Chapter 2. What's new in Debian 10

Table of Contents

2.1. Supported architectures
2.2. What's new in the distribution?
2.2.1. CDs, DVDs, and BDs
2.2.2. AppArmor enabled per default
2.2.3. Substantial improved man pages for German speaking users
2.2.4. Network filtering based on nftables framework by default
2.2.5. Cryptsetup defaults to on-disk LUKS2 format

The Wiki has more information about this topic.

2.1. Supported architectures

The following are the officially supported architectures for Debian 10:

  • 32-bit PC (i386) and 64-bit PC (amd64)

  • 64-bit ARM (arm64)

  • ARM EABI (armel)

  • ARMv7 (EABI hard-float ABI, armhf)

  • MIPS (mips (big-endian) and mipsel (little-endian))

  • 64-bit little-endian MIPS (mips64el)

  • 64-bit little-endian PowerPC (ppc64el)

  • IBM System z (s390x)

You can read more about port status, and port-specific information for your architecture at the Debian port web pages.

2.2. What's new in the distribution?

 TODO: Make sure you update the numbers in the .ent file
     using the changes-release.pl script found under ../

This new release of Debian again comes with a lot more software than its predecessor stretch; the distribution includes over 15346 new packages, for a total of over 51687 packages. Most of the software in the distribution has been updated: over 29859 software packages (this is 57% of all packages in stretch). Also, a significant number of packages (over 6739, 13% of the packages in stretch) have for various reasons been removed from the distribution. You will not see any updates for these packages and they will be marked as "obsolete" in package management front-ends; see Section 4.8, “Obsolete packages”.

Debian again ships with several desktop applications and environments. Among others it now includes the desktop environments GNOME 3.22, KDE Plasma 5.8, LXDE, LXQt 0.11, MATE 1.16, and Xfce 4.12.

Productivity applications have also been upgraded, including the office suites:

  • LibreOffice is upgraded to version 6.1;

  • Calligra is upgraded to 3.1.

  • GNUcash is upgraded to 3.4;

With buster, Debian for the first time brings a mandatory access control framework enabled per default. New installations of Debian buster will have AppArmor installed and enabled per default. See below for more information.

Besides, buster is the first Debian release to ship with Rust based programs such as Firefox, ripgrep, fd, exa, etc and a significant number of Rust based libraries (more than 450). Buster ships with Rustc 1.32.

Updates of other desktop applications include the upgrade to Evolution 3.30.

Among many others, this release also includes the following software updates:

PackageVersion in 9 (stretch)Version in 10 (buster)
Apache2.4.252.4.38
BIND DNS Server9.109.11
Cryptsetup1.72.1
Dovecot MTA2.2.272.3.4
Emacs24.5 and 25.126.1
Exim default e-mail server4.894.92
GNU Compiler Collection as default compiler6.37.4 and 8.3
GIMP2.8.182.10.8
GnuPG2.12.2
Inkscape0.92.10.92.4
the GNU C library2.242.28
lighttpd1.4.451.4.53
Linux kernel image4.9 series4.19 series
LLVM/Clang toolchain3.76.0.1 and 7.0.1 (default)
MariaDB10.110.3
Nginx1.101.14
OpenJDK88 and 11
OpenSSH7.4p17.9p1
Perl5.245.28
PHP7.07.3
Postfix MTA3.1.83.3.2
PostgreSQL9.611
Python 33.5.33.7.2
Rustc 1.32
Samba4.54.9
Vim8.08.1
 TODO: (JFS) List other server software? RADIUS? Streaming ?

2.2.1. CDs, DVDs, and BDs

The official Debian distribution now ships on 12 to 14 binary DVDs (depending on the architecture) and 12 source DVDs. Additionally, there is a multi-arch DVD, with a subset of the release for the amd64 and i386 architectures, along with the source code. Debian is also released as Blu-ray (BD) and dual layer Blu-ray (DLBD) images for the amd64 and i386 architectures, and also for source code.

2.2.2. AppArmor enabled per default

Debian buster has AppArmor enabled per default. AppArmor is a mandatory access control framework that allows to restrict programs' capabilities like read, write and execute permissions on files or mount, ptrace and signal permissions by defining per-program profiles.

The default apparmor package ships with AppArmor profiles for several programs. More profiles can be found in the apparmor-profiles and apparmor-profiles-extra packages. The latter also ships experimental profiles that need to be enabled manually.

AppArmor is pulled in due to a Recommends by the buster Linux kernel package. On systems that are configured to not install Recommends per default, the apparmor package can be installed manually in order to enable AppArmor.

2.2.3. Substantial improved man pages for German speaking users

The documentation (man-pages) for several projects like systemd, util-linux and mutt have been substantially extended and added. Please install manpages-de to benefit from the improvements. During the lifetime of buster backports of further improvements / translations will be provided within the backports archive.

2.2.4. Network filtering based on nftables framework by default

Starting with iptables v1.8.2 the binary package includes iptables-nft and iptables-legacy, two variants of the iptables command line interface. The nftables-based variant is the default in buster and works with the nf_tables Linux kernel subsystem. The legacy one uses the x_tables Linux kernel subsystem. Users can use the update-alternatives system to select one variant or the other.

This applies to all related tools and utilities:

  • iptables

  • iptables-save

  • iptables-restore

  • ip6tables

  • ip6tables-save

  • ip6tables-restore

  • arptables

  • arptables-save

  • arptables-restore

  • ebtables

  • ebtables-save

  • ebtables-restore

All these gained the -nft and -legacy variants as well. The -nft option is for users that don't want -or can't- migrate to the native nftables command line interface. However users are really enouraged to switch to nftables interface rather than using the old iptables interface.

nftables provides a full replacement for iptables, with much better performance, a refreshed syntax, better support for IPv4/IPv6 dual-stack firewalls, full atomic operations for dynamic ruleset updates, a Netlink API for third party applications, faster packet classification through enhanced generic set and map infrastructures, and many other improvements.

This movement is in line with what other major Linux distributions are doing, like RedHat, that now uses nftables as default firewalling tool.

Also, please note that all iptables binaries are now installed in /usr/sbin instead of /sbin. A compatibility symlink is in place, but will be dropped after the buster release cycle. Please, don't use hardcoded binary paths in scripts or update them manually for the new location.

Extensive documentation is available in package's README and NEWS files and on the Debian Wiki.

2.2.5. Cryptsetup defaults to on-disk LUKS2 format

Debian buster ships with cryptsetup which brings the new on-disk LUKS2 format per default. New LUKS volumes will use the LUKS2 format per default.

Other than the previous LUKS1 format, LUKS2 provides redundancy of metadata, detection of metadata corruption and configurable PBKDF algorithms. Authenticated encryption is supported as well but still marked as experimental.

Existing LUKS1 volumes will not be updated automatically. They can be converted, but not all LUKS2 features will be available due to header size incompatibilities. See the cryptsetup manpage for more information.