Chapter 2. What's new in Debian 10

Table of Contents

2.1. Supported architectures
2.2. What's new in the distribution?
2.2.1. UEFI Secure Boot
2.2.2. AppArmor enabled per default
2.2.3. Optional hardening of APT
2.2.4. Unattended-upgrades for stable point releases
2.2.5. Substantially improved man pages for German speaking users
2.2.6. Network filtering based on nftables framework by default
2.2.7. Cryptsetup defaults to on-disk LUKS2 format
2.2.8. Driverless printing with CUPS 2.2.10
2.2.9. Basic support for Allwinner A64 based devices
2.2.10. News from Debian Med Blend
2.2.11. GNOME defaults to Wayland
2.2.12. Merged /usr on fresh installs
2.2.13. News from Debian Live team

The Wiki has more information about this topic.

2.1. Supported architectures

The following are the officially supported architectures for Debian 10:

  • 32-bit PC (i386) and 64-bit PC (amd64)

  • 64-bit ARM (arm64)

  • ARM EABI (armel)

  • ARMv7 (EABI hard-float ABI, armhf)

  • MIPS (mips (big-endian) and mipsel (little-endian))

  • 64-bit little-endian MIPS (mips64el)

  • 64-bit little-endian PowerPC (ppc64el)

  • IBM System z (s390x)

You can read more about port status, and port-specific information for your architecture at the Debian port web pages.

2.2. What's new in the distribution?

This new release of Debian again comes with a lot more software than its predecessor stretch; the distribution includes over 13370 new packages, for a total of over 57703 packages. Most of the software in the distribution has been updated: over 35532 software packages (this is 62% of all packages in stretch). Also, a significant number of packages (over 7278, 13% of the packages in stretch) have for various reasons been removed from the distribution. You will not see any updates for these packages and they will be marked as "obsolete" in package management front-ends; see Section 4.8, “Obsolete packages”.

Debian again ships with several desktop applications and environments. Among others it now includes the desktop environments GNOME 3.30, KDE Plasma 5.14, LXDE 10, LXQt 0.14, MATE 1.20, and Xfce 4.12.

Productivity applications have also been upgraded, including the office suites:

  • LibreOffice is upgraded to version 6.1;

  • Calligra is upgraded to 3.1.

  • GNUcash is upgraded to 3.4;

With buster, Debian for the first time brings a mandatory access control framework enabled per default. New installations of Debian buster will have AppArmor installed and enabled per default. See below for more information.

Besides, buster is the first Debian release to ship with Rust based programs such as Firefox, ripgrep, fd, exa, etc. and a significant number of Rust based libraries (more than 450). Buster ships with Rustc 1.34.

Updates of other desktop applications include the upgrade to Evolution 3.30.

Among many others, this release also includes the following software updates:

PackageVersion in 9 (stretch)Version in 10 (buster)
BIND DNS Server9.109.11
Dovecot MTA2.
Emacs24.5 and 25.126.1
Exim default e-mail server4.894.92
GNU Compiler Collection as default compiler6.37.4 and 8.3
the GNU C library2.242.28
Linux kernel image4.9 series4.19 series
LLVM/Clang toolchain3.76.0.1 and 7.0.1 (default)
Postfix MTA3.
Rustc 1.34

2.2.1. UEFI Secure Boot

Secure Boot is a feature enabled on most PCs that prevents loading unsigned code, protecting against some kinds of bootkit and rootkit.

Debian can now be installed and run on most PCs with Secure Boot enabled.

It is possible to enable Secure Boot on a system that has an existing Debian installation, if it already boots using UEFI. Before doing this, it's necessary to install shim-signed, grub-efi-amd64-signed or grub-efi-ia32-signed, and a Linux kernel package from buster.

Some features of GRUB and Linux are restricted in Secure Boot mode, to prevent modifications to their code.

More information can be found on the Debian wiki at SecureBoot.

2.2.2. AppArmor enabled per default

Debian buster has AppArmor enabled per default. AppArmor is a mandatory access control framework for restricting programs' capabilities (such as mount, ptrace, and signal permissions, or file read, write, and execute access) by defining per-program profiles.

