5. Issues to be aware of for trixie

Changes introduced in a new release unavoidably have side effects, and sometimes they expose bugs somewhere else. This section documents the issues we are aware of at this time. Please also read the errata, the documentation of the relevant packages, bug reports, and the other information mentioned in Further reading.

5.1. Upgrade-specific items for trixie

This section covers items related to the upgrade from bookworm to trixie.

5.1.1. Reduced support for i386

From trixie, i386 is no longer supported as a regular architecture: there is no official kernel and no Debian installer for i386 systems. Fewer packages are available for i386 because many projects no longer support it. The architecture's sole remaining purpose is to support running legacy code, for example, by way of multiarch or a chroot.

Users running i386 systems should not upgrade to trixie. Instead, Debian recommends either reinstalling them as amd64, where possible, or retiring the hardware. Cross-grading without a reinstall is a technically possible, but risky, alternative.

5.1.2. openssh-server no longer reads ~/.pam_environment

The Secure Shell (SSH) daemon provided in the openssh-server package, which allows logins from remote systems, no longer reads the user's ~/.pam_environment file by default; this feature has a history of security problems and has been deprecated in current versions of the Pluggable Authentication Modules (PAM) library. If you used this feature, you should switch from setting variables in ~/.pam_environment to setting them in your shell initialization files (e.g. ~/.bash_profile or ~/.bashrc) or some other similar mechanism instead.

Existing SSH connections will not be affected, but new connections may behave differently after the upgrade. If you are upgrading remotely, it is normally a good idea to ensure that you have some other way to log into the system before starting the upgrade; see Prepare for recovery.

5.1.3. OpenSSH no longer supports DSA keys

Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell (SSH) protocol, are inherently weak: they are limited to 160-bit private keys and the SHA-1 digest. The SSH implementation provided by the openssh-client and openssh-server packages has disabled support for DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9 ("stretch"), although it could still be enabled using the HostKeyAlgorithms and PubkeyAcceptedAlgorithms configuration options for host and user keys respectively.

The only remaining uses of DSA at this point should be connecting to some very old devices. For all other purposes, the other key types supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.

As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the above configuration options. If you have a device that you can only connect to using DSA, then you can use the ssh1 command provided by the openssh-client-ssh1 package to do so.

In the unlikely event that you are still using DSA keys to connect to a Debian server (if you are unsure, you can check by adding the -v option to the ssh command line you use to connect to that server and looking for the "Server accepts key:" line), then you must generate replacement keys before upgrading. For example, to generate a new Ed25519 key and enable logins to a server using it, run this on the client, replacing username@server with the appropriate user and host names:

$ ssh-keygen -t ed25519
$ ssh-copy-id username@server
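As an added example (not part of the release notes), the following POSIX shell functions audit authorized_keys and known_hosts files offline for DSA entries (key type ssh-dss, including its certificate form) so they can be replaced before the upgrade; the file names, function names and the sample key files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Debian release notes: find DSA entries in
# OpenSSH key files before upgrading to trixie, where OpenSSH 9.8p1 no
# longer accepts them at all.
# authorized_keys lines: [options] keytype base64 [comment]
# known_hosts lines:     hostnames keytype base64 [comment]
# so the key type is a whole field, but not necessarily the first one.

# Print "file:line: text" for each line whose key type is DSA (plain or
# certificate form); comments and blank lines are skipped.
list_dsa_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") {
                    print FILENAME ":" FNR ": " $0
                    break
                }
        }' "$@"
}

# Print how many DSA entries the given files contain (0 when none).
count_dsa_keys() {
    list_dsa_keys "$@" | wc -l | tr -d ' '
}

# Write constructed sample files (fake, truncated key material) into a
# temporary directory and print its path.
make_sample_files() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE alice@laptop
from="192.0.2.0/24",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE legacy@device
# ssh-dss in a comment does not count
EOF
    cat > "$dir/known_hosts" <<'EOF'
[203.0.113.10]:22 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE
old-switch.example.net ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE
EOF
    printf '%s\n' "$dir"
}

# Direct use:  sh audit-dsa.sh ~/.ssh/authorized_keys ~/.ssh/known_hosts
if [ $# -gt 0 ]; then
    list_dsa_keys "$@"
    echo "DSA entries found: $(count_dsa_keys "$@")"
fi
```

Run it against the server's authorized_keys files as well as each client's known_hosts; any hit is a key pair or host key that must be replaced before the upgrade, not after.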

5.1.4. The last, lastb and lastlog commands have been replaced

The util-linux package no longer provides the last or lastb commands, and the login package no longer provides lastlog. These commands provided information about previous login attempts using /var/log/wtmp, /var/run/utmp and /var/log/lastlog, but these files will not be usable after 2038 because they do not allocate enough space to store the login time (the Year 2038 Problem), and the upstream developers do not want to change the file formats. Most users will not need to replace these commands with anything, but the util-linux package provides a lslogins command which can tell you when accounts were last used.

There are two direct replacements available: last can be replaced by wtmpdb from the wtmpdb package (the libpam-wtmpdb package also needs to be installed) and lastlog can be replaced by lastlog2 from the lastlog2 package (libpam-lastlog2 also needs to be installed). If you want to use these, you will need to install the new packages after the upgrade, see the util-linux NEWS.Debian for further information. The command lslogins --failed provides similar information to lastb.

If you do not install wtmpdb then we recommend you remove old log files /var/log/wtmp*. If you do install wtmpdb it will upgrade /var/log/wtmp and you can read older wtmp files with wtmpdb import -f <dest>. There is no tool to read /var/log/lastlog* files: they can be deleted after the upgrade.

5.1.5. RabbitMQ no longer supports HA queues

High-availability (HA) queues are no longer supported by rabbitmq-server starting in trixie. To continue with an HA setup, these queues need to be switched to "quorum queues".

If you have an OpenStack deployment, please switch the queues to quorum before upgrading. Please also note that beginning with OpenStack's "Caracal" release in trixie, OpenStack supports only quorum queues.

5.1.6. RabbitMQ cannot be directly upgraded from bookworm

There is no direct, easy upgrade path for RabbitMQ from bookworm to trixie. Details about this issue can be found in bug 1100165.

The recommended upgrade path is to completely wipe the rabbitmq database and restart the service (after the trixie upgrade). This may be done by deleting /var/lib/rabbitmq/mnesia and all of its contents.

5.1.7. Ping no longer runs with elevated privileges

The default version of ping (provided by iputils-ping) is no longer installed with access to the CAP_NET_RAW Linux capability, but instead uses ICMP_PROTO datagram sockets for network communication. Access to these sockets is controlled based on the user's Unix group membership using the net.ipv4.ping_group_range sysctl. In normal installations, the linux-sysctl-defaults package will set this value to a broadly permissive value, allowing unprivileged users to use ping as expected, but some upgrade scenarios may not automatically install this package. See /usr/lib/sysctl.d/50-default.conf and the kernel documentation for more information on the semantics of this variable.
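Added example (not from the release notes): a POSIX shell check of whether a group id falls inside net.ipv4.ping_group_range, using the kernel's convention that the value is an inclusive "low high" pair and that a low end greater than the high end (such as the kernel's built-in default "1 0") allows no group at all; the function names are assumed, and current_user_may_ping applies the check to the live system.

```shell
#!/bin/sh
# Added example, not from the Debian release notes: verify that unprivileged
# ping can work now that ping no longer holds CAP_NET_RAW and relies on the
# net.ipv4.ping_group_range sysctl instead.
# The sysctl holds "low high" (inclusive gids). A range with low > high, such
# as the kernel's own default "1 0", allows no group; linux-sysctl-defaults
# sets a broad range so ordinary users qualify.

# Succeed (exit 0) when gid lies inside the given "low high" range string.
ping_group_allowed() {
    gid=$2
    set -- $1                    # split "low high" on whitespace (tab or space)
    low=$1; high=$2
    [ "$low" -le "$high" ] && [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# Succeed when at least one of the listed gids is allowed by the range.
any_group_allowed() {
    range=$1; shift
    for g in "$@"; do
        ping_group_allowed "$range" "$g" && return 0
    done
    return 1
}

# Live check against this system: 0 if ping should work for the current user,
# 1 if the range excludes all of the user's groups, 2 if the sysctl cannot be
# read (not Linux, or no sysctl command available).
current_user_may_ping() {
    range=$(sysctl -n net.ipv4.ping_group_range 2>/dev/null) || return 2
    any_group_allowed "$range" $(id -G)
}

# Direct use:  sh check-ping.sh --live
if [ "${1:-}" = "--live" ]; then
    current_user_may_ping; rc=$?
    case $rc in
        0) echo "unprivileged ping: allowed" ;;
        1) echo "unprivileged ping: NOT allowed; check net.ipv4.ping_group_range" ;;
        *) echo "cannot read net.ipv4.ping_group_range" ;;
    esac
fi
```

If the live check reports "NOT allowed" after an upgrade, confirm whether linux-sysctl-defaults was installed rather than granting ping a capability again.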

5.1.8. Significant changes to libvirt packaging

The libvirt-daemon package, which provides an API and toolkit for managing virtualization platforms, has been overhauled in trixie. Each driver and storage backend now comes in a separate binary package, which enables much greater flexibility.

Care is taken during upgrades from bookworm to retain the existing set of components, but in some cases functionality might end up being temporarily lost. We recommend that you carefully review the list of installed binary packages after upgrading to ensure that all the expected ones are present; this is also a great time to consider uninstalling unwanted components.

In addition, some conffiles might end up marked as "obsolete" after the upgrade. The /usr/share/doc/libvirt-common/NEWS.Debian.gz file contains additional information on how to verify whether your system is affected by this issue and how to address it.

5.2. Things to do after the upgrade and before rebooting

When apt full-upgrade has finished, the "formal" upgrade is complete. For the upgrade to trixie, there are no special actions required before performing a reboot.

5.2.1. Items that could affect you after the upgrade

5.2.2. Limitations in security support

There are some packages for which Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

Note

The debian-security-support package helps to check the security support status of installed packages.

5.2.2.1. Security status of web browsers and their rendering engines

Debian 13 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and the limited upstream support in the form of long-term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Applications using the webkit2gtk source package (e.g. epiphany) are covered by security support, but applications using qtwebkit (source package qtwebkit-opensource-src) are not covered.

For general web browser use we recommend Firefox or Chromium. They will be kept up to date by rebuilding the current ESR releases for stable. The same strategy is applied to Thunderbird.

Once a release becomes oldstable, officially supported browsers may not continue to receive updates for the standard period of coverage. For example, Chromium only receives 6 months of security support in oldstable rather than the usual 12 months.

5.2.2.2. Go- and Rust-based packages

The Debian infrastructure currently has problems with rebuilding packages that use static linking. With the growth of the Go and Rust ecosystems, these packages will be covered by limited security support until the infrastructure is improved and can be maintained properly.

In most cases, updates to Go or Rust development libraries will only be provided via regular point releases.

5.3. Obsolescence and deprecation

5.3.1. Noteworthy obsolete packages

The following is a list of well-known and noteworthy obsolete packages (see Obsolete packages for a description).

The list of obsolete packages includes:

  • The libnss-gw-name package has been removed from trixie. The upstream developer suggests using libnss-myhostname instead.

  • The pcregrep package has been removed from trixie. It can be replaced with grep -P (--perl-regexp) or pcre2grep (from pcre2-utils).

5.3.2. Deprecated components for trixie

With the next release of Debian 14 (codenamed forky) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 14.

This includes the following features:

  • The sudo-ldap package will be removed in forky. The Debian sudo team has decided to discontinue it due to maintenance difficulties and limited use. New and existing systems should use libsss-sudo instead.

    Upgrading Debian trixie to forky without completing this migration may result in the loss of intended privilege escalation.

    For further details, please refer to bug 1033728 and to the NEWS file in the sudo package.

  • The sudo_logsrvd feature, used for sudo input/output logging, may be removed in Debian forky unless a maintainer steps forward. This component is of limited use within the Debian context, and maintaining it adds unnecessary complexity to the basic sudo package.

    For ongoing discussions, see bug 1101451 and the NEWS file in the sudo package.

  • The libnss-docker package is no longer developed upstream and requires version 1.21 of the Docker API. That deprecated API version is still supported by Docker Engine v26 (shipped by Debian trixie) but will be removed in Docker Engine v27+ (shipped by Debian forky). Unless upstream development resumes, the package will be removed in Debian forky.

  • The openssh-client and openssh-server packages currently support GSS-API authentication and key exchange, which is usually used to authenticate to Kerberos services. This has caused some problems, especially on the server side where it adds new pre-authentication attack surface, and Debian's main OpenSSH packages will therefore stop supporting it starting with forky.

    If you are using GSS-API authentication or key exchange (look for options starting with GSSAPI in your OpenSSH configuration files) then you should install the openssh-client-gssapi (on clients) or openssh-server-gssapi (on servers) package now. On trixie, these are empty packages depending on openssh-client and openssh-server respectively; on forky, they will be built separately.

  • sbuild-debian-developer-setup has been deprecated in favor of sbuild+unshare

    sbuild, the tool to build Debian packages in a minimal environment, has had a major upgrade and should work out of the box now. As a result the package sbuild-debian-developer-setup is no longer needed and has been deprecated. You can try the new version with:

    $ sbuild --chroot-mode=unshare --dist=unstable hello
    
  • The fcitx packages have been deprecated in favor of fcitx5

    The fcitx input method framework, also known as fcitx4 or fcitx 4.x, is no longer maintained upstream. As a result, all related input method packages are now deprecated. The package fcitx and packages with names beginning with fcitx- will be removed in Debian forky.

    Existing fcitx users are encouraged to switch to fcitx5 following the fcitx upstream migration guide and Debian Wiki page.
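For the GSS-API item above, the following POSIX shell functions are an added example (not the release notes' own code) that list the GSSAPI* options actually enabled in OpenSSH configuration files, honouring comments, the "Keyword=value" spelling and case-insensitive keywords, so you can judge whether openssh-server-gssapi or openssh-client-gssapi is needed before forky; the function names and the sample configuration files are constructed.

```shell
#!/bin/sh
# Added example, not from the Debian release notes: find GSSAPI* options that
# are actually enabled in OpenSSH configuration files, since only those need
# the openssh-server-gssapi / openssh-client-gssapi packages before forky.
# OpenSSH keywords are case-insensitive and may be written "Keyword value"
# or "Keyword=value"; commented-out lines and options set to "no" are ignored.

# Print "file:line: text" for each enabled GSSAPI option in the given files.
enabled_gssapi_options() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comment or blank line
        {
            line = tolower($0)
            sub(/^[ \t]*/, "", line)
            if (line ~ /^gssapi[a-z]*([ \t]+|[ \t]*=[ \t]*)yes([ \t]|$)/)
                print FILENAME ":" FNR ": " $0
        }' "$@"
}

# Print the number of enabled GSSAPI options across the given files.
count_enabled_gssapi_options() {
    enabled_gssapi_options "$@" | wc -l | tr -d ' '
}

# Constructed sample sshd_config and ssh_config; prints the directory path.
make_sample_configs() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sshd_config" <<'EOF'
Port 22
#GSSAPIKeyExchange yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
Match User backup
    gssapiauthentication=yes
EOF
    cat > "$dir/ssh_config" <<'EOF'
Host *.corp.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
    printf '%s\n' "$dir"
}

# Direct use:  sh audit-gssapi.sh /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
if [ $# -gt 0 ]; then
    enabled_gssapi_options "$@"
    echo "enabled GSSAPI options: $(count_enabled_gssapi_options "$@")"
fi
```

Include the drop-in directories (sshd_config.d, ssh_config.d) and users' ~/.ssh/config files in the arguments, since an option enabled there counts just as much as one in the main file.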

5.4. Known severe bugs

Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing trixie can be found in the Debian Bug Tracking System. The following bugs were affecting trixie at the time of the release and are worth mentioning in this document:

Bug number   Package (source or binary)   Description
1032240      akonadi-backend-mysql        akonadi server fails to start since it cannot connect to mysql database
1032177      faketime                     faketime doesn't work (on i386)
918984       src:fuse3                    provide upgrade path fuse -> fuse3 for bookworm
1016903      g++-12                       tree-vectorize: wrong code generated at O2 level (-fno-tree-vectorize is working)
1034752      src:gluegen2                 contains non-free headers