Debian 9 feels like home with security upgrades and a flaming vulpine warming your toes
Strong and stable release from conservative distro
Review The Debian Project has released Debian 9 after two years and, as you might expect for a work that's taken so long, it's quite an overhaul.
In addition to major updates and changes to nearly every bit of software, there have been some important policy changes too. This version – dedicated to Ian Murdock, Debian founder and the 'ian' in Debian – ships with two apps you won't find in Debian archives unless you go back nearly a decade: Firefox and Thunderbird.
Due to licensing issues, Debian has long shipped Iceweasel and Icedove instead of Firefox and Thunderbird proper. With the release of Stretch that's no longer true; the full Mozilla-branded versions now ship with Debian 9.
It's also worth noting something significant that didn't make it into Debian 9 – support for Secure Boot. That leaves Debian as the only major release that doesn't support it. That's disappointing since, although Secure Boot has some issues, it's generally a vast security improvement because it prevents unsigned code from running at boot.
Aside from the missing Secure Boot support – which, it's worth noting, may yet arrive at some point – there's much to love in the release. All the major desktops Debian officially supports have been updated, most desktop apps are near their latest release and quite a few low-level components see some major version leaps.
Among the more significant changes is support for the 4.9 Linux kernel, a huge leap from Debian 8.8's kernel, 3.16. Kernel 4.9 means better support for Intel Skylake chips, quite a few improvements to different file systems, especially Btrfs, as well as the usual slew of driver updates and improved support for newer hardware. There's also quite a bit of improvement to ARM support, which is significant for Debian since it supports just about every chip architecture under the sun, including ARM.
Server users will note that this release ditches MySQL for MariaDB, which so far is a drop-in replacement that shouldn't actually change anything in terms of database behaviour. Those using Debian as a web server will be pleased to know that Debian supports PHP 7, which, while hardly new, is a welcome update. Python devs also get support for 3.5 in this release.
Welcome return: Firefox is back in Debian
While Secure Boot did not make the cut, there are many changes in this release that greatly improve the overall security of Debian. Among the most significant, X.Org no longer needs root privileges to run the display server. That eliminates an entire class of attacks that work by going after privilege escalation via X.Org. However, to run X.Org as non-root you'll need to install logind and libpam-systemd and use GDM 3 for your login tool since only GDM 3 supports running it without root privileges.
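One way to confirm the outcome on an upgraded machine, as an added example that is not from the review or the Debian project: the script below classifies who owns the running X server and checks the packages the paragraph lists. The Debian package name gdm3 and the process names Xorg and X are assumptions about a stock install, and the sample process listing is constructed.

```shell
#!/bin/sh
# Added example: audit whether the X.Org server still runs as root.

# classify_xorg_owners reads "USER COMMAND" lines on stdin (the format
# produced by `ps -eo user=,comm=`) and prints exactly one verdict:
#   root         at least one X server process is owned by root
#   rootless     X server processes exist and none is owned by root
#   not-running  no X server process was found
classify_xorg_owners() {
    awk '
        $2 == "Xorg" || $2 == "X" { seen = 1; if ($1 == "root") root = 1 }
        END {
            if (!seen)     print "not-running"
            else if (root) print "root"
            else           print "rootless"
        }'
}

# pkg_installed succeeds only if dpkg reports the package fully installed.
pkg_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null |
        grep -q '^install ok installed$'
}

# audit_rootless_x checks the live system: prerequisite packages first,
# then the owner of the running X server.
audit_rootless_x() {
    for pkg in libpam-systemd gdm3; do   # package names are assumptions
        if pkg_installed "$pkg"; then
            echo "ok: $pkg installed"
        else
            echo "missing: $pkg"
        fi
    done
    echo "xorg: $(ps -eo user=,comm= | classify_xorg_owners)"
}

# Constructed sample: a greeter and a user session, both non-root.
SAMPLE='root     systemd
Debian-gdm Xorg
alice    Xorg
alice    gnome-shell'
echo "sample verdict: $(printf '%s\n' "$SAMPLE" | classify_xorg_owners)"

# Pass --live to audit the machine the script runs on.
if [ "${1:-}" = "--live" ]; then
    audit_rootless_x
fi
```

A verdict of `root` after the upgrade usually means a display manager other than GDM 3 is starting the server.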
Another big security change is an update for GnuPG. Debian 9 uses what the GnuPG project refers to as the "modern" branch of GnuPG by default (version 2.1), eliminating the need for GnuPG 1.1 or 2.0. Both are still available in the repos, but the modern branch has much better defaults for generating keys, as well as support for elliptic curve cryptography. It's also what nearly every other distro has long used, which means if you move between distros a lot, there'll be less confusion in GPG commands and behaviour.
Another major tool change is the version of apt.
I threw caution to the wind and updated my primary laptop the day Stretch was released – moving from Debian 8.8 – and while I have had no significant problems (even with my software from backports), there are a couple of gotchas worth noting. The biggest is that Network Interface Cards (NICs) are now named using BIOS/firmware and slot. That means, for example, your Ethernet card will be something like ens0 or enp1s1. If you have any scripts that reference, for example, your Wi-Fi card by NIC, they may break.
Also be aware that Debian 9 moves to use the libinput X.Org driver, so if you've got a bunch of customisations that rely on the evdev driver (the default in Debian 8) you'll need to migrate them to use libinput syntax. The other possible rough spot involves GNU GCC 6, which is new in Stretch and offers support for position independent executables. That's a security improvement but it means you need to be on a newer kernel. My advice is to update to Debian 8.8 before attempting to update to 9.0. That way you won't encounter any problems.
There are a handful of other known issues with Debian 9 and it's well worth reading through the list before you attempt to upgrade anything that you depend on – although I upgraded my laptop, it'll be a while before I attempt to move any production servers.
The Debian installer offers half a dozen desktops, nearly all of which have seen major updates in this release. The default option is GNOME, which has been updated to GNOME 3.22. Perhaps the best thing about 3.22 is that the GNOME extensions API has been declared "stable". That's mostly good news for extension developers, but it also means that updates will no longer run the risk of breaking all the extensions you rely on to customise GNOME Shell and, let's face it, only masochists use GNOME without customising it.
GNOME 3.22 also sees some big changes in the Software app, especially better support for Flatpak apps. If you haven't had a chance to dive into the world of Flatpak apps yet, you can do so in Debian 9. Flatpaks are still a bit rough around the edges and the very tight sandboxing model that governs them can mean that Flatpak versions of your favourite apps are missing a few features, but they're getting closer to usable status.
The other desktops in the installer are Cinnamon 3.2, KDE 4.16, Mate 1.16, Xfce 4.12, and LXDE.
Overall, there may not be much that's really new in Debian 9 for anyone not using Debian, but it is a significant release for the project, for users and for the wider Linux community.
Without Debian there would be no Ubuntu, no Linux Mint and no elementary OS, to name just a few of the currently popular distros downstream from Debian.
This release should confirm Debian's reputation as a very conservative distro focused on stability over all else. But if you want to try out Debian's bleeding edge, right now is about as bleeding as things get. When Debian 9 was declared finished it was moved out of the testing channel where it had been for the last two years. That means that testing is currently more or less the same as "Sid", the rolling version of Debian. That's where the latest releases will live for the next several years before they become Debian 10.
Along the way they'll become Ubuntu 17.10, Ubuntu 18.x, Linux Mint 18.x and 19.x as well as dozens of other distros.
Not all roads in Linux lead back to Debian but for those that do, Debian 9 is a milestone. ®