Chapter 5. Issues to be aware of for bullseye

Table of Contents

5.1. Upgrade specific items for bullseye
5.1.1. New VA-API default driver for Intel GPUs
5.1.2. The XFS file system no longer supports barrier/nobarrier option
5.1.3. Changed security archive layout
5.1.4. Password hashing uses yescrypt by default
5.1.5. NSS NIS and NIS+ support require new packages
5.1.6. Config file fragment handling in unbound
5.1.7. rsync parameter deprecation
5.1.8. Vim addons handling
5.1.9. OpenStack and cgroups v1
5.1.10. Noteworthy obsolete packages
5.1.11. Deprecated components for bullseye
5.1.12. Things to do post upgrade before rebooting
5.2. Limitations in security support
5.3. Package specific issues
5.3.1. Accessing GNOME Settings app without mouse

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.

5.1. Upgrade specific items for bullseye

This section covers items related to the upgrade from buster to bullseye.

5.1.1. New VA-API default driver for Intel GPUs

For Intel GPUs available with Broadwell and newer, the Video Acceleration API (VA-API) implementation now defaults to intel-media-va-driver for hardware accelerated video decoding. Systems which have va-driver-all installed will automatically be upgraded to the new driver.

The legacy driver package i965-va-driver is still available and offers support up to the Cannon Lake micro architecture. To prefer the legacy driver over the new default one, set the environment variable LIBVA_DRIVER_NAME to i965, for instance by setting the variable in /etc/environment. For more information, please see the Wiki's page on hardware video acceleration.

5.1.2. The XFS file system no longer supports barrier/nobarrier option

Support for the barrier and nobarrier mount options has been removed from the XFS file system. It is recommended to check /etc/fstab for the presence of either keyword and remove it. Partitions using these options will fail to mount.
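
One way to carry out that check before upgrading, as an added example (not part of the original release notes). The function name and the sample fstab are constructed for illustration; point the function at /etc/fstab on a real system.

```shell
#!/bin/sh
# Added example: list XFS entries in an fstab-format file that still carry
# the removed barrier/nobarrier mount options.

# find_xfs_barrier FILE -> "line-number mount-point option" per hit ("-" = stdin)
find_xfs_barrier() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $3 == "xfs" {
            n = split($4, opts, ",")           # 4th field is the option list
            for (i = 1; i <= n; i++)
                if (opts[i] == "barrier" || opts[i] == "nobarrier")
                    print NR, $2, opts[i]
        }
    ' "$1"
}

# Constructed sample fstab (not from a real system). The ext4 line is there
# to show that only XFS entries are reported.
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111 /      ext4 errors=remount-ro 0 1
UUID=2222 /srv   xfs  defaults,nobarrier 0 2
UUID=3333 /data  xfs  noatime,barrier,inode64 0 2
UUID=4444 /home  xfs  defaults 0 2
UUID=5555 /old   ext4 nobarrier 0 2
EOF
}

sample_fstab | find_xfs_barrier -
```

Any line it reports names an entry that will fail to mount until the option is removed.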

5.1.3. Changed security archive layout

For bullseye, the security suite is now named bullseye-security instead of buster/updates and users should adapt their APT source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

deb bullseye-security main contrib
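
To find entries that still use the old suite naming, the following added example (not part of the original release notes) parses one-line-style APT source entries, including the optional bracketed option block. The function name and the mirror.example URLs are constructed; it flags any suite ending in /updates, which covers buster/updates.

```shell
#!/bin/sh
# Added example: report deb/deb-src entries whose suite still uses the
# "<codename>/updates" layout that bullseye replaces with bullseye-security.

# find_old_security_suite FILE -> "line-number URI suite" per hit ("-" = stdin)
find_old_security_suite() {
    awk '
        $1 != "deb" && $1 != "deb-src" { next }   # also skips comments and blanks
        {
            i = 2
            if ($i ~ /^\[/) {                     # optional "[ opt=val ... ]" block,
                while (i <= NF && $i !~ /\]$/)    # which may contain spaces
                    i++
                i++
            }
            uri = $i
            suite = $(i + 1)
            if (suite ~ /\/updates$/)
                print FNR, uri, suite
        }
    ' "$1"
}

# Constructed sample source list (mirror.example is a placeholder host).
sample_sources() {
    cat <<'EOF'
# constructed sample, not a real mirror
deb http://mirror.example/debian bullseye main
deb http://mirror.example/debian-security buster/updates main contrib
deb-src [ arch=amd64 ] http://mirror.example/debian-security buster/updates main
deb [arch=amd64] http://mirror.example/debian-security bullseye-security main
# deb http://mirror.example/debian-security buster/updates main
EOF
}

sample_sources | find_old_security_suite -
```

Run it over /etc/apt/sources.list and each .list file under /etc/apt/sources.list.d; a system left on the old suite name stops receiving security updates after the upgrade.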

5.1.4. Password hashing uses yescrypt by default

The default password hash for local system accounts has been changed to yescrypt. This is expected to provide improved security against dictionary-based password guessing attacks, in terms of both the space and time complexity of the attack.

To take advantage of this improved security, change local passwords; for example use the passwd command.

Old passwords will continue to work using whatever password hash was used to create them.

Yescrypt is not supported by Debian 10 (buster). As a result, shadow password files (/etc/shadow) cannot be copied from a bullseye system back to a buster system. If these files are copied, passwords that have been changed on the bullseye system will not work on the buster system. Similarly, password hashes cannot be cut and pasted from a bullseye to a buster system.

If compatibility is required for password hashes between bullseye and buster, modify /etc/pam.d/common-password. Find the line that looks like:

        password [success=1 default=ignore] obscure yescrypt

and replace yescrypt with sha512.
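
The added example below (not part of the original release notes) classifies each account in a shadow-format file by its hash prefix. It serves both points above: which accounts have not yet been moved to yescrypt, and which hashes would not work if copied to buster. Function names and the sample entries are constructed; the salts and hashes are placeholders, not real values.

```shell
#!/bin/sh
# Added example: report which hash scheme each account in a shadow-format
# file uses, judged by the prefix of the hash field.

# classify_shadow FILE -> "user scheme" per account that has a hash ("-" = stdin)
classify_shadow() {
    awk -F: '
        {
            h = $2
            sub(/^!+/, "", h)                 # a locked password keeps its hash after "!"
            if (h == "" || h == "*") next     # no hash stored, nothing to rehash
            if      (h ~ /^\$y\$/)         s = "yescrypt"
            else if (h ~ /^\$gy\$/)        s = "gost-yescrypt"
            else if (h ~ /^\$6\$/)         s = "sha512crypt"
            else if (h ~ /^\$5\$/)         s = "sha256crypt"
            else if (h ~ /^\$2[abxy]?\$/)  s = "bcrypt"
            else if (h ~ /^\$1\$/)         s = "md5crypt"
            else                           s = "other"
            print $1, s
        }
    ' "$1"
}

# needs_rehash FILE -> accounts whose password is not yet hashed with yescrypt
needs_rehash() { classify_shadow "$1" | awk '$2 != "yescrypt" { print $1 }'; }

# buster_incompatible FILE -> accounts whose hash a buster system cannot verify
buster_incompatible() { classify_shadow "$1" | awk '$2 == "yescrypt" { print $1 }'; }

# Constructed sample entries (placeholder salts and hashes).
sample_shadow() {
    cat <<'EOF'
root:$y$j9T$constructedsalt$constructedhash:18900:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:18000:0:99999:7:::
svc:$1$constructedsalt$constructedhash:17000:0:99999:7:::
daemon:*:18000:0:99999:7:::
carol:!:18000:0:99999:7:::
EOF
}

sample_shadow | classify_shadow -
```

Reading /etc/shadow requires root; the output contains only account names and scheme labels, never the hashes themselves.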

5.1.5. NSS NIS and NIS+ support require new packages

NSS NIS and NIS+ support has been moved to separate packages called libnss-nis and libnss-nisplus. Unfortunately, glibc can't depend on those packages, so they are now only recommended.

On systems using NIS or NIS+, it is therefore recommended to check that those packages are correctly installed after the upgrade.

5.1.6. Config file fragment handling in unbound

The DNS resolver unbound has changed the way it handles configuration file fragments. If you are relying on an include: directive to merge several fragments into a valid configuration, you should read the NEWS file.

5.1.7. rsync parameter deprecation

The rsync parameters --copy-devices and --noatime have been renamed to --write-devices and --open-noatime. The old forms are no longer supported; if you are using them you should see the NEWS file. Transfer processes between systems running different Debian releases may require the buster side to be upgraded to a version of rsync from the backports repository.

5.1.8. Vim addons handling

The addons for vim historically provided by vim-scripts are now managed by Vim's native package functionality rather than by vim-addon-manager. Vim users should prepare before upgrading by following the instructions in the NEWS file.

5.1.9. OpenStack and cgroups v1

OpenStack Victoria (released in bullseye) requires cgroup v1 for block device QoS. Since bullseye also changes to using cgroup v2 by default (see Section 2.2.3, “Control groups v2”), the sysfs tree in /sys/fs/cgroup will not include cgroup v1 features such as /sys/fs/cgroup/blkio, and as a result cgcreate -g blkio:foo will fail. For OpenStack nodes running nova-compute or cinder-volume, it is strongly advised to add the parameters systemd.unified_cgroup_hierarchy=false and systemd.legacy_systemd_cgroup_controller=false to the kernel command line in order to override the default and restore the old cgroup hierarchy.

5.1.10. Noteworthy obsolete packages

The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).

The list of obsolete packages includes:

  • The lilo package has been removed from bullseye. The successor of lilo as boot loader is grub2.

  • The Mailman mailing list manager suite version 3 is the only available version of Mailman in this release. Mailman has been split up into various components; the core is available in the package mailman3 and the full suite can be obtained via the mailman3-full metapackage.

    The legacy Mailman version 2.1 is no longer available (this used to be the package mailman). This branch depends on Python 2 which is no longer available in Debian.

    For upgrading instructions, please see the project's migration documentation.

  • The Linux kernel no longer provides isdn4linux (i4l) support. Consequently, the related userland packages isdnutils, isdnactivecards, drdsl and ibod have been removed from the archives.

  • The deprecated libappindicator libraries are no longer provided. As a result, the related packages libappindicator1, libappindicator3-1 and libappindicator-dev are no longer available. This is expected to cause dependency errors for third-party software that still depends on libappindicator to provide system tray and indicator support.

    Debian is using libayatana-appindicator as the successor of libappindicator. For technical background see this announcement.

  • Debian no longer provides chef. If you use Chef for configuration management, the best upgrade path is probably to switch to using the packages provided by Chef Inc.

    For background on the removal, see the removal request.

5.1.11. Deprecated components for bullseye

With the next release of Debian 12 (codenamed bookworm) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 12.

This includes the following features:

  • Python 2 is already beyond its End Of Life, and will receive no security updates. It is not supported for running applications. However, Debian bullseye does still include a version of Python 2.7, as well as a small number of Python 2 build tools such as python-setuptools. These are present only because they are required for a few application build processes that have not yet been converted to Python 3.

  • The historical justifications for the filesystem layout with /bin, /sbin, and /lib directories separate from their equivalents under /usr no longer apply today; see the summary. Debian bullseye will be the last Debian release that supports the non-merged-usr layout; for systems with a legacy layout that have been upgraded without a reinstall, the usrmerge package exists to do the conversion if desired.

5.1.12. Things to do post upgrade before rebooting

When apt full-upgrade has finished, the formal upgrade is complete. For the upgrade to bullseye, there are no special actions needed before performing a reboot.

5.2. Limitations in security support

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.


The package debian-security-support helps to track the security support status of installed packages.

5.3. Package specific issues

In most cases, packages should upgrade smoothly between buster and bullseye. There are a small number of cases where some intervention may be required, either before or during the upgrade; these are detailed below on a per-package basis.

5.3.1. Accessing GNOME Settings app without mouse

Without a pointing device, there is no direct way to change settings in the GNOME Settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow to navigate the sidebar. It is not possible to select search results with the keyboard.