LWN: Comments on "Lucky 13: a look at Debian trixie"

sudo user

taladar — Thu, 16 Oct 2025 08:24:12 +0000

It is not even just annoying, it also potentially makes it impossible to figure out what the problem is in the first place since most boot failures happen before logging to persistent media is enabled so you need to know what state the initrd based system is in at the time of failure to figure out what went wrong.

sudo user

rschroev — Tue, 14 Oct 2025 18:11:12 +0000

There are ways around it, but by default you can't login in rescue mode when you didn't set a root password:

"Cannot open access to console, the root account is locked.
See sulogin(8) man page for more details."

AFAIK that's the main reason why people often recommend to set a root password.

sudo user

PhilippWendler — Tue, 14 Oct 2025 16:17:47 +0000

You just get a shell without password prompt.

sudo user

dskoll — Tue, 14 Oct 2025 12:19:58 +0000

If you can't log in as root, then you have to fix a broken boot by booting from external rescue media, I guess. Which can be annoying if your machine is remote, but you have a KVM-over-IP box. So I too always set a root password on my machines.

sudo user

taladar — Tue, 14 Oct 2025 11:34:19 +0000

The main use for a root password is for failed boots, isn't it? How does the sudo setup with a password less root user handle this case? I have never really had a system with a root user without a password.

sudo user

josh — Wed, 01 Oct 2025 12:50:57 +0000

Ideally, I'd have the default (non-expert) install unconditionally install and enable sudo for the initial admin user, not prompt for a root password at all, and let people who want to have a root password run `passwd root` or graphical equivalent.

For an expert-level install, the simplest improvement would be to reorder the prompts. First set up an initial user. If not skipped, prompt for setting up sudo (default yes, skipped and set to no if no initial user). And after that, ask "don't set up a root password (default)"/"use the same password"/"set a different root password", with options disabled depending on previous questions.

sudo user

alx.manpages — Sun, 31 Aug 2025 05:49:22 +0000

So, would you split the question into two separate questions?

- Enter password for root:

- Do you want sudo(8) for the main user?

(Of course, with more wording than that.)

sudo user

josh — Sat, 30 Aug 2025 21:23:04 +0000

Yeah, I have a Debian package that installs the configuration I want for sudo (and other packages for other things).

stable-backports and stable-updates

cpacejo — Fri, 29 Aug 2025 15:51:42 +0000

Indeed, stable-backports is a safer option for those who want "stable, but with specific packages pulled from testing": <https://wiki.debian.org/Backports>

And stable-updates is more conservative still, pulling only from the next point release: <https://wiki.debian.org/StableUpdates>

thanks for the informative article

MKesper — Fri, 29 Aug 2025 13:17:38 +0000

There is an "unattended-upgrades" package that can update packages for you for security reasons.
It's configurable and can also be disabled, if you decide to do so.
I never saw Firefox doing a restart itself, though. It displays a message to restart it myself to be able to continue browsing.

https://packages.debian.org/trixie/unattended-upgrades

TIL about extrepo

kkremitzki — Fri, 29 Aug 2025 12:56:46 +0000

It's super nice to be able to bootstrap trust with extrepo. Just for reference here's a list of repos' GPG keys provided by `extrepo-offline-data`:

https://packages.debian.org/trixie/all/extrepo-offline-da...

sudo user

emorrp1 — Fri, 29 Aug 2025 09:26:55 +0000

Worth noting that this phrasing is new for trixie, it used to be even more misleading

thanks for the informative article

emorrp1 — Fri, 29 Aug 2025 09:21:43 +0000

firefox-esr package is updated, even within a stable release once the previous ESR version drops out of support. That means we can expect v140.3 to be in trixie in late September. https://whattrainisitnow.com/calendar/

https://tracker.debian.org/pkg/firefox-esr/news/?page=3 (for the exact dates we got 128.3)

If you install from outside of debian (e.g. extrepo) then yes obviously it's cycle will be outside of distro control.

testing is for actually testing. unstable is for users who want the bleeding edge

alx.manpages — Fri, 22 Aug 2025 07:19:36 +0000

Sounds good! However, I think that qualifies as an expert installation.

Recommending testing over unstable, saying that testing is for the bleeding edge and unstable is for the adventurous, that's at least a dangerous recommendation.

Such a recommendation would need to come with a disclosure that unstable is safer (even if it might crash more often) and explains how to deal with the security issues in testing.

thanks for the informative article

alison — Fri, 22 Aug 2025 04:52:55 +0000

While Debian users will indeed notice Firefox package updates, at times I've noticed that Firefox restarts itself when I don't recall a recent update. Perhaps some auto-installed security fix has arrived from Debian.

testing is for actually testing. unstable is for users who want the bleeding edge

pabs — Fri, 22 Aug 2025 03:14:26 +0000

You can install most unstable packages on testing, and using pinning and a script, auto-install security updates from unstable on testing:

https://wiki.debian.org/DebianTesting#Best_practices_for_...

I have been using this setup for years, it works great.

thanks for the informative article

pabs — Fri, 22 Aug 2025 03:04:54 +0000

The offline ML-based human-language translation system is still enabled for the Debian builds of Firefox, but it auto-downloads the models though, since Debian doesn't train them, relying on the Mozilla-trained versions.

sudo user

alx.manpages — Thu, 21 Aug 2025 19:07:11 +0000

> Or skip the root password when installing, then after installation set a root password.

Yup, that's an alternative I always thought should be possible.

I never tried it, though. Since I know my approach works, it always felt risky to try it in the other way. :)

Also, I have a sudoers file that I just cp(1) into /etc/sudoers.d and it works, which is easy. (Although it is painful to install and configure sudo(8) until I actually have sudo(8).)

