An unstable Debian stable update

A bug in a recent release of systemd's network manager caused headaches for people managing systems that have a virtual LAN (VLAN) interface on a bridge; something one might want to do, for example, when configuring network interfaces for virtual machines. The bug affected several Debian users when upgrading the systemd package from v257.7-1 to v257.8-1. The updated package is part of the Debian 13.1 release, and the bug has snared enough users to cause a minor stir—due in no small part to the maintainer's response as much as the bug itself.

The bug in systemd-networkd was first reported to the systemd project on August 7 by Kenneth J. Miller, who encountered it in an Arch Linux package. The problem is a regression in the systemd 257.8 release; systemd-networkd will crash with a segmentation fault if a system has a bridge interface configured with a VLAN. This is not a common configuration, but it is supported by systemd-networkd and explained in its documentation. Certainly, users who have this configuration working would expect it to continue doing so when updating their system.

The regression found its way into the systemd package version 257.8-1~deb13u1 and was uploaded to the proposed updates repository for testing. Timo Weingärtner filed a bug reporting this problem against the Debian systemd package on August 30, before version 257.8-1 had moved into Debian's stable updates repository.

He explained his setup, offered to provide more detailed configuration information in private, and noted that the upgraded systemd-networkd worked fine on systems without a VLAN configured on a bridge. He added that he was reporting the bug in the hopes of stopping the new package from reaching the stable archive. Luca Boccassi, a systemd developer and one of the maintainers for the Debian package, as well as the most active uploader for it, responded on September 1 and asked Weingärtner to provide more information.

Move to stable

The systemd 257.8-1 package did, unfortunately, move to the stable updates repository, and it was included in the Debian 13.1 release on September 6. That led to several people chiming in on the bug report to confirm that it was an issue and urging Boccassi to increase the severity of the bug. Tim Small asked if there was a way to pull the package from the archive. He also expressed surprise that it had been included in the update since it had been reported "a good week before Debian 13.1 went out".

Adam D. Barratt said that a new updated package was needed; it could be released to the stable-updates repository if the release managers agreed. He noted that the release team had no way of knowing that the 257.8 package should not have been included in 13.1:

It was reported at a non release critical severity, tagged "moreinfo" and neither the submitter nor the maintainer (nor anyone else) raised it to the Release Team's attention

Boccassi set the bug's priority to "minor" and replied that there was no need to disturb the release managers. He also added a somewhat dismissive comment about the impact of the bug itself:

This is just a minor issue with a particular corner case of a custom config of an optional component. Anybody who is unable to deal with that should just stick to the default Debian components. The next stable update in ~2 months will contain a fix.

What Boccassi is referring to is Debian's default method of configuring networking; there are four recommended ways to configure networking for Debian systems. The default for servers is to use /etc/network/interfaces, and NetworkManager is the default for desktop configurations. LWN covered a discussion about those defaults in September 2024.

Response

Kevin Otte called the response insulting and said that "my network failing out from under me during a routine 'apt upgrade'" was hardly a minor issue. He added that the configuration is a normal feature that was introduced with Linux 3.8 and well-documented in the systemd-networkd man page. "This is hardly a corner case nor a custom configuration." Otte also objected to the idea that systemd-networkd is an optional component, since it is part of systemd and included in Debian's base package set.

Any package maintainer that can't adequately maintain their package, especially one as critical as systemd, and essentially tells the user "sucks to be you" should step down.

Others voiced similar sentiments; Jonathan Wiltshire, one of Debian's stable release managers (SRMs), disagreed with Boccassi's position. He pointed out that systemd-networkd is called out in the Debian networking reference, and the configuration that triggers the bug is explicitly included in systemd's documentation. Whether Boccassi intended it or not, maintaining systemd-networkd makes him responsible for a critical component for many people using Debian in a production scenario. "A reasonable user would expect this to work without issue." He also said that this kind of bug was absolutely something the SRMs would want to know about. "We would rather know and disregard than not know at all."

Daniel Baumann sent a message to the debian-devel mailing list about the bug, saying that it had taken several servers offline at his work, "seriously harming the reputation of Debian" and causing his management to question further contributions to Debian during working hours. He said that the fix for the bug was trivial and should be applied as soon as possible, he also asked Boccassi if he had reconsidered the priority of the bug.

On September 8, Boccassi doubled down on his assertion that the configuration in question was a "niche corner case":

Regardless of what one's opinions may be, the fact is that the default in Debian is network-manager for desktops and ifupdown for the rest, so anybody demanding nothing less than perfection would do well to stick to those defaults instead of being adventurous and then throwing abuse when experimental things don't work.

He said that he had already prepared an update with a fix for the bug to go into Debian's proposed updates queue but had not uploaded it due to "incredibly demotivating" comments from other members of the Debian project. He would upload the update when "things calm down to a sensible level". If Wiltshire wanted to push the new package as an update before the 13.2 release, Boccassi said, then he could do so.

Fix uploaded

Philipp Kern—a former Debian SRM—responded on September 9; he reported that a non-maintainer upload with a fix for the bug was due to be installed in Debian's archive. That package is now available in Debian's stable updates repository and has been accepted for 13.2.

It is understandable that users would be upset by such a bug impacting their systems; having to recover a remote system that has lost networking is, after all, not much fun for most people. It might, in fact, ruin one's whole day. However, some of the responses and accusations were out of line—even taking into account the dismissive nature of some of Boccassi's replies.

This is not to say that there is no room for improvement or that it would be a bad idea for other Debian developers to be more active in maintaining such a critical package. There are five other people listed as maintainers of the systemd package aside from Boccassi. He, however, appears to be the only person making regular maintainer uploads for the package in recent times, though the changelog does note a number of contributions from others.

The Debian project strives to provide a stable, high-quality operating system; it succeeds in this the majority of the time. Its distribution is developed by volunteers who typically have day jobs and many competing responsibilities outside of their work on the distribution. Ideally, Debian's maintainers would always respond to bugs effectively, and users could assume that stable updates will, in fact, be stable. It is not reasonable to expect the same level of response from volunteers that one gets from a commercial Linux, though. Negative feedback does not encourage open-source contributors to do better; it puts them on the defensive and creates a hostile atmosphere that too often leads to developer burnout.