Debian 10 "Buster" release

After two years of development, Debian GNU/Linux 10.0 (Buster) has been released for ten officially supported architectures: Intel IA-32/x86 (i686), AMD64/x86-64, ARM EABI (armel), 64-bit ARM (arm64), ARMv7 (armhf), MIPS (mips, mipsel, mips64el), PowerPC 64 (ppc64el) and IBM System z (s390x). Updates for Debian 10 will be released for 5 years.

The repository contains 57703 binary packages, which is about 6 more than what was offered in Debian 9. Compared to Debian 9, 13370 new binary packages have been added, 7278 (13%) obsolete or abandoned packages have been removed, and 35532 (62%) packages have been updated. Reproducible builds are supported for 91.5% of packages, which makes it possible to confirm that an executable was built exactly from the declared source code and contains no extraneous changes, such as could be introduced by attacking the build infrastructure or by backdoors in the compiler.

DVD images are available for download over HTTP, jigdo or BitTorrent. An unofficial non-free installation image that includes proprietary firmware has also been produced. For the amd64 and i386 architectures, Live USB images are available in GNOME, KDE and Xfce flavors, as well as a multi-architecture DVD that combines packages for the amd64 platform with additional packages for the i386 architecture. Support has been added for network-bootable (netboot) images for SD cards and for an image that fits on a 16 GB USB flash drive.

Key changes in Debian 10.0:

  • Implemented support for UEFI Secure Boot, which uses the Shim bootloader, digitally signed by Microsoft (shim-signed), in combination with the kernel and the GRUB bootloader (grub-efi-amd64-signed) being signed with the project's own certificate (shim acts as a layer that lets the distribution use its own keys). The shim-signed and grub-efi-ARCH-signed packages are included as build dependencies for amd64, i386 and arm64. The shim bootloader and GRUB, signed with the production certificate, are included in the EFI images for amd64, i386 and arm64. Recall that Secure Boot support was originally expected in Debian 9, but it did not stabilize in time for that release and was postponed to the next major release of the distribution;
  • Support for the AppArmor mandatory access control system is enabled by default. AppArmor controls the permissions of processes by defining, for each application, lists of files with the corresponding rights (read, write, map into memory and execute, lock, etc.), and also controls network access (for example, disallowing the use of ICMP) and POSIX capabilities. The main difference between AppArmor and SELinux is that SELinux operates on labels attached to objects, whereas AppArmor determines permissions from the file path, which greatly simplifies configuration. The main AppArmor package provides protection profiles for only some applications; for the rest, use the apparmor-profiles-extra package or the profiles shipped in application-specific packages;
  • iptables, ip6tables, arptables and ebtables have been replaced by the nftables packet filter, which is now the default and is notable for unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. nftables provides only a generic, protocol-independent interface at the kernel level, with basic primitives for extracting data from packets, operating on that data and controlling flow. The filtering logic itself and the protocol-specific handlers are compiled into bytecode in user space, after which the bytecode is loaded into the kernel via the Netlink interface and executed in a special virtual machine reminiscent of BPF (Berkeley Packet Filter);

    By default, the iptables-nft package is installed, which offers a set of iptables-compatible utilities with the same command-line syntax that translate the resulting rules into nf_tables bytecode run in the virtual machine. The iptables-legacy package, containing the old implementation based on x_tables, is available as an optional install. The iptables executables are now installed in /usr/sbin instead of /sbin (symlinks are created for compatibility);

  • APT gains a sandbox isolation mode, enabled through the APT::Sandbox::Seccomp option, which filters system calls using seccomp-BPF. The whitelist and blacklist of system calls can be fine-tuned with the APT::Sandbox::Seccomp::Trap and APT::Sandbox::Seccomp::Allow lists;
  • Linux kernel updated to version 4.19;
  • The GNOME desktop has moved to Wayland by default, with an X server-based session offered as an option (the X server is still included in the base distribution). Updated graphics stack and desktop environments: GNOME 3.30, KDE Plasma 5.14, Cinnamon 3.8, LXDE 0.99.2, LXQt 0.14, MATE 1.20 and Xfce 4.12. The LibreOffice office suite has been updated to release 6.1 and Calligra to release 3.1. Also updated: Evolution 3.30, GIMP 2.10.8, Inkscape 0.92.4, Vim 8.1;
  • The distribution includes a compiler for the Rust language (Rustc 1.34 is supplied). Updated: GCC 8.3, LLVM/Clang 7.0.1, OpenJDK 11, Perl 5.28, PHP 7.3, Python 3.7.2;
  • Updated server applications, including Apache httpd 2.4.38, BIND 9.11, Dovecot 2.3.4, Exim 4.92, Postfix 3.3.2, MariaDB 10.3, nginx 1.14, PostgreSQL 11, Samba 4.9 (SMBv3 support is provided in the kernel);
  • cryptsetup has switched to the LUKS2 disk encryption format (LUKS1 was used previously). LUKS2 is distinguished by a simplified key management system, the ability to use large sectors (4096 bytes instead of 512, which reduces the decryption load), symbolic partition identifiers (labels) and metadata backup tools that can automatically restore the metadata from a copy if it is damaged. During the upgrade process, existing LUKS1 partitions will automatically be converted to a LUKS2-compatible format, but due to header size limitations, not all new features will be available to them;
  • The installer can now use multiple consoles simultaneously during installation. Support for ReiserFS has been removed. Added support for ZSTD (libzstd) compression for Btrfs. Added support for NVMe devices;
  • In debootstrap, the "--merged-usr" option is now enabled by default: all executables and libraries from the root directories are moved to the /usr partition (the /bin, /sbin and /lib* directories become symbolic links to the corresponding directories inside /usr). The change applies only to new installations; the upgrade process retains the old directory layout;
  • In the unattended-upgrades package, in addition to automatically installing updates that fix vulnerabilities, upgrading to point releases (Debian 10.1, 10.2, etc.) is now also enabled by default;
  • Print system components updated to CUPS 2.2.10 and cups-filters 1.21.6 with full support for AirPrint, DNS-SD (Bonjour) and IPP Everywhere for printing without first installing drivers;
  • Added support for boards based on Allwinner A64 processors, such as FriendlyARM NanoPi A64, Olimex A64-OLinuXino, TERES-A64, PINE64 PINE A64/A64+/A64-LTS, SOPINE, Pinebook, SINOVOIP Banana Pi BPI-M64 and Xunlong Orange Pi Win (Plus);
  • The number of med-* metapackages maintained by the Debian Med team has been extended to allow installation of program selections related to biology and medicine;
  • Support for Xen guests in PVH mode has been added;
  • Support for the TLS 1.0 and 1.1 protocols is disabled in OpenSSL; TLS 1.2 is declared the minimum supported version;
  • Removed many obsolete and unmaintained packages, including Qt 4 (leaving only Qt 5), phpmyadmin, ipsec-tools, racoon, ssmtp, ecryptfs-utils, mcelog, revelation. Debian 11 will drop support for Python 2;
  • A port has been created for the 64-bit RISC-V architecture, which is not officially supported in Debian 10. Currently, about 90% of all packages build successfully for RISC-V;
  • Live environments now use the independently developed modular installer Calamares with a Qt-based interface, which is also used to install the Manjaro, Sabayon, Chakra, NetRunner, KaOS, OpenMandriva and KDE neon distributions. Regular installation images continue to use debian-installer.

    In addition to those previously available, a Live environment with the LXQt desktop has been produced, along with a Live environment without a graphical interface that contains only the console utilities making up the base system. The console Live environment can be used to install the distribution very quickly, since, unlike traditional installation images, a ready-made directory tree is copied instead of unpacking individual packages with dpkg.
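The UEFI Secure Boot item above describes the signed shim and GRUB chain, but not how to verify on a running system that firmware enforcement is actually on and that the signed packages are present. The following shell script is an added example, not Debian's own tooling: it reads the SecureBoot EFI variable (the first four bytes of an efivarfs file are the variable attributes, the fifth is the value) and queries dpkg for shim-signed and the architecture's grub-efi-*-signed package. The efivars directory is a parameter so the parser can be exercised on a constructed copy.

```shell
#!/bin/sh
# Added example (not Debian's own code): report Secure Boot enforcement and
# whether the signed boot-chain packages named in the release notes are installed.

# The SecureBoot variable lives under the EFI global-variable GUID; the file
# holds 4 bytes of attributes followed by a 1-byte value (1 = enforced, 0 = off).
secure_boot_state() {
    efivars="${1:-/sys/firmware/efi/efivars}"
    var="$efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    if [ ! -f "$var" ]; then
        echo "unsupported"   # BIOS/CSM boot, or efivarfs not mounted
        return 0
    fi
    # Skip the 4 attribute bytes, read 1 byte as an unsigned decimal
    value=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case "$value" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Check that shim-signed and grub-efi-<arch>-signed are installed (Debian only).
signed_boot_packages() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg not available"; return 0; }
    arch=$(dpkg --print-architecture)
    for pkg in shim-signed "grub-efi-${arch}-signed"; do
        if dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null | grep -q 'install ok installed'; then
            echo "$pkg: installed"
        else
            echo "$pkg: not installed"
        fi
    done
}

# Usage on a live system:
#   secure_boot_state          -> enabled | disabled | unsupported
#   signed_boot_packages       -> one line per package
```

A host that reports "enabled" with both packages installed boots through shim's Microsoft-signed first stage into Debian-signed GRUB and kernel; "disabled" means the firmware will load unsigned binaries regardless of which packages are present.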
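The AppArmor item above lists the three kinds of control a profile expresses (path-based file rights, network access, POSIX capabilities) without showing the syntax. The script below is an added example and not a profile Debian ships: it writes a minimal profile for a hypothetical daemon at /usr/local/bin/reportd (the binary, its paths and its needs are assumptions chosen for illustration) and offers a syntax check through apparmor_parser that parses without loading into the kernel.

```shell
#!/bin/sh
# Added example (not a Debian-shipped profile): a path-keyed AppArmor profile
# for a hypothetical /usr/local/bin/reportd service, plus a parse-only check.

write_reportd_profile() {
    out="$1"   # e.g. /etc/apparmor.d/usr.local.bin.reportd
    cat > "$out" <<'EOF'
#include <tunables/global>

# The profile is keyed on the executable path, not on a label.
/usr/local/bin/reportd {
  #include <abstractions/base>

  # File rights: r read, w write, m map executable, k lock, ix execute under this profile
  /etc/reportd/**          r,
  /var/lib/reportd/**      rwk,
  /var/log/reportd.log     w,
  /usr/lib/reportd/*.so    mr,
  /usr/bin/gzip            ix,

  # Network: TCP and UDP over IPv4 only; raw sockets (used for ICMP) are denied
  network inet stream,
  network inet dgram,
  deny network inet raw,

  # POSIX capabilities: bind a low port, nothing else
  capability net_bind_service,
  deny capability sys_admin,
}
EOF
}

# Parse the profile without loading it (-Q) and without touching the cache (-K).
check_profile() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -Q -K "$1"
    else
        echo "apparmor_parser not installed; skipping syntax check" >&2
        return 0
    fi
}

# Usage as root on Debian 10:
#   write_reportd_profile /etc/apparmor.d/usr.local.bin.reportd
#   check_profile /etc/apparmor.d/usr.local.bin.reportd
#   apparmor_parser -r /etc/apparmor.d/usr.local.bin.reportd   # load/replace
#   aa-status                                                  # confirm it is enforced
```

Denied accesses show up in the kernel log as "apparmor=\"DENIED\"" audit lines, which is the first place to look when a confined service misbehaves after a profile is loaded.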
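The nftables item and its follow-up paragraph describe the unified IPv4/IPv6 interface and the iptables-nft compatibility layer. As an added example, not part of the article or of the nftables project, the script below emits a small default-deny host firewall in native nft syntax (a single "inet" table covers both address families, which with iptables needed parallel iptables and ip6tables rules), validates it without applying, and reports which iptables backend the system is using. The SSH port is an assumed parameter.

```shell
#!/bin/sh
# Added example (not from the article): native nft ruleset for a host,
# syntax check, and iptables backend detection on Debian 10.

SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH listens on 22 unless overridden

# Emit the ruleset. One inet table handles IPv4 and IPv6 together.
host_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP and ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport ${SSH_PORT} ct state new accept
        counter comment "dropped-input"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse-only check (-c): validates the file without changing the live ruleset.
# nft still needs root to talk to the kernel for this.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
    tmp=$(mktemp)
    host_ruleset > "$tmp"
    if nft -c -f "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Debian 10's default iptables prints "(nf_tables)"; the x_tables build prints "(legacy)".
iptables_backend() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 0; }
    iptables -V | sed -n 's/.*(\(.*\)).*/\1/p'
}

# Usage as root:
#   check_ruleset && host_ruleset | nft -f -     # validate, then apply
#   host_ruleset > /etc/nftables.conf            # persist for the nftables.service unit
#   iptables_backend                             # nf_tables or legacy
#   update-alternatives --set iptables /usr/sbin/iptables-legacy   # switch back if needed
```

Rules written with the compatibility iptables show up in "nft list ruleset" as a separate "ip filter" / "ip6 filter" table; mixing them with a native inet table works but makes the effective policy harder to read, so pick one style per host.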
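The APT item above names the APT::Sandbox::Seccomp option and its Trap and Allow lists but not the apt.conf syntax. The script below is an added example, not from the article or from the apt project: it writes a drop-in that turns the seccomp-BPF filter on for the transport methods and shows where additional syscalls go when a method is killed by the filter. Debian 10 ships with the sandbox switched off, so this is opt-in; the drop-in path and the syscall names are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): enable APT's seccomp sandbox via a
# drop-in file and show how the Allow / Trap lists are written.

write_apt_seccomp_conf() {
    out="$1"   # normally /etc/apt/apt.conf.d/99sandbox-seccomp
    cat > "$out" <<'EOF'
// Filter the system calls made by the apt transport methods (http, https, ...)
APT::Sandbox::Seccomp "true";

// Extra syscalls to permit. Add one only when a method aborts with a seccomp
// failure that names it. "sysinfo" here is a constructed example.
APT::Sandbox::Seccomp::Allow { "sysinfo"; };

// Syscalls to trap (abort the method) even if apt's built-in list allows them:
// APT::Sandbox::Seccomp::Trap { "ptrace"; };
EOF
}

# Show the merged value as apt sees it across all apt.conf.d files.
apt_seccomp_status() {
    command -v apt-config >/dev/null 2>&1 || { echo "apt-config not available"; return 0; }
    apt-config dump APT::Sandbox::Seccomp
}

# Usage as root on Debian 10:
#   write_apt_seccomp_conf /etc/apt/apt.conf.d/99sandbox-seccomp
#   apt_seccomp_status
#   apt update     # if a method dies with SIGSYS, add the named syscall to Allow
```

A method killed by the filter dies with SIGSYS, so test the drop-in against every transport in use (including proxies and third-party methods) before rolling it out.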
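The cryptsetup item above says the format has moved to LUKS2 and that converted LUKS1 headers do not get every new feature. What a practitioner wants before touching an existing volume is a way to see which format it has, a header backup, and a guarded conversion. The script below is an added example and not part of cryptsetup or the article: it parses the "Version:" line of "cryptsetup luksDump" (the parser reads stdin so it can be tested on constructed output), and converts in place only after saving the LUKS1 header to an assumed backup directory.

```shell
#!/bin/sh
# Added example (not from the article): detect LUKS version and convert
# LUKS1 -> LUKS2 with a header backup first.

# Read `cryptsetup luksDump` output on stdin and print the "Version:" value.
luks_version_from_dump() {
    awk '/^Version:/ { print $2; exit }'
}

luks_version() {
    cryptsetup luksDump "$1" | luks_version_from_dump
}

# Convert a LUKS1 device in place. cryptsetup itself refuses if the device is
# open, and asks for confirmation. Caveat: Debian 10's GRUB can only unlock
# LUKS1, so do not convert a volume that GRUB has to open for /boot.
luks_convert_to_luks2() {
    dev="$1"
    backup_dir="${2:-/root/luks-headers}"   # assumption: where header copies are kept
    ver=$(luks_version "$dev")
    if [ "$ver" = "2" ]; then
        echo "$dev is already LUKS2" >&2
        return 0
    fi
    if [ "$ver" != "1" ]; then
        echo "$dev is not a LUKS1 device (version '$ver')" >&2
        return 1
    fi
    mkdir -p "$backup_dir"
    name=$(basename "$dev")
    # Keep the LUKS1 header so the change can be undone with luksHeaderRestore
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup_dir/$name.luks1.img"
    cryptsetup convert --type luks2 "$dev"
    # Report the resulting version; LUKS2 also keeps a second metadata copy on disk
    cryptsetup luksDump "$dev" | luks_version_from_dump
}

# Usage as root:
#   luks_version /dev/sda3
#   luks_convert_to_luks2 /dev/sda3 /root/luks-headers
```

Keep the header backup off the encrypted device itself and treat it as key material: anyone holding it plus a passphrase can unlock the volume even after that passphrase is removed from the live header.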

Source: opennet.ru
