
Debian 9 Stretch released - OberstKrueger
https://www.debian.org/News/2017/20170617
======
lamby
Chris Lamb here, Debian Project Leader for 2017. Would love to get your
feedback on the parallel "Ask HN" thread here:

[https://news.ycombinator.com/item?id=14579080](https://news.ycombinator.com/item?id=14579080)

~~~
agumonkey
I don't use debian anymore, was my first linux distro, I align more with arch
but I'm very happy to see you walking steadily.

Happy distrofathersday

~~~
lamby
> I align more with arch

Could you briefly outline why? :)

~~~
agumonkey
These are not perfectly sensical reasons:

- old arch single config file, with '@' syntax for parallelism got me hooked;
sure it's different in systemd days

- early problem free systemd adoption

- simplified, close to upstream distribution (don't want to dig for src, dev,
docs etc)

- their wiki is the one that speaks the most to my mind, I try to be gentle
and objective, but every time, I find solutions in a short amount of time, and
even more ideas. They hit a very very sweet spot to me. (gentoo was like that
before the data loss)

- no installer, might seem stupid but it's a bit easier to reason with it; I
don't have to learn an install framework, it's very bare and unixy.

- very thin tooling from arch, debian does a lot, but it's too heavy for my
mind. Things might have changed since I last lived in debian but I run a few
debian live isos and derivatives and it always feels like "too much",
administrative (as the debian documentation)

- rolling by default, debian has testing but it feels riskier

- AUR felt simpler (again) than custom apt repos

Also I might add that I distanced myself from the OS quest (or if I could I'd
run a lisp or smalltalk fork or something similar). I'd be happy to hear your
suggestions about my points if you have time for that.

~~~
vacri
> _their wiki is the one that speaks the most to my mind_

I'm a debian user, and I love the arch wiki. The debian wiki is often stale
and/or incomplete, and usually you're told to go to the mailing lists (which
are an awkward way to get info). The arch wiki is great at being clear and
concise and I find arch's mediawiki to be more easily legible than debian's
bare html.

~~~
agumonkey
Not only debian, but all distros so far.

------
RJIb8RBYxzAMX9u
Don't forget to verify the install medium, which is a little more involved
with Debian.

If you're already running a trusted Debian system, then install the
debian-keyring package. Packages are signed and verified, so those keys don't
need further verification.

Otherwise, fetch the keys in [0] with gpg:

    $ gpg --keyserver keyring.debian.org --recv-keys <...> # e.g. 0x6294BE9B

Then, verify the key's fingerprint with [0]:

    $ gpg --fingerprint

Unless you don't trust your CA, this is good enough.

Finally download the checksum and their signature files, and verify their
signatures:

    $ gpg --verify <...> # e.g. SHA512SUMS.sign
    $ gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify <...> # if using debian-keyring package

[0] [https://www.debian.org/CD/verify](https://www.debian.org/CD/verify)

~~~
tlikonen
With files SHA512SUMS and SHA512SUMS.sign in the current directory the
verifying can be as simple as

    gpg --auto-key-retrieve SHA512SUMS.sign

The key is retrieved from user's default keyring or keyservers. The usual
keyserver pool (pool.sks-keyservers.net) has the Debian CD signing key. How we
can trust that the key is the right one is another matter. It is signed by
many Debian developers.

~~~
RJIb8RBYxzAMX9u
Right, if you're already in the WOT then there are better ways, but then
you're probably familiar enough with GPG that you don't need any help. :-)

Most distributions have signed checksum files, but _also_ post those checksums
in a HTTPS location. I, and I suspect most people, just check against that and
call it good. AFAIK Debian don't have that, and between using GPG or thinking
"F* it, I'll take my chances", I suspect many would choose the latter. I was
trying to give people who are security conscious but not paranoid^W^Wlazy an
option.
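
The full chain discussed in the comments above, as an added example that is not part of any commenter's post: check the signature on SHA512SUMS first, then check the image against the now-trusted list. The function names, the argument order and the reliance on `sha512sum` are assumptions of this example; the keyring path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify a Debian image in two steps.
# Usage: sh verify.sh SHA512SUMS SHA512SUMS.sign debian.iso [keyring]

# Keyring path quoted in the thread (shipped by the debian-keyring package).
DEFAULT_KEYRING=/usr/share/keyrings/debian-role-keys.gpg

# Step 1: the detached signature must cover the checksum file and come from
# a key in the given keyring only; the user's default keyring is ignored.
verify_sums_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Step 2: compare the image's SHA-512 with its entry in the checksum file.
# Returns 0 on match, 1 on mismatch, 2 when the list has no entry for the
# image (a missing entry must never count as success).
verify_image_checksum() {
    sums=$1
    image=$2
    name=$(basename "$image")
    # Lines look like "<hex digest>  <file name>"; a leading "*" on the
    # name marks binary mode. Assumes file names without spaces.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha512sum "$image" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Order matters: the hashes are only worth comparing once the list itself
# carries a good signature.
verify_debian_image() {
    keyring=${4:-$DEFAULT_KEYRING}
    verify_sums_signature "$1" "$2" "$keyring" || {
        echo "bad or missing signature on $1" >&2
        return 1
    }
    verify_image_checksum "$1" "$3" || {
        echo "checksum check failed for $3" >&2
        return 1
    }
    echo "OK: $3 matches signed $1"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 3 ]; then
    verify_debian_image "$@"
fi
```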

------
wichert
As a former Debian Project Leader from many years ago: congratulations on
another fine release!

~~~
lamby
Hey Wichert, nice to see you pop up here!

------
TekMol
I have been running a little "Single Server LAMP Lifestyle Business" for 15
years now and it has been happily crunching away on rock solid Debian all the
time :) All in all I spend a few hours per week on it and it pays all my
bills. Thank you, Debian team!

From what I read [1] Debian 8 will be supported until April 2020 and Debian 9
until June 2022.

So in 2020 I will have to decide to either switch to Debian 9 or to Debian 10
which probably will be out by then. Is that correct? My feeling is that it
might make things easier for me to skip Debian 9 and go directly with Debian
10.

I did the same with 7. My server used Debian 6 until I switched to Debian 8.

[1]: [https://wiki.debian.org/LTS](https://wiki.debian.org/LTS)

~~~
voltagex_
I have to wonder - if it runs your business, have you ever donated to Debian?
This isn't having a crack at you, most people haven't donated.

~~~
jameskegel
Code contributions are appreciated as well :)

------
rkv
One of my favorite changes:

> If you use debhelper/9.20151219 or newer in Debian, it will generate debug
> symbol packages (as <package>-dbgsym) for you with no additional changes to
> your source package. These packages are not available from the main archive.
> Please fetch these from debian-debug or snapshot.debian.org.

No more shipping -dbg packages with full binaries. And less storage space is
always a win.

~~~
JoshTriplett
-dbg packages never shipped full binaries (with a few exceptions for unusual libraries); they always shipped detached debug symbols. This change just makes them automatic and puts them in a separate archive.

~~~
rkv
Did not know that, thank you. Do you happen to know how it is done? When
I pull the debian tarball for nginx (which has a -dbg package with symbol
files) I see:

> dh_strip --dbg-package=nginx-$(*)-dbg

Which is the exact same command I use in my rules file. But instead of giving
me a -dbg package with symbol files debuild gives me a -dbg package with the
unstripped binary. Not sure what I am missing. I am following the DebugPackage
guide on the Debian Wiki[1].

1. [https://wiki.debian.org/DebugPackage](https://wiki.debian.org/DebugPackage)

~~~
JoshTriplett
With current Debian, you don't need to do anything at all, and in particular
you should not pass --dbg-package. Instead, dh_strip will automatically create
a -dbgsym package containing detached debug symbols, if your package contains
a library or binary.

Also, make sure that you build with debug symbols enabled in the first place;
the default CFLAGS should do that.

~~~
rkv
Sorry, I'm not asking about current Debian. In your previous comment you
mention that the symbol packages are not new. I'm wondering how people have
been creating them on Debian 8.

------
tlikonen
My favourite change is the transition to GnuPG 2.1 as the default
/usr/bin/gpg. Particularly the "trust on first use" (TOFU) trust model is a
really good improvement.

------
scrollaway
Finally! Been eagerly waiting for this. Congrats Debian team.

This is surprising though:

> _Python 2.7.13 and 3.5.3_

I thought 3.6 was in Stretch out of the box. Why 3.5 only (especially on a
LTS)? :\

~~~
vbernat
Including Python 3.6, even as a non-default Python, would have required
rebuilding all Python packages and handling the non-working ones (either fix
the problem or explicitly exclude Python 3.6 support for this package). There
was not enough time to do all that.

~~~
voltagex_
Any bugs I should look at in particular? Does this mean we're stuck with
Python 3.5 for the lifetime of Debian 9?

~~~
warbiscuit
Would love to know this myself.

I'm in process of moving my company's main web app to python 3, and
standardized on 3.5 to match Debian 9.

But python 3.6 has so many cpu & memory improvements (not to mention things
like f'' strings), seriously considering installing custom copy of 3.6...
though not sure if I want the burden of maintaining my own copy of everything
that will affect.

Then again... "Debian stable" being rock solid stable is why I stick with it
for production; if their caution in this is the price I pay, it's worth it.

~~~
voltagex_
I'm not sure how tricky it'd be to maintain your own repo just for Python 3.6.
It may be worth it.

------
ClashTheBunny
It seems you have committed to supporting Python 2.7 for two years longer than
official support. Could you comment on that situation?

~~~
avar
This also applies for the perl version they shipped, perl releases are
supported for 3 years, Debian for 5.

It's inevitable that you're going to get mismatches between OS support and
"official" support for the specific packages that go into that release. Not
all projects provide supported releases over a period of years, so distros
just do their best to patch any issues that upstream has stopped caring about
past that point.

In practice the only thing that's going to be a big worry are new security
issues, which upstream is usually willing to go out of their way to fix for
versions still used in the wild, even for technically "unsupported" releases,
at least the Perl project is, I don't know about Python.

------
emilsedgh
I'd like to know if the Linux server landscape is changing in favor of Debian
due to Docker. It seems most popular packages are based on Debian.

Although Alpine Linux is my personal choice.

~~~
jameskegel
Alpine is the default iirc

~~~
krzyk
Strange, this is the first time I hear about Alpine, most of the server stuff
I work/worked with were either Redhat or Debian.

~~~
devonkim
A lot of people porting older applications that depend upon base OS
assumptions into containers will probably be using more full-featured
containers. With greenfield applications I would expect more use of Alpine or
even the scratch base image for people trying to deploy truly minimal
containers.

------
stephenr
As I mentioned yesterday on the "Upcoming" comment thread
([https://news.ycombinator.com/item?id=14574287](https://news.ycombinator.com/item?id=14574287)),
if you're looking to start using Stretch in your Vagrant dev environment,
we're uploading AMD64 & i386 boxes for both VirtualBox and Parallels providers
to Atlas as I type this. (If you're reading this soon, make sure it's v1.2.0,
v1.1.0 is based on RC5 from a few days ago)

Edit: the uploads are complete, v1.2.0 of debian9-amd64 and debian9-i386 are
released.

[https://atlas.hashicorp.com/koalephant](https://atlas.hashicorp.com/koalephant)

If there is user demand for it, we can look into vmware boxes, and possibly
hyper-v too.

Apologies if anyone feels this is off-topic/opportunistic - AFAIK all other
Debian 9 boxes on Atlas target Virtualbox only, and while projects like
Boxcutter (which we forked from) _do_ support Parallels/etc, they aren't
always the quickest to produce new boxes.

------
partycoder
fyi Debian names their releases after Toy Story characters.

Sid (Debian unstable) is named after the guy that breaks the toys.

~~~
JoshTriplett
And experimental is called "rc-buggy". (Debian has the notion of "Release
Critical" or "RC" bugs, which affect migration from unstable to testing, so I
find the nickname "rc-buggy" for experimental hilarious.)

~~~
glandium
IMHO, rc-buggy would have been a better pun for unstable (which is where
packages with RC bugs are blocked until they can transition to testing).

~~~
JoshTriplett
It would have been, yes, but sid was already named.

------
aorth
Nice! I see it's already available on Linode.

~~~
mysticmode
Oh that's nice. I'm about to deploy things to Linode. Will check now.

------
boondaburrah
Well, my Tangerine iMac will be sad to see debian support go.

~~~
voltagex_
233mhz PowerPC? How long did you keep it going for? How long did you use it
for?

~~~
boondaburrah
Actually a 400 MHz one. Through the help of eBay I upgraded it to 1GB RAM and
160GB HDD. It's currently built into a desktop arcade machine running MAME.

I have an awful habit of re-using old tech instead of throwing it out.
Hopefully I can eventually get rid of the stuff that still works at the MIT
FLEA or something.

------
ausjke
I use debian mainly for servers. Tried Debian 9 this morning for desktop, do
not like the hidden-by-default-activities UI, also D9 does not recognize my
dual LCDs (Ubuntu has no issues with that), so it will be the same for me: All
servers will be upgraded to Debian 9, Ubuntu LTS for the desktop, and ArchWiki
for documentation. Good for now and Thanks for the new release.

------
forlorn
How long does it usually take for things to settle down in Testing after a
stable release? I heard it might take up to several months.

~~~
lamby
I would actually recommend running unstable these days.

~~~
plange
Unstable over testing? Really? Why? :-)

I've been running stretch on a lenovo carbon x1 for the last 2 years and it's
been one of the first problem-free experiences running linux on the desktop
(linux user for.. 18 years). Really awesome. Thanks!

~~~
brusch64
Some years back I was using testing. It was the year they changed over from
Gnome 2 to Gnome 3. I couldn't use the stable release because my mainboard and
cpu weren't supported.

Boy, was this a hard process. It took some months until my system worked
without GDM crashes. After that I changed over to Arch and been a happy
Arch-er since then. I wouldn't recommend running testing.

I've heard that unstable is more like Arch linux and the rolling release model
of Arch Linux works very well for me.

------
hitlin37
Thanks a ton to the whole debian team. You do an amazing job that keeps the
modern computing running day and night.

------
blfr
_Chromium 59.0.3071.86_

How well is Chromium supported on Debian?

I like it as a secondary browser for its excellent support of multiple
profiles but I run Ubuntu and had to switch to Chrome because Chromium doesn't
seem to be updated promptly.

~~~
hansjorg
You should check out the new contextual containers feature in Firefox if you
haven't. Both more convenient and more powerful than profiles.

As someone commented elsewhere in this thread, you can get FF version 52 in
the security repo of Stretch, even if the default browser is Firefox ESR.

[https://testpilot.firefox.com/experiments/containers/](https://testpilot.firefox.com/experiments/containers/)

~~~
blfr
Interesting. Does it also allow different settings/addons per each profile?

~~~
hansjorg
I don't think so, but some addons support per container settings. For example
Cookie AutoDelete where each defined container can have its own whitelist:

[https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/)

------
milankragujevic
Downloading it, does anyone know how Debian works on a MacBook Air 7,2?

~~~
skynode
Why not run it on a new box?

~~~
milankragujevic
I don't understand what you're trying to say. I want to use Debian as my daily
OS because I don't like how macOS does things, and I got a MacBook because
they are good quality and have a good warranty and I can run all 3 platforms
(Win+Lin+Mac) on it if I so desire.

~~~
skynode
You like Apple's hardware but not its OS. I think there are better compromises
out there, but of course, feel free to do your thing.

~~~
milankragujevic
I don't wanna argue, but keep in mind that I'm in Serbia and that I bought the
MacBook with a "special financing plan" which the Apple reseller offered but
not any of the generic stores that carry such ultrabooks as the XPS 13 or the
Spectre...

~~~
jameskegel
I am not sure I understand

~~~
s_kilk
Basically their material circumstances have led to a particular outcome.

------
mayhew
I've been running Stretch for 6 months and can't remember a single crash or
issue. Amazingly stable release, kudos and thanks to everyone involved.

------
stevekemp
Nice to see this release; I'd already started upgrading some of my
lightly-loaded servers over the past few weeks but the "real" ones will wait a
little longer.

One thing that is new in this release is the availability of mod_http2, for
Apache. I'm looking forward to seeing if that will increase the response-time
of my various websites.

------
shmerl
At last the freeze is over. It started to be a bit annoying to build Mesa from
source when stuff like newer llvm and libdrm are hard to squeeze into frozen
Debian testing.

I suppose the idea of reducing freeze time with "always releasable testing"
didn't really work out (lack of resources?).

~~~
LeoPanthera
Testing is usually a bad distribution to use for anything in production. If
something breaks, it will stay broken for quite a long time until the fix
makes it out of Unstable.

Unstable is almost always a better choice. Things may occasionally break, but
fixes will arrive very quickly.

~~~
TomatoTomato
Serious question...

Can't you make the same argument against using stable for the same reason?

> If something breaks, it will stay broken for quite a long time until the fix
> makes it out of unstable [and testing].

~~~
shmerl
Stable usually doesn't get such issues. They are related to transitions.
Sometimes it happens, that some packages are stuck in unstable for example,
because they don't build on some arch, while their related packages go
through. In result, testing gets an inconsistent combination, while unstable
is OK. It happens when someone didn't take care to specify that these packages
should only move to testing together.

This won't happen with stable, since it will get the consistent result in the
end.

------
mlcdf
Firefox is back.

Me: Yay!

In version 45 (released on March 8, 2016)

Me: WTF.

~~~
bonyt
It's Firefox-esr in the repo, which is the extended support release,
[https://www.mozilla.org/en-US/firefox/organizations/](https://www.mozilla.org/en-US/firefox/organizations/)

I think 52 is in the security repo now, though

~~~
mlcdf
Oh okay. Thank you!

------
tamalsaha001
Really looking forward to this release. We run Kubernetes with Debian 8. One
of the big pain points has been needing to enable Docker memory accounting. I
read that memory accounting will be enabled by default in Debian 9. Is that
still the case?

------
wvh
Happy to report I updated last week already and even my cubox-i (arm) booted
just fine on first attempt. Thanks and congratulations!

------
hitlin37
Anyone else tried to get debian running on Macbook pro late 2016?

------
donatj
Golang 1.7... 1.9 is due out soon. Sigh, this is why I end up installing
things myself without a package manager.

~~~
mappu
Debian stable releases have a 2+ year lifespan so even 1.9 would be out of
date for most of the distro's life.

Luckily Go is quite easy to install and use from an isolated directory, and
the majority of Debian usage here would be as a target OS where the Go
compiler version doesn't matter.

Also jessie shipped Go 1.3 but it was updated to Go 1.7 in jessie-backports,
so you can probably expect further Go updates in stretch-backports when it's
released.

~~~
shmerl
You don't need to use stable. Debian testing is rolling and only stalls during
release freeze period.

~~~
kfrzcode
I use unstable in my day to day and have had minimal problems.

~~~
icebraining
Same here, my laptop has been on unstable for over five years and it's been
fine.

~~~
ReverseCold
Unless you need Debian for some reason, why not use one of the arch based
distributions or fedora/some other redhat based one? Those always have the
latest packages.

~~~
icebraining
I don't get the question. I already have the latest packages on Unstable, why
would I switch?

------
ensiferum
Does it support USB yet? ;-)

------
rxlim
Congratulations. The return of Firefox branding makes me feel nostalgic. I
remember using Firefox 1.04 on Debian in the early 00's. This was in the
golden age of Firefox, when every new release was an improvement and it was a
lean non-bloated alternative to other browsers.

In the past Debian was considered to be one of the most stable Linux
distributions available. Stability and quality was a priority above anything
else. However, around 2014 something changed when systemd was forced into
Debian in a way that would never have happened before the new generation of
developers took over the project.

Maybe this is just something we have to get used to, young developers seem to
value ease above quality and stability, this also explains the current flood
of Electron apps.

~~~
vbernat
Half of the technical committee chose systemd. None of them are newcomers.
The casting vote in favor of systemd was done by Bdale who is a Debian
developer since the very beginning.

~~~
rxlim
systemd was just a symptom. Multiple developers that had been working on
Debian for many years, left the project in that period for various reasons.

