Chapter 2. What's new in Debian 10

Table of Contents

2.1. Supported architectures
2.2. What's new in the distribution?
2.2.1. CDs, DVDs, and BDs
2.2.2. AppArmor enabled per default
2.2.3. Substantially improved man pages for German speaking users
2.2.4. Network filtering based on nftables framework by default
2.2.5. Cryptsetup defaults to on-disk LUKS2 format

The Wiki has more information about this topic.

2.1. Supported architectures

The following are the officially supported architectures for Debian 10:

  • 32-bit PC (i386) and 64-bit PC (amd64)

  • 64-bit ARM (arm64)

  • ARM EABI (armel)

  • ARMv7 (EABI hard-float ABI, armhf)

  • MIPS (mips (big-endian) and mipsel (little-endian))

  • 64-bit little-endian MIPS (mips64el)

  • 64-bit little-endian PowerPC (ppc64el)

  • IBM System z (s390x)

You can read more about port status, and port-specific information for your architecture at the Debian port web pages.

2.2. What's new in the distribution?

This new release of Debian again comes with a lot more software than its predecessor stretch; the distribution includes over 15346 new packages, for a total of over 51687 packages. Most of the software in the distribution has been updated: over 29859 software packages (this is 57% of all packages in stretch). Also, a significant number of packages (over 6739, 13% of the packages in stretch) have for various reasons been removed from the distribution. You will not see any updates for these packages and they will be marked as "obsolete" in package management front-ends; see Section 4.8, “Obsolete packages”.

Debian again ships with several desktop applications and environments. Among others it now includes the desktop environments GNOME 3.22, KDE Plasma 5.8, LXDE, LXQt 0.11, MATE 1.16, and Xfce 4.12.

Productivity applications have also been upgraded, including the office suites:

  • LibreOffice is upgraded to version 6.1;

  • Calligra is upgraded to 3.1;

  • GnuCash is upgraded to 3.4.

With buster, Debian for the first time brings a mandatory access control framework enabled per default. New installations of Debian buster will have AppArmor installed and enabled per default. See below for more information.

In addition, buster is the first Debian release to ship with Rust-based programs such as Firefox, ripgrep, fd, and exa, together with a significant number of Rust-based libraries (more than 450). Buster ships with Rustc 1.32.

Updates of other desktop applications include the upgrade to Evolution 3.30.

Among many others, this release also includes the following software updates:

Package                                      Version in 9 (stretch)  Version in 10 (buster)
-------------------------------------------  ----------------------  -----------------------------
BIND DNS Server                              9.10                    9.11
Dovecot MTA                                  2.
Emacs                                        24.5 and 25.1           26.1
Exim default e-mail server                   4.89                    4.92
GNU Compiler Collection as default compiler  6.3                     7.4 and 8.3
the GNU C library                            2.24                    2.28
Linux kernel image                           4.9 series              4.19 series
LLVM/Clang toolchain                         3.7                     6.0.1 and 7.0.1 (default)
OpenJDK                                      8                       8 and 11
Postfix MTA                                  3.
Rustc                                                                1.32

2.2.1. CDs, DVDs, and BDs

The official Debian distribution now ships on 12 to 14 binary DVDs (depending on the architecture) and 12 source DVDs. Additionally, there is a multi-arch DVD, with a subset of the release for the amd64 and i386 architectures, along with the source code. Debian is also released as Blu-ray (BD) and dual layer Blu-ray (DLBD) images for the amd64 and i386 architectures, and also for source code.

2.2.2. AppArmor enabled per default

Debian buster has AppArmor enabled per default. AppArmor is a mandatory access control framework for restricting programs' capabilities (such as mount, ptrace, and signal permissions, or file read, write, and execute access) by defining per-program profiles.

The default apparmor package ships with AppArmor profiles for several programs. Some other packages, such as evince, include profiles for the programs they ship. More profiles can be found in the apparmor-profiles-extra package.

AppArmor is pulled in due to a Recommends by the buster Linux kernel package. On systems that are configured to not install Recommends per default, the apparmor package can be installed manually in order to enable AppArmor.

2.2.3. Substantially improved man pages for German speaking users

The documentation (man-pages) for several projects like systemd, util-linux and mutt has been substantially extended. Please install manpages-de to benefit from the improvements. During the lifetime of buster further new/improved translations will be provided within the backports archive.

2.2.4. Network filtering based on nftables framework by default

Starting with iptables v1.8.2 the binary package includes iptables-nft and iptables-legacy, two variants of the iptables command line interface. The nftables-based variant, using the nf_tables Linux kernel subsystem, is the default in buster. The legacy variant uses the x_tables Linux kernel subsystem. The update-alternatives system can be used to select one variant or the other.

This applies to all related tools and utilities:

  • iptables

  • iptables-save

  • iptables-restore

  • ip6tables

  • ip6tables-save

  • ip6tables-restore

  • arptables

  • arptables-save

  • arptables-restore

  • ebtables

  • ebtables-save

  • ebtables-restore

All these have also gained -nft and -legacy variants. The -nft variant is for users who can't or don't want to migrate to the native nftables command line interface. However, users are strongly encouraged to switch to the nftables interface rather than using iptables.

nftables provides a full replacement for iptables, with much better performance, a refreshed syntax, better support for IPv4/IPv6 dual-stack firewalls, full atomic operations for dynamic ruleset updates, a Netlink API for third party applications, faster packet classification through enhanced generic set and map infrastructures, and many other improvements.

This change is in line with what other major Linux distributions are doing, such as Red Hat, which now uses nftables as its default firewalling tool.

Also, please note that all iptables binaries are now installed in /usr/sbin instead of /sbin. A compatibility symlink is in place, but will be dropped after the buster release cycle. Hardcoded paths to the binaries in scripts will need to be corrected and are worth avoiding.

Extensive documentation is available in the package's README and NEWS files and on the Debian Wiki.
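
The following script is an added example, not part of the release notes: it reports which variant each alternative points to and finds scripts that still hardcode the old /sbin location. The function names selected_variant and old_path_hits and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the release notes: audit which iptables variant a
# buster host uses and where scripts still call the old /sbin location.
# Function names are hypothetical.

# Read `update-alternatives --query NAME` output on stdin and print the
# variant the alternative currently points to: nft, legacy or unknown.
selected_variant() {
    awk '$1 == "Value:" { v = $2 }
         END {
             if (v ~ /-nft$/) print "nft"
             else if (v ~ /-legacy$/) print "legacy"
             else print "unknown"
         }'
}

# Print file:line:text for every line under DIR that hardcodes /sbin/ for one
# of the tools listed above. The new /usr/sbin/ location is not reported.
old_path_hits() {
    grep -rnE '(^|[^[:alnum:]_/.-])/sbin/(ip6?|arp|eb)tables(-save|-restore)?' "$1" \
        || [ "$?" -eq 1 ]    # grep exits 1 when nothing matched; not an error
}

# Usage: sh iptables-audit.sh /etc
# To pin one variant:  update-alternatives --set iptables /usr/sbin/iptables-legacy
if [ "$#" -ge 1 ]; then
    for name in iptables ip6tables arptables ebtables; do
        printf '%s: %s\n' "$name" \
            "$(update-alternatives --query "$name" 2>/dev/null | selected_variant)"
    done
    old_path_hits "$1"
fi
```

A ruleset loaded through one variant is not visible through the other, so a host that reports mixed variants across the four alternatives is worth reviewing.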

2.2.5. Cryptsetup defaults to on-disk LUKS2 format

The cryptsetup version shipped with Debian buster uses the new on-disk LUKS2 format. New LUKS volumes will use this format by default.

Unlike the previous LUKS1 format, LUKS2 provides redundancy of metadata, detection of metadata corruption, and configurable PBKDF algorithms. Authenticated encryption is supported as well, but still marked as experimental.

Existing LUKS1 volumes will not be updated automatically. They can be converted, but not all LUKS2 features will be available due to header size incompatibilities. See the cryptsetup manpage for more information.
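
Because existing volumes stay on LUKS1 until converted, the following added example (not part of the release notes) tells the two formats apart from the first bytes of the header. The function names luks_format and list_luks1, the script name and the device paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the release notes: classify a volume by the magic
# and version at the start of its LUKS header. Function names are hypothetical.

# Print luks1, luks2 or not-luks for a block device or image file.
# Both formats begin with the 6-byte magic "LUKS" 0xBA 0xBE followed by a
# 16-bit big-endian version number.
luks_format() {
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \t\n')
    case "$hdr" in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        *)                echo not-luks ;;
    esac
}

# Print every path given as an argument that is still in LUKS1 format.
list_luks1() {
    for dev in "$@"; do
        [ "$(luks_format "$dev")" = luks1 ] && echo "$dev"
    done
    return 0
}

# Usage: sh luks-audit.sh /dev/sda5 /dev/sdb1   (reading devices needs root)
# A closed LUKS1 volume found this way can be converted with
#   cryptsetup convert --type luks2 <device>
# after saving its header with cryptsetup luksHeaderBackup.
if [ "$#" -gt 0 ]; then
    list_luks1 "$@"
fi
```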