is backwards compatible with older clients; a Puppet 5 Server can still handle upgraded agents but cannot register new Puppet 7 agents. So if you deploy new Puppet 7 agents before upgrading the server, you will not be able to add them to the fleet.

The puppet package has been replaced by the puppet-agent package and is now a transitional package to ensure a smooth upgrade.

Finally, the puppetdb package was removed in bullseye but is reintroduced in bookworm.

5.1.3. youtube-dl replaced with yt-dlp

The popular tool youtube-dl, which can download videos from a large variety of websites (including, but not limited to, YouTube), is no longer included in Debian. It has been replaced with an empty transitional package that pulls in the yt-dlp package instead. yt-dlp is a fork of youtube-dl where new development is currently happening.

There are no compatibility wrappers provided, so you'll need to modify your scripts and personal behavior to call yt-dlp instead of youtube-dl. The functionality should be mostly the same, although some options and behavioral details have changed. Be sure to check yt-dlp's man page for details, and in particular the Differences in default behavior section.

5.1.4. Things to do post upgrade before rebooting

When apt full-upgrade has finished, the formal upgrade is complete. For the upgrade to bookworm, there are no special actions needed before performing a reboot.


5.2. Items not limited to the upgrade process

5.2.1. Limitations in security support

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.


The package debian-security-support helps to track the security support status of installed packages.

Security status of web browsers and their rendering engines

Debian 12 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bookworm, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk and wpewebkit engines are covered by security support.

For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.

OpenJDK 21

Debian bookworm comes with an early access version of OpenJDK 21 (the next expected OpenJDK LTS version after OpenJDK 17), to avoid the rather tedious bootstrap process. The plan is for OpenJDK 21 to receive an update in bookworm to the final upstream release announced for September 2023, followed by security updates on a best effort basis, but users should not expect to see updates for every quarterly upstream security update.

Go-based packages

The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. Before buster this wasn't a problem in practice, but with the growth of the Go ecosystem it means that Go-based packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.

If updates are warranted for Go development libraries, they can only come via regular point releases, which may be slow in arriving.

5.2.2. Python Interpreters marked externally-managed

The Debian-provided python3 interpreter packages (python3.11 and pypy3) are now marked as being externally-managed, following PEP-668. The version of python3-pip provided in Debian follows this, and will refuse to manually install packages on Debian's Python interpreters unless the --break-system-packages option is specified.

If you need to install a Python application (or version) that isn't packaged in Debian, we recommend that you install it with pipx (in the pipx Debian package). pipx will set up an environment isolated from other applications and system Python modules, and install the application and its dependencies into that.

If you need to install a Python library module (or version) that isn't packaged in Debian, we recommend installing it into a virtualenv, where possible. You can create virtualenvs with the venv Python stdlib module (in the python3-venv Debian package) or the virtualenv Python 3rd-party tool (in the virtualenv Debian package). For example, instead of running pip install --user foo, run:

mkdir -p ~/.venvs && python3 -m venv ~/.venvs/foo && ~/.venvs/foo/bin/python -m pip install foo

to install it in a dedicated virtualenv.

See /usr/share/doc/python3.11/README.venv for more details.

5.2.3. Something


5.3. Obsolescence and deprecation

5.3.1. Noteworthy obsolete packages

The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).


The list of obsolete packages includes:

  • The foo package has been removed from bookworm. The successor of foo is bar.

  • The libnss-ldap package has been removed from bookworm. Its functionalities are now covered by libnss-ldapd and libnss-sss.

  • The libpam-ldap package has been removed from bookworm. Its replacement is libpam-ldapd.

  • The fdflush package has been removed from bookworm. In its stead, please use blockdev --flushbufs from util-linux.

5.3.2. Deprecated components for bookworm

With the next release of Debian 13 (codenamed trixie) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 13.

This includes the following features:

  • Development of the NSS service gw_name stopped in 2015. The associated package libnss-gw-name may be removed in future Debian releases. The upstream developer suggests using libnss-myhostname instead.

5.3.3. No-longer-supported hardware

For a number of `arch`-based devices that were supported in bullseye, it is no longer viable for Debian to build the required Linux kernel, due to hardware limitations. The unsupported devices are:

  • foo

Users of these platforms who wish to upgrade to bookworm nevertheless should keep the bullseye APT sources enabled. Before upgrading they should add an APT preferences file containing:

Package: linux-image-marvell
Pin: release n=bullseye
Pin-Priority: 900

The security support for this configuration will only last until bullseye's End Of Life.

5.4. Known severe bugs

Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process, all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing bookworm can be found in the Debian Bug Tracking System. The following bugs were affecting bookworm at the time of the release and are worth mentioning in this document:

Bug number    Package (source or binary)    Description
922981        ca-certificates-java          ca-certificates-java: /etc/ca-certificates/update.d/jks-keystore doesn't update /etc/ssl/certs/java/cacerts

[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk and the new wpewebkit.