Debian 6.0 “Squeeze” released (debian.org)
230 points by mariana on Feb 6, 2011 | 45 comments

Debian's website also received an upgrade[1]:

> On the occasion of the release of Debian 6.0 Squeeze, the Debian website team is pleased to publish a new design for Debian's web presence. After roughly 13 years with nearly the same design, the layout and design of many of the websites run by Debian changed together with today's release of Debian Squeeze. Debian's main website and its wiki, lists archive, blog aggregator planet and package information system now have a consistent new layout. The new layout is meant to give Debian's web presence a cleaner and more modern look as well as making the web pages easier to use and navigate.

[1]: http://www.debian.org/News/2011/20110205b

I don't have enough expertise in design to articulate why, but it seems to fall quite short of `cleaner and more modern.' Well, maybe it is a bit less '90s than the previous design, but I'd hardly call it clean and modern. The logo off to the left of the banner is odd, the different fonts and sizes aren't pleasing together, the columns of links seem like something you'd see at the bottom of a page rather than in the middle -- I could go on.

Sorry to call someone's baby ugly. Is it just me?

I wouldn't call it `cleaner and more modern' either but I really don't care. The best thing in Debian is that you don't have to visit their website often (or at all), because everything works in it, and everything works from command line.

Debian is made by volunteers, and surely there are amazing web designers here at HN, so jump on the Debian ship and help make the Debian project even greater.

All of the main "volunteer" Linux distribution websites are terrible in terms of design. Gentoo, Slackware, CentOS (ugh!) and Debian all leave a great deal to be desired. Every time I visit the CentOS homepages and have to navigate their ugly menu, I die a little inside.

Debian 6.0 (Squeeze) has been released!


Use torrents to download the ISOs, please.

You can find the seeds under every architecture in the directories beginning with bt-

For instance:


And keep seeding ’til you’re bleeding ^_^

Edit to add this new Debian-installer page (within a brand new design site):


Does your username have anything to do with Debian?

Nothing officially at all, I'm just a Debian user.

The nick is just a little game because I like to extract Debian's juice in my machines.

Good to see my favorite distro moving forward! I only wish they could have managed to ship Perl 5.12 rather than 5.10.

You can get it from the experimental repo.


More info on it: http://wiki.debian.org/DebianExperimental

I love debian too, but I don't understand why they're so far behind.

OpenSSL in squeeze is v. 0.9.8o-4? http://packages.debian.org/squeeze/openssl

C'mon, guys, the latest current OpenSSL is already at v. 1.2.2

This is why I'm switching to ubuntu.

What Debian released is a stable distribution that is going to be maintained for the next 3 or 4 years. It is better to release something stable and well tested than bleeding edge stuff.

Many people don't get Debian. This is a release aimed at servers and stable workstations. If you want or need bleeding edge stuff you can use Debian testing/unstable or Ubuntu as you suggested.

There also wasn't a lot of time before the freeze--- OpenSSL 1.0.0 was released on March 29, and the Debian "Squeeze" freeze was August 6. Dropping in a new version of OpenSSL four months before the freeze wasn't considered prudent. Even if OpenSSL itself could be tested in that time and considered rock-solid (probably possible), a lot of different packages depend on / link with OpenSSL, and linking them with a new version might expose subtle bugs or incompatibilities in those apps, which you'd want some time to notice/debug/fix, especially since it might require waiting on upstream developers to debug/fix things in their apps.

Post-release, OpenSSL 1.0.0 will now be migrated to unstable, and then any problems that causes or exposes can be found and fixed on a more generous schedule.

I agree. I use Debian not because it has the bleeding edge but because they have the most stable versions and they care about that. I love their system.

Well, you might be disappointed if you switch to ubuntu: http://packages.ubuntu.com/maverick/openssl

edit: the latest OpenSSL release is 1.0.0, not 1.2.2. And development on the 0.9.8 series seems to be still active, as the latest version in it was released on the same day as 1.0.0c

edit2: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578376

That seems like a dumb reason to switch to Ubuntu. I'm unaware of any current software that doesn't work fine linked against the OpenSSL version in Debian. SSL/TLS is just not a rapidly moving target, and this version is still actively maintained.

I reckon I prefer stability and predictability over modernity in my encryption and signing libraries.

Out of curiosity, which feature from 1.2.2 do you need that 0.9.8 doesn't have?

PCI compliance audits require at least v. 1.0.0 of OpenSSL.

Interesting, I didn't know that.

Seems like a flaw in the PCI requirements to me, do they really demand the "latest" version instead of the stable, time-tested one?

It certainly can't be in the spirit of these audits to encourage people to move from Debian stable to a distro that's based on Debian unstable...

Well, their solution was to build OpenSSL 1.0.0 (which is stable) from source.

That was easy, but then rebuilding other components which were linked to the original v. 0.9.x was a major PITA.

This is the problem, according to the auditor:

Vulnerability in OpenSSL 0.9.8g
Severity: Critical Problem
CVE: CVE-2008-0891 CVE-2008-1672 CVE-2008-5077 CVE-2009-0590 CVE-2009-0789 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-3245 CVE-2009-3555 CVE-2010-0433 CVE-2010-0740
Impact: A remote attacker could execute arbitrary commands, cause a buffer overflow, bypass security or create a denial of service.
Resolution: OpenSSL should be [http://www.openssl.org/source/] upgraded to 1.0.0a or higher.

Those CVE ("Common Vulnerabilities and Exposures") items are explained in more detail at NIST:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-089...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-137...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-074...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-043...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-324...

Well, this ignores the reality of how most linux distributions are maintained.

Version numbers are not supposed to change after the fact in a stable-release, hence security fixes get backported (every distro has a security-team for this).

If PCI requires a less tested newer version over a battle-scarred (patched up) older one then PCI is working against its own stated goal.

It doesn't take much wisdom to realize that it's less likely for new bugs to crop up in the 0.9.8 openssl that Debian ships than in the 1.0.0c that RHEL6 bundles (just one month after release!).

New software has bugs. Old software has less bugs.

You should have explained to your auditor that Debian backports security patches to the shipped version of OpenSSL.
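
The point made in the comments above (security fixes are backported without changing the upstream version number, so a version-string finding has to be checked against the package changelog), as an added example that is not part of the thread. The changelog text, its versions and its CVE-to-version mapping are constructed for illustration; the CVE ids are taken from the auditor's finding quoted above.

```python
import re

# Finding text as pasted from a scanner report; ids may lose hyphens in copy/paste.
FINDING = "CVE: CVE2008-0891 CVE-2009-3245 CVE-2009-3555 CVE-2010-0740"

# Constructed changelog in Debian changelog format. The versions and the
# CVE-to-version mapping are invented for this example, not real Debian data.
CHANGELOG = """\
openssl (0.9.8-0example3) stable-security; urgency=high

  * Backport upstream fix for CVE-2010-0740.
  * Backport upstream fix for CVE-2009-3245.

 -- Example Maintainer <maint@example.org>  Sat, 01 Jan 2011 00:00:00 +0000

openssl (0.9.8-0example2) stable-security; urgency=high

  * Backport upstream fix for CVE-2009-3555.

 -- Example Maintainer <maint@example.org>  Tue, 01 Dec 2009 00:00:00 +0000
"""

ENTRY = re.compile(r"^[a-z0-9][a-z0-9+.-]* \(([^)]+)\) ")  # "pkg (version) dist; ..."
CVE_LOOSE = re.compile(r"CVE-?(\d{4})-?(\d{4,})")

def normalise_cves(text):
    """Return canonical CVE ids found in text, tolerating dropped hyphens."""
    return ["CVE-%s-%s" % m for m in CVE_LOOSE.findall(text)]

def fixes_by_cve(changelog):
    """Map each CVE id to the oldest changelog version that mentions it."""
    fixed, version = {}, None
    for line in changelog.splitlines():
        entry = ENTRY.match(line)
        if entry:
            version = entry.group(1)
        elif version:
            for cve in normalise_cves(line):
                fixed[cve] = version  # newest-first file: last write is the oldest
    return fixed

def triage(finding, changelog):
    """Split a finding's CVEs into backport-recorded and still-to-verify."""
    fixed = fixes_by_cve(changelog)
    cves = normalise_cves(finding)
    covered = {c: fixed[c] for c in cves if c in fixed}
    unverified = [c for c in cves if c not in fixed]
    return covered, unverified

if __name__ == "__main__":
    print(triage(FINDING, CHANGELOG))
```

On a Debian system the real input would be the decompressed contents of `/usr/share/doc/openssl/changelog.Debian.gz`; ids left in the unverified list still need a manual check against the distribution's security tracker.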

They're so far behind because they're dedicated to release only when they think it's bug-free enough (for all packages, including all dependencies), which can be long after they freeze versions and features.

Another thing is they release the same distrib version on 9 different architectures, not only i386/amd64.

Considering this, and the fact they're volunteers, I don't think they're that far behind.

For those who don't know, Ubuntu is mostly Debian Unstable with a few packages delayed and a few pushed in earlier. In the experience of most people I know, it's normally slower to move than unstable but not that much better.

The debian unstable->testing->stable cycle is vicious, and on a production system it's actually very sensible - by the time a package is allowed to reach stable, it will have been rigorously tested and actually be properly stable.

Debian and Arch are my two favorite Linux distributions. If only Debian distributed a version compiled for an i686 also. I know it probably won't make a huge difference for most programs. But it niggles at my sensibilities that I am not using the architecture to its full. Arch is pretty awesome in that field, but I would be wary of running it on production servers. For me Debian testing has been the best compromise, and I have never faced stability issues with that.

Edit: corrected by removing "and x86-64"

> If only Debian also distributed a version compiled for an i686 and x86-64. I know it probably won't make a huge difference for most programs. But it niggles at my sensibilities that I am not using the architecture to its full.

Um, I think they do have a x64 version...

    $ cat /etc/debian_version

    $ file /bin/bash
    /bin/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

    $ file /lib/libc-2.11.2.so
    /lib/libc-2.11.2.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

You lucky 64-bit people:

    * cat /etc/debian_version
    * file /bin/bash
    /bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
    * file /lib/libc-2.11.2.so
    /lib/libc-2.11.2.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
    * grep name /proc/cpuinfo
    model name      : Intel(R) Pentium(R) 4 CPU 2.40GHz

This used to bother me, but now that a Pentium 4 seems nearly as archaic as an 80386, I guess it's not so much of an issue.

Oops my bad. I know, 'cause I am running one. What the hell was I thinking.

I've always used Debian on my servers, but like you, I also really like Arch Linux. So last year, I decided just to see what it would be like to run an Arch server. I installed it on a VPS using kernel26-lts, and besides having to do some diffs between new and old configs when updating packages, it really hasn't been that bad. I've never had the problem where a program would be completely broken when updating.

Only since last month, Arch includes glibc 2.12.2. Unfortunately, my VPS host only gives a CentOS 5.4 recovery image using kernel 2.6.18, meaning that since the newer glibc requires kernel 2.6.27, I'm unable to chroot into my install if I ever needed to.

Debian and Arch are my favorite too. I just wish Debian had a bit shorter release cycle. But it's a trade off, longer release cycle == stable release.

I use Arch on my workstations. They don't need as stable a platform as my server. And any downtime would be minimal and easy to schedule around.

Until this weekend I was also using Debian on my servers and Arch on my workstation. Recently I've started to manage my servers with Puppet. Since Puppet doesn't support pacman, I installed Squeeze on my workstation and I'm now managing it with Puppet. I might have to follow testing on my workstation, but the advantage of sharing parts of the configuration with my servers has been huge.

I'm sure I read an article where the author used git as a configuration management tool.

Now that would be fun.

Also don't forget to read the upgrade-guide for the proper upgrade procedure, link: http://www.debian.org/releases/squeeze/amd64/release-notes/c...

Debian userland on top of the FreeBSD kernel? Was there demand for this? Or, was it primarily to sidestep the GPL stuff and incorporate ZFS?

I suspect a developer had an itch to scratch. See http://wiki.debian.org/Debian_GNU/kFreeBSD_why

That's how Linux started :)

$ apt-get clean; apt-get update; apt-get -u dist-upgrade

782 upgraded, 162 newly installed, 22 to remove.

Darn, all this terrible upgrading work in Debian. Sometimes I wish I had a real OS. Why can't we all just run WinXP - those guys _never_ have to upgrade and they still run the best OS on the planet!

Anyone know if these images work with any of the popular USB key installers?


You can just raw copy (with dd) (most) Squeeze images to a USB stick, and start installation from there.

Right. Specifically, at least the x86 CD/DVD images use isohybrid, which makes them simultaneously valid as burnable media images and as bootable disk images.

Also, Debian has combined 32-bit and 64-bit x86 images, so you don't have to decide in advance which one you need. Just download the multi-arch image and it will autodetect: http://cdimage.debian.org/debian-cd/6.0.0/multi-arch/iso-cd/...

And this release also coincides with a Debian website redesign, which makes the site both much more usable and much shinier. Notice that http://debian.org/ has a prominent link to the x86 multi-arch image in the upper right corner of the page.

Installing fine from a USB stick here. I grabbed CD1 of the X64 discs, and copied to USB using dd:

dd if=/path/to/thedebian.iso of=/path/to/usbstick/device

(replacing the if and of with your paths of course -- note: all data on the usb stick will be erased, and make sure you've picked the right device!)

Of the distros I have used, only Ubuntu ships images that only boot on CDs. Debian, Arch, OpenSUSE all ship images that boot on "normal" storage (such as USB sticks, HDs, SSDs) and can be DD-ed to them.

I have always installed ubuntu off a USB stick, with no problems.

It works just fine with unetbootin, though I can't vouch for any others.
