Chapter 2. What's new in Debian 10

Table of Contents

2.1. Supported architectures
2.2. What's new in the distribution
2.2.1. UEFI Secure Boot
2.2.2. AppArmor enabled per default
2.2.3. Optional hardening of APT
2.2.4. Unattended-upgrades for stable point releases
2.2.5. Substantially improved man pages for German speaking users
2.2.6. Network filtering based on nftables framework by default
2.2.7. Cryptsetup defaults to on-disk LUKS2 format
2.2.8. Driverless printing with CUPS 2.2.10
2.2.9. Basic support for Allwinner A64 based devices

The Wiki has more information about this topic.

2.1. Supported architectures

The following architectures are officially supported for Debian buster:

  • 32-bit PC (i386) and 64-bit PC (amd64)

  • 64-bit ARM (arm64)

  • ARM EABI (armel)

  • ARMv7 (EABI hard-float ABI, armhf)

  • MIPS (mips (big-endian) and mipsel (little-endian))

  • 64-bit little-endian MIPS (mips64el)

  • 64-bit little-endian PowerPC (ppc64el)

  • IBM System z (s390x)

You can read more about port status, and port-specific information for your architecture, on the Debian ports web pages.

2.2. What's new in the distribution


This new release of Debian again comes with a lot more software than its predecessor stretch; the distribution includes over 15346 new packages, for a total of over 51687 packages. Most of the software in the distribution has been updated: over 29859 software packages (57% of all packages in stretch). A significant number of packages (over 6739, 13% of the packages in stretch) have also been removed from the distribution for various reasons. You will not see any updates for these packages, and they will be marked as 'obsolete' in package management front-ends; see "Obsolete packages".

Debian again ships with several desktop applications and environments. Among others it now includes the desktop environments GNOME 3.22, KDE 5.8, Plasma 5.8, LXDE, LXQt 0.11, MATE 1.16, and Xfce 4.12.

Productivity applications have also been upgraded, including the office suites:

  • LibreOffice is upgraded to version 6.1;

  • Calligra is upgraded to 3.1;

  • GNUcash is upgraded to 3.4.

With buster, Debian for the first time ships a mandatory access control framework enabled by default. New installations of Debian buster will have AppArmor installed and enabled by default. See below for more information.

Buster is also the first Debian release to ship Rust-based programs such as Firefox, ripgrep, fd and exa, and a significant number of Rust-based libraries (more than 450). Buster ships with Rustc 1.32.

Updates of other desktop applications include the upgrade to Evolution 3.30.

Among many others, this release also includes the following software updates:

Package                                     Version in 9 (stretch)   Version in 10 (buster)
Apache                                      2.4.25                   2.4.38
BIND DNS server                             9.10                     9.11
Cryptsetup                                  1.7                      2.1
Dovecot MTA                                 2.2.27                   2.3.4
Emacs                                       24.5 and 25.1            26.1
Exim default e-mail server                  4.89                     4.92
GNU Compiler Collection (default compiler)  6.3                      7.4 and 8.3
GIMP                                        2.8.18                   2.10.8
GnuPG                                       2.1                      2.2
Inkscape                                    0.92.1                   0.92.4
GNU C library                               2.24                     2.28
lighttpd                                    1.4.45                   1.4.53
Linux kernel image                          4.9 series               4.19 series
LLVM/Clang toolchain                        3.7                      6.0.1 and 7.0.1 (default)
MariaDB                                     10.1                     10.3
Nginx                                       1.10                     1.14
OpenJDK                                     8                        8 and 11
OpenSSH                                     7.4p1                    7.9p1
Perl                                        5.24                     5.28
PHP                                         7.0                      7.3
Postfix MTA                                 3.1.8                    3.3.2
PostgreSQL                                  9.6                      11
Python 3                                    3.5.3                    3.7.2
Rustc                                       -                        1.32
Samba                                       4.5                      4.9
Vim                                         8.0                      8.1

2.2.1. UEFI Secure Boot

Secure Boot is a feature enabled on most PCs that prevents loading unsigned code, protecting against some kinds of bootkit and rootkit.

Debian can now be installed and run on most PCs with Secure Boot enabled.

It is possible to enable Secure Boot on a system that has an existing Debian installation, if it already boots using UEFI. Before doing this, it's necessary to install shim-signed, grub-efi-amd64-signed or grub-efi-ia32-signed, and a Linux kernel package from buster.

Some features of GRUB and Linux are restricted in Secure Boot mode, to prevent modifications to their code.

More information can be found on the Debian wiki at SecureBoot.
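The two preconditions named above (the system already boots via UEFI, and the firmware's current Secure Boot state) can be checked read-only before installing anything. The following script is an added example and is not part of the release notes or of Debian's own tooling; the efivarfs path and variable layout (4 attribute bytes followed by 1 data byte) are from the UEFI specification, the function names are this example's own, and the package list covers only the amd64/i386 packages the section names (the kernel package is left to the reader).

```shell
#!/bin/sh
# Added example, not part of the Debian release notes. Read-only checks before
# enabling Secure Boot on an existing installation: UEFI boot and firmware state.
# The efivarfs path and layout (4 attribute bytes, then 1 data byte) come from
# the UEFI specification; function names and the output format are this example's.

EFIVAR_SECUREBOOT=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# boots_via_uefi [DIR]: 0 when the firmware interface directory exists, i.e. the
# running system was booted through UEFI rather than legacy BIOS.
boots_via_uefi() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# secure_boot_state [FILE]: print "enabled", "disabled" or "unknown".
# Returns 0 for enabled, 1 for disabled, 2 when the variable cannot be read.
secure_boot_state() {
    f="${1:-$EFIVAR_SECUREBOOT}"
    if [ ! -r "$f" ]; then
        echo unknown
        return 2
    fi
    # Skip the 4 attribute bytes and read the single data byte as a decimal.
    byte=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$byte" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 2 ;;
    esac
}

# signed_boot_packages ARCH: the signed shim/GRUB packages the section says must
# be installed first, selected by Debian architecture name (amd64 or i386).
signed_boot_packages() {
    case "$1" in
        amd64) echo "shim-signed grub-efi-amd64-signed" ;;
        i386)  echo "shim-signed grub-efi-ia32-signed" ;;
        *)     echo "no signed boot packages listed for architecture $1" >&2; return 1 ;;
    esac
}

# Stand-alone run: report on this machine; nothing is installed or changed.
if boots_via_uefi; then
    printf 'UEFI boot: yes, Secure Boot currently %s\n' "$(secure_boot_state || true)"
    arch=$(dpkg --print-architecture 2>/dev/null || uname -m)
    printf 'Packages to install before enabling: %s\n' \
        "$(signed_boot_packages "$arch" 2>/dev/null || echo '?')"
else
    echo "UEFI boot: no (legacy BIOS boot); Secure Boot cannot be enabled for this install"
fi
```

When the report says "disabled", the packages printed plus a buster kernel are what needs to be in place before flipping the firmware setting; the restrictions GRUB and Linux apply in Secure Boot mode (mentioned above) take effect only once the state reads "enabled".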

2.2.2. AppArmor enabled per default

Debian buster has AppArmor enabled by default. AppArmor is a mandatory access control framework for restricting programs' capabilities (such as mount, ptrace, and signal permissions, or file read, write, and execute access) by defining per-program profiles.

The default apparmor package ships with AppArmor profiles for several programs. Some other packages, such as evince, include profiles for the programs they ship. More profiles can be found in the apparmor-profiles-extra package.

AppArmor is pulled in due to a Recommends by the buster Linux kernel package. On systems that are configured not to install Recommends by default, the apparmor package can be installed manually in order to enable AppArmor.
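"Enabled" and "enforcing" are different things: a profile loaded in complain mode only logs violations. The following audit helper is an added example (not part of the release notes or of the apparmor package); it reads the kernel's list of loaded profiles, one "name (mode)" line each as exposed under securityfs, and summarises the modes. The securityfs path and line format are those of the AppArmor kernel interface; the function names and the sample lines in the test are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes or of the apparmor package.
# Summarise which loaded AppArmor profiles actually enforce. Assumes the securityfs
# "profiles" file format of one "name (mode)" line per profile.

APPARMOR_PROFILES=/sys/kernel/security/apparmor/profiles

# apparmor_enabled [FILE]: 0 when the loaded-profiles list is readable, i.e. the
# kernel has AppArmor active and the interface is mounted.
apparmor_enabled() {
    [ -r "${1:-$APPARMOR_PROFILES}" ]
}

# profile_mode_count MODE [FILE]: number of loaded profiles in MODE
# ("enforce" or "complain"); 0 when the list is not readable.
profile_mode_count() {
    mode="$1"; f="${2:-$APPARMOR_PROFILES}"
    [ -r "$f" ] || { echo 0; return 0; }
    # grep -c prints 0 and exits 1 on no match; the count is still what we want.
    grep -c " (${mode})\$" "$f" || true
}

# complain_profiles [FILE]: names of profiles that would only log a violation
# instead of blocking it, one per line.
complain_profiles() {
    f="${1:-$APPARMOR_PROFILES}"
    [ -r "$f" ] || return 0
    sed -n 's/ (complain)$//p' "$f"
}

# Stand-alone run against the live system (read-only).
if apparmor_enabled; then
    printf 'AppArmor: enabled, %s profiles enforcing, %s in complain mode\n' \
        "$(profile_mode_count enforce)" "$(profile_mode_count complain)"
    complain_profiles
else
    echo "AppArmor: not enabled (install the apparmor package, see above)"
fi
```

Any name printed by complain_profiles is a profile whose restrictions are not yet applied; a non-empty list is worth a look after installing apparmor-profiles-extra, which ships some profiles in complain mode.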

2.2.3. Optional hardening of APT

All methods provided by APT (e.g. http and https), except for cdrom, gpgv, and rsh, can make use of seccomp-BPF sandboxing as supplied by the Linux kernel to restrict the list of allowed system calls, trapping all others with a SIGSYS signal. This sandboxing is currently opt-in and needs to be enabled with:

      APT::Sandbox::Seccomp is a boolean to turn it on/off

Two options can be used to configure this further:

      APT::Sandbox::Seccomp::Trap is a list of names of more syscalls to trap
      APT::Sandbox::Seccomp::Allow is a list of names of more syscalls to allow

2.2.4. Unattended-upgrades for stable point releases

Previous versions of unattended-upgrades defaulted to installing only upgrades that came from the security suite. In buster it now also automates upgrading to the latest stable point release. For details, see the package's NEWS.Debian file.

2.2.5. Substantially improved man pages for German speaking users

The documentation (man-pages) for several projects like systemd, util-linux and mutt has been substantially extended. Please install manpages-de to benefit from the improvements. During the lifetime of buster further new/improved translations will be provided within the backports archive.

2.2.6. Network filtering based on nftables framework by default

Starting with iptables v1.8.2 the binary package includes iptables-nft and iptables-legacy, two variants of the iptables command line interface. The nftables-based variant, using the nf_tables Linux kernel subsystem, is the default in buster. The legacy variant uses the x_tables Linux kernel subsystem. The update-alternatives system can be used to select one variant or the other.

This applies to all related tools and utilities:

  • iptables

  • iptables-save

  • iptables-restore

  • ip6tables

  • ip6tables-save

  • ip6tables-restore

  • arptables

  • arptables-save

  • arptables-restore

  • ebtables

  • ebtables-save

  • ebtables-restore

All these have also gained -nft and -legacy variants. The -nft option is for users who can't or don't want to migrate to the native nftables command line interface. However, users are strongly encouraged to switch to the nftables interface rather than using iptables.

nftables provides a full replacement for iptables, with much better performance, a refreshed syntax, better support for IPv4/IPv6 dual-stack firewalls, full atomic operations for dynamic ruleset updates, a Netlink API for third party applications, faster packet classification through enhanced generic set and map infrastructures, and many other improvements.

This change is in line with what other major Linux distributions are doing, such as Red Hat, which now uses nftables as its default firewalling tool.

Also, please note that all iptables binaries are now installed in /usr/sbin instead of /sbin. A compatibility symlink is in place, but will be dropped after the buster release cycle. Hardcoded paths to the binaries in scripts will need to be corrected and are worth avoiding.

Extensive documentation is available in the package's README and NEWS files and on the Debian Wiki.
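Three practical points follow from this section: knowing which iptables variant the alternatives system currently selects, finding scripts that still hard-code the old /sbin paths before the compatibility symlink goes away, and what a native nftables ruleset looks like once one stops using the iptables compatibility layer. The script below is an added example and is not part of the release notes or of the iptables/nftables projects; it parses the "Value:" line that `update-alternatives --query` prints, greps for the twelve tool names listed above under /sbin, and emits a small dual-stack ruleset in the `inet` family. The function names, the sample script and the ports in the ruleset are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes or of iptables/nftables.
# Helpers for the buster iptables/nftables transition described above.

# iptables_variant [QUERY_OUTPUT_FILE]: print "nft" or "legacy", derived from the
# "Value:" line of "update-alternatives --query iptables" (read from FILE when
# given, so the parser can be exercised without the alternatives system).
iptables_variant() {
    if [ -n "$1" ]; then
        value=$(sed -n 's/^Value: //p' "$1")
    else
        value=$(update-alternatives --query iptables 2>/dev/null | sed -n 's/^Value: //p')
    fi
    case "$value" in
        *-nft)    echo nft ;;
        *-legacy) echo legacy ;;
        *)        echo unknown; return 1 ;;
    esac
}

# hardcoded_sbin_paths FILE...: report lines (with line numbers) that invoke any
# of the tools above through the old /sbin/ location; "/usr/sbin/..." is not
# reported. The symlink is temporary, so such lines should use the bare name.
hardcoded_sbin_paths() {
    grep -nE '(^|[^[:alnum:]/])/sbin/(ip|ip6|arp|eb)tables' "$@" || true
}

# inet_ruleset: emit one nftables ruleset that covers IPv4 and IPv6 together,
# replacing a typical iptables + ip6tables pair. Port numbers are example values.
inet_ruleset() {
cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ct state invalid drop
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport { 22, 443 } accept
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Stand-alone run: syntax-check the ruleset without loading it (nft -c) when nft
# is installed, and report the currently selected iptables variant.
if command -v nft >/dev/null 2>&1; then
    inet_ruleset | nft -c -f - && echo "ruleset parses" || echo "nft -c reported an error"
fi
echo "iptables variant: $(iptables_variant || true)"
```

To inspect an existing iptables ruleset from the nftables side, `nft list ruleset` shows what iptables-nft has installed in the kernel's nf_tables tables; the ruleset above is loaded with `nft -f`, and because the whole file is applied atomically there is no window with a half-applied policy.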

2.2.7. Cryptsetup defaults to on-disk LUKS2 format

The cryptsetup version shipped with Debian buster uses the new on-disk LUKS2 format. New LUKS volumes will use this format by default.

Unlike the previous LUKS1 format, LUKS2 provides redundancy of metadata, detection of metadata corruption, and configurable PBKDF algorithms. Authenticated encryption is supported as well, but still marked as experimental.

Existing LUKS1 volumes will not be updated automatically. They can be converted, but not all LUKS2 features will be available due to header size incompatibilities. See the cryptsetup manpage for more information.
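Since existing volumes keep their LUKS1 header, an upgraded system may end up with a mix of both formats. The following inventory check is an added example (not part of the release notes or of cryptsetup): it reads the version field straight from the on-disk header, so it needs only read access to the device. Both formats begin with the 6-byte magic "LUKS" 0xba 0xbe followed by a 2-byte big-endian version number (1 or 2); that layout is the LUKS header format, while the function names and the sample headers in the test are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes or of cryptsetup.
# Report the LUKS header version of devices without invoking cryptsetup.
# Assumes the LUKS header layout: magic "LUKS" 0xba 0xbe, then version (2 bytes, BE).

# luks_version DEVICE_OR_FILE: print 1 or 2. Prints "none" and returns 1 when
# the start of the file is not a LUKS primary header.
luks_version() {
    f="$1"
    [ -r "$f" ] || { echo none; return 1; }
    # First four bytes of the magic, read as text.
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null)
    # Bytes 4..7: the two remaining magic bytes (186 190) and the version.
    set -- $(od -An -t u1 -j 4 -N 4 "$f")
    if [ "$magic" != LUKS ] || [ $# -ne 4 ] || [ "$1" != 186 ] || [ "$2" != 190 ]; then
        echo none
        return 1
    fi
    echo $(( $3 * 256 + $4 ))
}

# luks1_volumes DEVICE...: print the devices that still carry a LUKS1 header.
luks1_volumes() {
    for dev in "$@"; do
        [ "$(luks_version "$dev")" = 1 ] && echo "$dev"
    done
    return 0
}

# Stand-alone run: report every volume listed in /etc/crypttab (second field;
# UUID= entries are resolved through /dev/disk/by-uuid). Reading a device needs root.
if [ -r /etc/crypttab ]; then
    awk '!/^#/ && NF >= 2 { print $2 }' /etc/crypttab | while read -r dev; do
        case "$dev" in UUID=*) dev="/dev/disk/by-uuid/${dev#UUID=}" ;; esac
        printf '%s: LUKS header version %s\n' "$dev" "$(luks_version "$dev" || true)"
    done
fi
```

`cryptsetup luksDump DEVICE` shows the same version field. Conversion is a deliberate, manual step, as the section says; before converting any volume listed by luks1_volumes, keep a copy of its header (`cryptsetup luksHeaderBackup`), since the header is the only place the key material lives.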

2.2.8. Driverless printing with CUPS 2.2.10

Debian 10 provides CUPS 2.2.10 and cups-filters 1.21.6. Together these give a user everything that is needed to take advantage of driverless printing. The principal requirement is that a network print queue or printer offers an AirPrint service. A modern IPP printer is highly likely to be AirPrint-capable; a Debian CUPS print queue is always AirPrint-enabled.

In essence, the DNS-SD (Bonjour) broadcasts from a CUPS server advertising a queue, or those from IPP printers, are capable of being displayed in the print dialogs of applications without any action being required on the part of a user. An additional benefit is that the use of non-free vendor printing drivers and plugins can be dispensed with.

A default installation of the cups package also installs the package cups-browsed; print queues and IPP printers will now be automatically set up and managed by this utility. This is the recommended way for a user to experience seamless and trouble-free driverless printing.

2.2.9. Basic support for Allwinner A64 based devices

Thanks to the efforts of the linux-sunxi community, Debian buster will have basic support for many devices based on the Allwinner A64 SoC. This includes FriendlyARM NanoPi A64; Olimex A64-OLinuXino and TERES-A64; PINE64 PINE A64/A64+/A64-LTS, SOPINE, and Pinebook; SINOVOIP Banana Pi BPI-M64; and Xunlong Orange Pi Win(Plus).

The essential features of these devices (e.g. serial console, ethernet, USB ports and basic video output) should work with the kernel from buster. More advanced features (e.g. audio and accelerated video) are included or scheduled to be included in later kernels, which will be made available as usual through the backports archive. See also the status page for the mainlining effort.