Chapter 5. Issues to be aware of for squeeze

Table of Contents

5.1. Potential problems
5.1.1. Migration of disk drivers from IDE to PATA subsystem
5.1.2. mdadm metadata format change requires recent Grub
5.1.3. Xen upgrades
5.1.4. breakage with newer libdb
5.1.5. Potential issues with diversions of /bin/sh
5.1.6. Change in kernel policy regarding resource conflicts
5.2. LDAP support
5.3. sieve service moving to its IANA-allocated port
5.4. Security status of web browsers
5.5. KDE desktop
5.5.1. Upgrading from KDE 3
5.5.2. New KDE metapackages
5.6. GNOME desktop changes and support
5.6.1. GDM 2.20 and 2.30
5.6.2. Device and other administrative permissions
5.6.3. network-manager and ifupdown interaction
5.7. Graphics stack changes
5.7.1. Obsolete Xorg drivers
5.7.2. Kernel mode setting
5.7.3. Input device hotplug
5.7.4. X server zapping
5.8. Munin web path change
5.9. Shorewall upgrade instructions

5.1. Potential problems

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports and other information mentioned in Section 6.1, “Further reading”.

5.1.1. Migration of disk drivers from IDE to PATA subsystem

The new Linux kernel version provides different drivers for some PATA (IDE) controllers. The names of some hard disk, CD-ROM, and tape devices may change.

It is now recommended to identify disk devices in configuration files by label or UUID (unique identifier) rather than by device name, which will work with both old and new kernel versions. Upon upgrading to the squeeze version of the Debian kernel packages, the linux-base package will offer to do this conversion for you in the config files for most of the filesystem-related packages on the system, including the various bootloaders included in Debian. If you choose not to update the system configuration automatically, or if you are not using the Debian kernel packages, you must update device IDs yourself before the next system reboot to ensure the system remains bootable.

5.1.2. mdadm metadata format change requires recent Grub

The following only applies to users who want to let the grub-pc bootloader load the kernel directly off a RAID device created with mdadm 3.x and default values, or when the metadata version is explicitly set using -e. Specifically, this includes all arrays created during or after the installation of Debian squeeze. Arrays created with older mdadm versions, and RAIDs created with the command-line option -e 0.9 are not affected.

Versions of grub-pc older than 1.98+20100720-1 will not be able to boot directly off a RAID with the 1.x metadata formats (the new default is 1.2). To ensure a bootable system, please make sure to use grub-pc 1.98+20100720-1 or later, which is provided by Debian squeeze. An unbootable system may be rescued with Super Grub2 Disk or grml.

5.1.3. Xen upgrades

If you installed Xen on lenny, the default kernel booted by GRUB Legacy was the one providing a Xen hypervisor and dom0 support. This behavior has changed with GRUB 2 in squeeze: the non-Xen kernel will boot by default. If you need Xen and expect to boot with it by default, there are configuration hints at

Upgrades from lenny will not automatically install Xen version 4.0. You should install the xen-linux-system-2.6-xen-amd64 or xen-linux-system-2.6-xen-686 package to ensure the Xen hypervisor and suitable dom0 kernel are installed, and to make future upgrades easier.

Squeeze's 2.6.32 Xen kernel uses pvops instead of the forward-ported Xenlinux patch. This means that on squeeze your domU won't be able to use (for example) sda1 as a device name for its hard drive, since this naming scheme is not available under pvops. Instead you should use (as a corresponding example) xvda1, which is compatible with both old and new Xen kernels.

5.1.4. breakage with newer libdb

Some Berkeley Database version 7 files created with libdb3 cannot be read by newer libdb versions (see bug #521860). As a workaround, the files can be recreated with db4.8_load, from the db4.8-util package.

5.1.5. Potential issues with diversions of /bin/sh

If you have previously added a local diversion for /bin/sh, or modified the /bin/sh symlink to point to somewhere other than /bin/bash, then you may encounter problems when upgrading the dash or bash packages. Note that this includes changes made by allowing other packages (for example mksh) to become the default system shell by taking over /bin/sh.

If you encounter any such issues, please remove the local diversion and ensure that the symlinks for both /bin/sh and its manual page point to the files provided by the bash package and then dpkg-reconfigure --force dash.

    dpkg-divert --remove /bin/sh
    dpkg-divert --remove /usr/share/man/man1/sh.1.gz
    ln -sf bash /bin/sh
    ln -sf bash.1.gz /usr/share/man/man1/sh.1.gz

5.1.6. Change in kernel policy regarding resource conflicts

The default setting for the acpi_enforce_resources parameter in the Linux kernel has changed to be strict by default. This can lead some legacy sensor drivers to be denied access to the sensors' hardware. One workaround is to append acpi_enforce_resources=lax to the kernel command line.