TIL about extrepo

tcabot — Thu, 21 Aug 2025 14:22:40 +0000

Thank you for mentioning extrepo. It knows about most of the third-party repos that I had been managing ad hoc.

thanks for the informative article

jzb — Thu, 21 Aug 2025 13:59:06 +0000

If you're getting Firefox ESR from the Debian repositories, then it is updated by the Debian packagers with a number of patches applied. You can examine the patches applied to various versions here: https://sources.debian.org/patches/firefox-esr/.

The new ML features postdate Firefox 128, I believe, so it's unclear right now if they'll turn those off or not. I wouldn't be surprised if they do... If you want current-ish Firefox without some of the AI-type stuff, you might check out LibreWolf or other forks.

sudo user

rschroev — Thu, 21 Aug 2025 12:43:45 +0000

Or skip the root password when installing, then after installation set a root password.

sudo user

Karellen — Thu, 21 Aug 2025 11:40:11 +0000

Yeah, I think I missed that for ages too, as it came after 2 or 3 previous walls of text which effectively say "make sure you set a strong password for root". At that point, I was mostly thinking "yes, I know, and I get it, set a strong password for root! Can we get to the input box where I type that in now, please?", and missed that the last one says "actually, you can just use an empty password and we'll do something different! (lol)"

testing is for actually testing. unstable is for users who want the bleeding edge

alx.manpages — Thu, 21 Aug 2025 11:25:56 +0000

> Users who prefer to live on the edge will want to run another distribution or follow Debian development by running the testing release that previews the next stable version—Debian 14 ("forky"). Truly adventurous users may take their chances with the unstable ("sid") release.

This is not recommended. testing is the least secure flavour of Debian, as bug fixes are applied to stable (if appropriate), and also arrive at unstable (Sid) as normal patches, but due to migration policies, they can take months to arrive at testing.

See <https://www.debian.org/doc/manuals/debian-faq/choosing.en...>.

sudo user

alx.manpages — Thu, 21 Aug 2025 10:55:52 +0000

Could you please separate it into two questions?

I want a root password for login as root,
and I also want sudo(8) for my primary account.

Which means that with the current installer I currently am forced to set up sudo(8) after installation.

thanks for the informative article

alison — Thu, 21 Aug 2025 04:17:55 +0000

Although I've run Debian testing for years, I did not know about extrepo and the possibility of flatpak. I'm puzzled by Firefox, which I believed updated itself outside distro control. Is that not true? Chapeau to Debian if they have turned of the new automatically enabled ML features of Firefox.

aptly named

josh — Wed, 20 Aug 2025 17:48:46 +0000

"aptly named"

I see what you did there.

sudo user

josh — Wed, 20 Aug 2025 17:48:20 +0000

There's a description, but ideally I'd want to switch this around to a yes/no prompt about setting a password, default "no". "Press enter to use the default configuration of an admin account that has sudo access, or choose 'Set a root password' to create a password for the root user to directly log in.

64-bit time_t

cjwatson — Wed, 20 Aug 2025 16:06:14 +0000

It's also possibly worth noting that Y2038 isn't only relevant once the current time ticks past that point; it's also relevant for some programs that need to reason about times in the future (expiry dates, calendar items, and so forth).

sudo user

rschroev — Wed, 20 Aug 2025 14:17:53 +0000

I failed to notice that text as well for a long time, until a comment I saw somewhere made me look better the next time I installed Debian (I tend to install Debian quite regularly in VMs for testing stuff in isolation).

sudo user

jzb — Wed, 20 Aug 2025 14:14:51 +0000

Thanks all for the corrections - I have amended the article.

sudo user

smcv — Wed, 20 Aug 2025 14:11:12 +0000

Yes, that is how it works. Reference: https://salsa.debian.org/installer-team/user-setup/-/blob...

> To allow direct password-based access via the 'root' account,
> you can set the password for that account here.
> .
> Alternatively, you can lock the root account's password
> by leaving this setting empty, and
> instead use the system's initial user account
> (which will be set up in the next step)
> to gain administrative privileges.
> This will be enabled for you
> by adding that initial user to the 'sudo' group.

sudo user

jzb — Wed, 20 Aug 2025 14:11:07 +0000

Ah, appears there is text for it and I missed it. Thanks!

sudo user

jzb — Wed, 20 Aug 2025 14:09:54 +0000

Is that so? I didn't try that, obviously. I'll have to run the install again to see if there's text that informs the user they can do that. If so, I missed it. If there's not, I'll see about submitting a bug report or pull request to add it.

sudo user

rschroev — Wed, 20 Aug 2025 14:07:26 +0000

You are correct. The installer has some text about it, on the page where it asks for the root password:

> Alternatively, you can lock the root account's password by leaving this setting empty, and instead use the system's initial user account (which will be set up in the next step) to gain administrative privileges. This will be enabled for you by adding that initial user to the 'sudo' group.

Admittedly it's quite a wall of text.

If you do leave the root password empty (and only then) is sudo installed automatically, with a config file that grants sudo access to users in the sudo group, in addition to putting the initial user in that sudo group.

sudo user

bluca — Wed, 20 Aug 2025 13:54:19 +0000

> For example, many desktop distributions have eliminated the step of setting a password for the root user—instead, it is generally assumed that the primary user will also be the system administrator, so the default is to give the primary user sudo privileges instead. Debian does not take that approach; in fact, there is no way to give a user sudo privileges during installation. Setting up sudo has to be done manually after the installation is completed.

It's been a while, but IIRC if you skip setting a root password in the installer, then the created user will be added automatically to the sudo group