The apparmor package ships with AppArmor profiles for several programs. Some other packages, such as evince, include profiles for the programs they ship. More profiles can be found in the apparmor-profiles-extra package.

AppArmor is pulled in due to a Recommends by the buster Linux kernel package. On systems that are configured to not install recommended packages by default, the apparmor package can be installed manually in order to enable AppArmor.

2.2.3. Optional hardening of APT

All methods provided by APT (e.g. http, and https) except for cdrom, gpgv, and rsh can make use of seccomp-BPF sandboxing as supplied by the Linux kernel to restrict the list of allowed system calls, and trap all others with a SIGSYS signal. This sandboxing is currently opt-in and needs to be enabled with:

      APT::Sandbox::Seccomp is a boolean to turn it on/off

Two options can be used to configure this further:

      APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
      APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow

2.2.4. Unattended-upgrades for stable point releases

Previous versions of unattended-upgrades defaulted to installing only upgrades that came from the security suite. In buster it now also automates upgrading to the latest stable point release. For details, see the package's NEWS.Debian file.

2.2.5. Substantially improved man pages for German speaking users

The documentation (man-pages) for several projects like systemd, util-linux and mutt has been substantially extended. Please install manpages-de to benefit from the improvements. During the lifetime of buster further new/improved translations will be provided within the backports archive.

2.2.6. Network filtering based on nftables framework by default

Starting with iptables v1.8.2 the binary package includes iptables-nft and iptables-legacy, two variants of the iptables command line interface. The nftables-based variant, using the nf_tables Linux kernel subsystem, is the default in buster. The legacy variant uses the x_tables Linux kernel subsystem. The update-alternatives system can be used to select one variant or the other.

This applies to all related tools and utilities:

  • iptables

  • iptables-save

  • iptables-restore

  • ip6tables

  • ip6tables-save

  • ip6tables-restore

  • arptables

  • arptables-save

  • arptables-restore

  • ebtables

  • ebtables-save

  • ebtables-restore

All these have also gained -nft and -legacy variants. The -nft option is for users who can't or don't want to migrate to the native nftables command line interface. However, users are strongly enouraged to switch to the nftables interface rather than using iptables.

nftables provides a full replacement for iptables, with much better performance, a refreshed syntax, better support for IPv4/IPv6 dual-stack firewalls, full atomic operations for dynamic ruleset updates, a Netlink API for third party applications, faster packet classification through enhanced generic set and map infrastructures, and many other improvements.

This change is in line with what other major Linux distributions are doing, such as RedHat, which now uses nftables as its default firewalling tool.

Also, please note that all iptables binaries are now installed in /usr/sbin instead of /sbin. A compatibility symlink is in place, but will be dropped after the buster release cycle. Hardcoded paths to the binaries in scripts will need to be corrected and are worth avoiding.

Extensive documentation is available in the package's README and NEWS files and on the Debian Wiki.

2.2.7. Cryptsetup defaults to on-disk LUKS2 format

The cryptsetup version shipped with Debian buster uses the new on-disk LUKS2 format. New LUKS volumes will use this format by default.

Unlike the previous LUKS1 format, LUKS2 provides redundancy of metadata, detection of metadata corruption, and configurable PBKDF algorithms. Authenticated encryption is supported as well, but still marked as experimental.

Existing LUKS1 volumes will not be updated automatically. They can be converted, but not all LUKS2 features will be available due to header size incompatibilities. See the cryptsetup manpage for more information.

Please note that the GNU GRUB bootloader doesn't support the LUKS2 format yet. See the corresponding documentation for further information on how to install Debian 10 with encrypted boot.

2.2.8. Driverless printing with CUPS 2.2.10

Debian 10 provides CUPS 2.2.10 and cups-filters 1.21.6. Together these give a user everything that is needed to take advantage of driverless printing. The principal requirement is that a network print queue or printer offers an AirPrint service. A modern IPP printer is highly likely to be AirPrint-capable; a Debian CUPS print queue is always AirPrint-enabled.

In essence, the DNS-SD (Bonjour) broadcasts from a CUPS server advertising a queue, or those from IPP printers, are capable of being displayed in the print dialogs of applications without any action being required on the part of a user. An additional benefit is that the use of non-free vendor printing drivers and plugins can be dispensed with.