5.2. LDAP support

A feature in the cryptography libraries used in the LDAP libraries causes programs that use LDAP and attempt to change their effective privileges to fail when connecting to an LDAP server using TLS or SSL. This can cause problems for suid programs on systems using libnss-ldap like sudo, su or schroot and for suid programs that perform LDAP searches like sudo-ldap.

It is recommended to replace the libnss-ldap package with libnss-ldapd, a newer library which uses separate daemon (nslcd) for all LDAP lookups. The replacement for libpam-ldap is libpam-ldapd.

Note that libnss-ldapd recommends the NSS caching daemon (nscd) which you should evaluate for suitability in your environment before installing. As an alternative to nscd you can consider unscd.

Further information is available in bugs #566351 and #545414.

5.3. sieve service moving to its IANA-allocated port

The IANA port allocated for ManageSieve is 4190/tcp, and the old port used by timsieved and other managesieve software in many distributions (2000/tcp) is allocated for Cisco SCCP usage, according to the IANA registry.

Starting with the version 4.38 of the Debian netbase package, the sieve service will be moved from port 2000 to port 4190 in the /etc/services file.

Any installs which used the sieve service name instead of a numeric port number will switch to the new port number as soon as the services are restarted or reloaded, and in some cases, immediately after /etc/services is updated.

This will affect Cyrus IMAP. This may also affect other sieve-enabled software such as DoveCot.

In order to avoid downtime problems, mail cluster administrators using Debian are urged to verify their Cyrus (and probably also DoveCot) installs, and take measures to avoid services moving from port 2000/tcp to port 4190/tcp by surprise in either servers or clients.

It is worth noting that:

  • /etc/services will only be automatically updated if you never made any modifications to it. Otherwise, you will be presented with a prompt by dpkg asking you about the changes.

  • You can edit /etc/services and change the sieve port back to 2000 if you want (this is not recommended, though).

  • You can edit /etc/cyrus.conf and any other relevant configuration files for your mail/webmail cluster (e.g. on the sieve web frontends) ahead of time to force them all to a static port number.

  • You can configure cyrus master to listen on both ports (2000 and 4190) at the same time, and thus avoid the problem entirely. This also allows for a much more smooth migration from port 2000 to port 4190.

5.4. Security status of web browsers

Debian 6.0 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers with backported security fixes. Additionally, library interdepencies make it impossible to update to newer upstream releases. As such, browsers built upon the qtwebkit and khtml engines are included in Squeeze, but not covered by full security support. We will make an effort to track down and backport security fixes, but in general these browsers should not be used against untrusted websites.

For general web browser use we recommend browsers building on the Mozilla xulrunner engine (Iceweasel and Iceape), browsers based on the Webkit engine (e.g. Epiphany) or Chromium. Xulrunner has had a history of good backportability for older releases over the previous release cycles.

Chromium —while built upon the Webkit codebase— is a leaf package, i.e. if backporting becomes no longer feasible, there's still the possibility of upgrading to a later upstream release (which is not possible for the webkit library itself).

Webkit is supported by upstream with a long term maintenance branch.

5.5. KDE desktop

Squeeze is the first Debian release to ship with the full support for the next generation KDE that is based on Qt 4. Most official KDE applications are at version 4.4.5 with the exception of kdepim that is at version 4.4.7. You can read the announcements from the KDE Project to learn more about the changes.

5.5.1. Upgrading from KDE 3

KDE 3 Desktop Environment is no longer supported in Debian 6.0. It will be automatically replaced by the new 4.4 series on upgrade. As this is a major change, users should take some precautions in order to ensure as smooth of an upgrade process as possible.


It is discouraged to upgrade while there is an active KDE 3 session on the system. Otherwise, the process might render the running session dysfunctional with the possibility of data loss.

Upon the first login on the upgraded system, existing users will be prompted with the Debian-KDE guided migration procedure called kaboom which will assist in the process of migrating the user's personal data and optionally backing up old KDE configuration. For more information, visit the Kaboom homepage.

While KDE 3 based desktop environment is no longer supported, users can still install and use some individual KDE 3 applications since the core libraries and binaries of KDE 3 (kdelibs) and Qt 3 are still available in Debian 6.0. However, please note that these applications might not be well integrated with the new environment. What's more, neither KDE 3 nor Qt 3 will be supported in any form in the next Debian release so if you are using them, you are strongly advised to port your software to the new platform.

5.5.2. New KDE metapackages

As noted earlier, Debian 6.0 introduces a new set of KDE related metapackages:

  • You are strongly advised to install the kde-standard package for normal desktop usage. kde-standard will pull in the KDE Plasma Desktop by default, and a selected set of commonly used applications.

  • If you want a minimal desktop you can install the kde-plasma-desktop package and manually pick the applications you need. This is a rough equivalent of the kde-minimal package as shipped in Debian 5.0.

