Debian 10 with Secure Boot and Apparmor

Since Saturday, July 6th, the tenth stable version of the popular Debian Linux distribution, called "Buster", is available; The eponymous Toy Story was Andy's Christmas present this time.

In addition to the expected software update, Debian 10 brings some technical improvements: The kernel firewall uses the new nftables technology. Nevertheless, firewall users should not rethink: well-known administrative tools continue to work. You can delete iptables commands and they are converted to new technology. Even with the upgrade, the rules preserved with the help of iptables-persist. In the long run, users need to be familiar with the new nft command for nftables, as it facilitates the simultaneous management of IPv4 and IPv6 protocols.

AppArmor now more readily available

AppArmor security technology is now enabled by default. This means that users do not have to worry about the boot configuration first. However, the current AppArmor profile viewers as well as additional profiles must be added manually. Debian 10 initially loads only five profiles. Therefore, it is not immediately shielded with AppArmor, but you must call the security technology itself on the plan. Whoever has worried about the arrogance of such techniques will be delighted.

New modes of installation

As the last major release, Debian can finally be installed on PCs that have UEFI Secure Boot enabled. ISO images read on a USB flash drive when protection is active and configure the operating system. A Microsoft-signed mini-bootloader helps Shim, who then loads the kernel and kernel that signed the Debian project. As long as Secure Boot is enabled, the kernel does not load any post-compiled modules. to change this, you need to disable security technology in the BIOS setup or tips.

For the installation, Debian always uses its own installer, which exists in graphical and plain text version; both are experiencing a dark fashion now. For the live media of Debian, the developers rely on an alternative for installation from the live system: they have built with the installer framework Calamares a simplified installation interface that asks much less questions than the program official installation and is therefore safe for beginners. is easier.

display

Raspberry Pioneer

The operating system of Raspberry Pi called Raspbian is usually based on Debian. There is only one stable version and no extra branches to test or unstable. As a result, Raspi manufacturers generally take their time and publish a new Raspbian several months after a stable release of Debian. With Debian 10, you have been faster. Raspbian on this basis has already come to the Raspberry Pi 4 market on 20.6. out. In this respect, many innovations also affect the Raspi world. The software for Docker contained in Raspbian did not work differently than Buster initially. Until corrected, you can help yourself with Debian Arm packages.

Buster creates the order

Like many other distributions, Debian cleans system directories. Thus, the files of / lib, / sbin and / bin go into the subdirectories of / usr. The links to the original guarantee that the reconstruction measures do not cause any serious incompatibilities: the scripts are running, that they start with #! / Bin / bash or #! / Usr / bin / bash. In practice, such a simplified hierarchy also applies, for example, when the container techniques want to include the read binary files and obtain the desired result with / usr.

Packet management can optionally be enhanced. APT then uses kernel sandboxing to reduce allowed system calls. In addition, Debian is interested in the update strategy: so far, the unattended update package has only implemented security updates. In the future, it will also update published packages in one-time versions, software that appears with Debian 10.1, 10.2, and so on.

Proven and updated software

As a database for standard requirements, Debian stays with MariaDB, which has inherited MySQL in Stretch and has not generated enthusiasm everywhere. German-speaking users can access extended manual pages. they should continue to grow via backports during the support period. For encrypted volumes, Debian now uses the LUKS2 format, which initially requires an unencrypted partition for / boot due to Grub incompatibilities.

Debian 10 inherently configures Gnome as a graphical interface, which no longer works by default with X11 but in Wayland mode. A new theme ensures a refreshed look. Thanks to the new composer, some programs claiming higher rights do not run in the graphical environment without further manipulation, like the Synaptic package manager. If you do not want to use alternatives running in the terminal window, you can start the user interface via the X11 mode connection manager.

Some fairly common packages have not arrived in Debian 10: The phpmyadmin database tool is missing because there was no active maintainer for the package on time. The minimal mail editor ssmtp had to stay because of certificate issues. Users of pbadword manager disclosure should search for a new program. For some other packages, Debian recommends the first changes, while retaining the old version, such as for Icinga 1, Python 2, Mailman 2.1; newer versions are also included.

The Docker container software is included in version 18.09.1, which is quite close to the current development.

If you go from Debian 9 to 10, just wait for a few surprises. PostgreSQL, however, wants to regenerate its indexes. If the system has already been upgraded from version 8, the names of the network cards will finally be changed: the developers have removed the rules that left names such as eth0 or wlan0 unchanged. When updating such devices, obtain a persistent name such as enp0s1 or wlp2s5 – depending on the bus on which they are suspended and the slot in which they are blocked.

Conclusion: not brave, but rock solid

As before, Debian has a lot of basic features for which developers provide security updates. Browser engines, such as webkit and khtml, are exceptions. Developers recommend Firefox and Chromium for visiting unreliable web pages. They also receive security updates by regularly rebuilding their ESR versions. Compared to its predecessor, Debian 10 completes more than 15,000 new packages and totals more than 50,000.

Debian GNU / Linux Manual 10

As always, Debian 10 is not a pyrotechnic fire, but a conservative update of what is now considered a solid cast. As a result, we look in vain for a little comfort, such as mint offers. There, a standard installation with flatpack includes another software installation technique allowing a non-restrictive installation of Visual Studio code. But ultimately, it is not the target group of Debian. And if you want to be more modern, you can still use the Debian test branch for productive work – the risk is manageable.

(Ps)

Linux distribution family
maker	Debian Project, www.debian.org
Period of support	Security updates up to one year after the release of the next release (exception: LTS two for at least five years)
price	free

Downloads, additional notes: ct.de/yn8v

literature

[1] Thorsten Leemhuis, Schleichende Ablöse, Nftables: The new firewall technology for Linux is finally launched, ct 1/2019, p. 148

[2] Thorsten Leemhuis, Face Control, Secure Boot and Linux, ct 5/2013, page 170