A default installation of the cups package also installs the package cups-browsed; print queues and IPP printers will now be automatically set up and managed by this utility. This is the recommended way for a user to experience seamless and trouble-free driverless printing.

2.2.9. Basic support for Allwinner A64 based devices

Thanks to the efforts of the linux-sunxi community Debian buster will have basic suport for many devices based on the Allwinner A64 SoC. This includes FriendlyARM NanoPi A64; Olimex A64-OLinuXino and TERES-A64; PINE64 PINE A64/A64+/A64-LTS, SOPINE, and Pinebook; SINOVOIP Banana Pi BPI-M64; and Xunlong Orange Pi Win(Plus).

The essential features of these devices (e.g. serial console, ethernet, USB ports and basic video output) should work with the kernel from buster. More advanced features (e.g. audio or accelerated video) are included or scheduled to be included in later kernels, which will be made available as usual through the backports archive. See also the status page for the Linux mainlining effort.

2.2.10. News from Debian Med Blend

The Debian Med team has added several new packages and updates for software targeting life sciences and medicine. The effort to add Continuous Integration support for the packages in this field was (and will be) continued.

To install packages maintained by the Debian Med team, install the metapackages named med-*, which are at version 3.3 for Debian buster. Feel free to visit the Debian Med tasks pages to see the full range of biological and medical software available in Debian.

2.2.11. GNOME defaults to Wayland

Following upstream, GNOME in buster defaults to using the Wayland display server instead of Xorg. Wayland has a simpler and more modern design, which has advantages for security.

The Xorg display server is still installed by default and the default display manager still allows you to choose it as the display server for the next session, which may be needed if you want to use some applications (see Section 5.1.9, “Some applications don't work in GNOME on Wayland”).

People requiring accessibility features of the display server, e.g. global keyboard shortcuts, are recommended to use Xorg instead of Wayland.

2.2.12. Merged /usr on fresh installs

On fresh installs, the content of /bin, /sbin and /lib will be installed into their /usr counterpart by default. /bin, /sbin and /lib will be soft-links pointing at their directory counterpart under /usr/. In graphical form:

/bin → /usr/bin
/sbin → /usr/sbin
/lib → /usr/lib

When upgrading to buster, systems are left as they are, although the usrmerge package exists to do the conversion if desired. The project hosts a Wiki with most of the rationale.

This change shouldn't impact normal users that only run packages provided by Debian, but it may be something that people that use or build third party software want to be aware of.

2.2.13. News from Debian Live team

The Debian Live team is proud to introduce LXQt live ISOs as a new flavor. LXQt is a lightweight Qt desktop environment. It will not get in your way. It will not hang or slow down your system. It is focused on being a classic desktop with a modern look and feel.

The LXQt desktop environment offered in the Debian Live LXQt project is pure, unmodified, so you will get the standard desktop experience that the LXQt developers created for their popular operating system. Users are presented with the standard LXQt layout comprised of a single panel (taskbar) located on the bottom edge of the screen, which includes various useful applets, such as the Main Menu, task manager, app launcher, system tray area, and integrated calendar.

The buster live images come with something new that a bunch of other distributions have also adopted, which is the Calamares installer. Calamares is an independent installer project (they call it The universal installer framework) which offers a Qt based interface for installing a system. It doesn't replace debian-installer on the live images; rather, it serves a different audience.

Calamares is really easy to use, with friendly guided partitioning and really simple full-disk encryption setup. It doesn't cover all the advanced features of debian-installer (although it very recently got RAID support) and it doesn't have an unattended install mode either. However, for 95%+ of desktop and laptop users, Calamares is a much easier way to get a system installed, which makes it very appropriate for live systems. For anyone who needs anything more complicated, or who's doing a mass-install, debian-installer is still available in both text and GUI forms.

Debian Live Buster re-introduces the standard live image. This is a basic Debian image that contains a base Debian system without any graphical user interface. Because it installs from a squashfs image rather than installing the system files using dpkg, installation times are a lot faster than installing from a minimal Debian installation image.