  • For small form factor devices, there is an alternative environment called KDE Plasma Netbook that can be installed with the kde-plasma-netbook package. Plasma Netbook and Plasma Desktop can live in the same system and the default can be configured in System Settings (replacement of the former KControl).

  • If you want a full set of official KDE applications, you have the possibility to install the kde-full package. It will install KDE Plasma Desktop by default.

5.6. GNOME desktop changes and support

There have been many changes in the GNOME desktop environment from the version shipped in lenny to the version in squeeze, you can find more information in the GNOME 2.30 Release Notes. Specific issues are listed below.

5.6.1. GDM 2.20 and 2.30

The GNOME Display Manager (GDM), is kept at version 2.20 for systems upgraded from lenny. This version will still be maintained for the squeeze cycle but it is the last release to do so. Newly installed systems will get GDM 2.30 instead, provided by the gdm3 package. Because of incompatibilities between both versions, this upgrade is not automatic, but it is recommended to install gdm3 after the upgrade to squeeze. This should be done from the console, or with only one open GNOME session. Note that settings from GDM 2.20 will not be migrated. For a standard desktop system, however, simply installing gdm3 should be enough.

5.6.2. Device and other administrative permissions

Specific permissions on devices are granted automatically to the user currently logged on physically to the system: video and audio devices, network roaming, power management, device mounting. The cdrom, floppy, audio, video, plugdev and powerdev groups are no longer useful. See the consolekit documentation for more information.

Most graphical programs requiring root permissions now rely on PolicyKit to do so, instead of gksu. The recommended way to give a user administrative rights is to add it to the sudo group.

5.6.3. network-manager and ifupdown interaction

Upon upgrading the network-manager package, interfaces configured in /etc/network/interfaces to use DHCP with no other options will be disabled in that file, and handled by NetworkManager instead. Therefore the ifup and ifdown commands will not work. These interfaces can be managed using the NetworkManager frontends instead, see the NetworkManager documentation.

Conversely, any interfaces configured in /etc/network/interfaces with more options will be ignored by NetworkManager. This applies in particular to wireless interfaces used during the installation of Debian (see bug #606268).

5.7. Graphics stack changes

There have been a number of changes to the X stack in Debian 6.0. This section lists the most important and user-visible.

5.7.1. Obsolete Xorg drivers

The cyrix, imstt, sunbw2 and vga Xorg video drivers are no longer provided. Users should switch to a generic such as vesa or fbdev instead.

The old via driver was no longer maintained, and has been replaced by the openchrome driver, which will be used automatically after the upgrade.

The nv and radeonhd drivers are still present in this release, but are deprecated. Users should consider the nouveau and radeon drivers instead, respectively.

The calcomp, citron, digitaledge, dmc, dynapro, elo2300, fpit, hyperpen, jamstudio, magellan, microtouch, mutouch, palmax, spaceorb, summa, tek4957 and ur98 X input drivers have been discontinued and are not included in this release. Users of these devices might want to switch to a suitable kernel driver and the evdev X driver. For many serial devices, the inputattach utility allows attaching them to a Linux input device which can be recognized by the evdev X driver.

5.7.2. Kernel mode setting

Kernel drivers for Intel (starting from i830), ATI/AMD (from the original Radeon to the Radeon HD 5xxx Evergreen series) and for NVIDIA graphics chipsets now support native mode setting.

Support for old-style userspace mode setting is discontinued in the intel X driver, which requires a recent kernel. Users of custom kernels should make sure that their configuration includes CONFIG_DRM_I915_KMS=y.

5.7.3. Input device hotplug

The Xorg X server included in Debian 6.0 provides improved support for hotplugging of input devices (mice, keyboards, tablets, …). The old xserver-xorg-input-kbd and xserver-xorg-input-mouse packages are replaced by xserver-xorg-input-evdev, which requires a kernel with the CONFIG_INPUT_EVDEV option enabled. Additionally, some of the keycodes produced by this driver differ from those traditionally associated with the same keys. Users of programs like xmodmap and xbindkeys will need to adjust their configurations for the new keycodes.

5.7.4. X server zapping

Traditionally, the Ctrl+Alt+Backspace combination would kill the X server. This combination is no longer active by default, but can be re-enabled by reconfiguring the keyboard-configuration package (system-wide), or using your desktop environment's keyboard preferences application.

5.8. Munin web path change

For squeeze, the default location for the generated web content of munin has been changed from /var/www/munin to /var/cache/munin/www and therefore /etc/munin/munin.conf needs to be adapted on upgrades, if it has been changed by the admin. If you are upgrading, please read /usr/share/doc/munin/NEWS.Debian.gz.

5.9. Shorewall upgrade instructions

Users of the shorewall firewall should read the instructions at, also available as /usr/share/doc/shorewall-doc/html/LennyToSqueeze.html in the shorewall-doc package, upon upgrading to Debian 6.0.