/Debian 10: Playing catch-up with the rest of the Linux world (that’s a good thing)

Debian 10: Playing catch-up with the rest of the Linux world (that’s a good thing)


Buster is a good boy, but is he a good Linux distro release?
Enlarge
/ Buster is a good boy, but is he a good Linux distro release?

Pixar / Disney

The Debian project, the upstream mother of countless Linux distributions, has released Debian 10, also known as “Buster.” And yes, that’s a reference to the character from Toy Story. All Debian releases are named after Toy Story characters.

Over the years, Debian has built a well-deserved reputation as a rock-solid distro for those who don’t want the latest and greatest and instead prefer the stability that comes from sticking with what works. Naturally, Debian gets security updates, bug fixes, and maintenance releases like any distro, but don’t expect major updates to applications or desktop environments with this Linux flavor.

Right now, as with every release, Debian is pretty close to up to date with what the rest of the Linux world is doing. But Buster will be supported for five years, and Debian 11 won’t arrive for at least two years (Buster comes just 26 months after Debian 9, though it has been five years since the big tweaks of Debian 8). So as time goes on, Buster will look increasingly outdated.

But wait, isn’t Ubuntu based on Debian? That’s not out of date, right? Ubuntu pulls its Debian base from what Debian calls the Testing Channel. Debian Linux consists of three major development branches: Stable, Testing, and Unstable. Work on new versions progresses through each, starting life in Unstable and eventually ending up in Stable. Ubuntu plucks its base from the middle, in Testing. But from Debian’s point of view, that’s only about half-baked. (Like I said, Debian is conservative.)

All that said, I have never had Debian break on me in decades of using it. I am still running several Debian 8 servers, and they continue to chug along with very little input from me. They’re set to automatically update to pull in security and bug fixes, and they continue to just work.

In a desktop, though, that kind of stability can be a mixed bag for users. Sure, your system is unlikely to break, but you’re also unlikely to get the latest version of applications, which means you may find yourself waiting on new features in GIMP or Darktable long after every other distro has rolled them out.

I used to hope that Flatpaks—an application packaging method that separates an app from the underlying system—would mitigate this somewhat, allowing Debian fans to run stable systems but still get the latest versions of key applications. In practice, I have not been able to make this work for me to date. But after spending some testing time with Debian 10 recently, I may give that another try. Debian 10 could be that rare Goldilocks release with just the right amount of stability and bleeding-edge.

What’s new?

Debian is always a tough distro to get excited about because, while there’s a ton of new things in this release, most of these updates long ago arrived in nearly every other distro. Debian releases look like the distro is playing catch-up with the rest of the Linux world. And in some ways, that’s exactly what’s happening.

This time around, though, it feels like there’s more to the new Debian release than that. Most of the major updates in Debian 10 involve security in one way or another, making Buster feel a bit like “Debian, hardened.”

A good example is one of the headlining features of Debian 10, support for Secure Boot. Debian 10 can now, in most cases, install without a hitch on UEFI-enabled laptops. Lack of Secure Boot support has long been a stumbling block for anyone wanting to use Debian with all the features of modern machines. But now that that’s out of the way, Debian feels like a much more viable choice for larger institutions with existing security policies.

That’s also true of the move to enable AppArmor by default. AppArmor is a framework for managing application access; you create policies that restrict which apps can access which documents. This is particularly strong on servers where it can be used, for example, to make sure that a flaw in a PHP file can’t be used to access anything outside of a Web root. While Debian has long supported AppArmor and offered it in the repos, Buster is the first release to ship with it enabled by default.

The third security-related update in this release is the ability to sandbox the Apt package manager. This one is a bit complicated and not enabled by default, but instructions to enable it can be found in the Debian release documents. Once you turn this option on, you can restrict the list of allowed system calls and send anything not allowed to SIGSYS.

For most, those three updates alone make Debian 10 worth the update, especially if deployed on a server where frequent attacks make something like AppArmor a must-have.

There are some other changes that will affect server users, though, and not necessarily in a good way. The move from iptables to nftables for managing your firewall comes to mind first. While nftables is in many respects better than iptables—the syntax for creating rules is simpler, it’s faster, and it offers live tracing—it is still different. That change will require sysadmins to adjust their workflow and possibly re-write any scripts they have.

The other change that strikes me as potentially problematic is the move to automatic upgrades to point releases when you enable Debian’s unattended-upgrades package. In the past, unattended-upgrades defaulted to installing only upgrades that came from the security suite. With Buster, that’s expanded to include upgrading to the latest stable point release.

Now part of the stability of Debian comes from infrequent changes, but the other part of this distro’s stability comes from its very extensive testing process. Debian releases sometimes spend longer in a frozen state (just testing package updates) than Ubuntu spends on an entire release. That means stable point releases are unlikely to produce problems. Still, if you used unattended-upgrades to keep your systems up to date with security fixes in the past, be aware that you’ll need to tweak your configuration if you want the same behavior going forward. See the file NEWS.Debian in unattended-upgrades for more details.

Another notable change in this release is support for driverless printing via any AirPrint-enabled printer (most printers made within the last few years are AirPrint ready). This feature comes courtesy of the upgrade to CUPS 2.2.10.

For one final note, Buster has finally accomplished the merging of /usr, which Debian has been working on for a long time. That means that on a fresh install of Buster, the directories /bin, /sbin, and /lib are now aliased to /usr/bin, /usr/sbin, and /usr/lib, respectively.