
Seamless upgrades

In the document SYSTEM DEBIAN (pages 181-184)

The Debian package management system

5.4 Managing packages: APT

5.4.7 Seamless upgrades

One of the core strengths of Debian is its seamless package upgrades. Whether APT is asked to upgrade a long-running woody server to sarge, or an upgrade of the current stable release encompasses a number of upgraded packages, APT will not break a sweat.

An upgraded package is defined as a package with a higher version number than the currently installed package (see chapter 5.7.5). From one Debian release to the next, a package’s version number can increase deliberately, while upgrades within stable are confined to security and non-trivial bug fixes, but may not provide additional functionality. If a security problem is fixed in a newer upstream version of the packaged software, the security fix itself is backported to the software version in stable so as to not introduce any further changes. Debian stable is guaranteed to be stable.

While the set of packages contained in stable may never change, a new Debian release usually contains many additional packages. As a consequence, dependencies within stable never change, but a new release could contain renamed or split packages, requiring modifications to the dependency relations of packages. For instance, the debconf package in sarge introduces a dependency on debconf-i18n, which was not needed for debconf in woody. More precisely, debconf-i18n does not exist in woody and will never become part of it.

APT provides a powerful dependency resolution algorithm which can handle upgrades from one Debian release to the next. The algorithm involves complex searches of the APT dependency graph and thus is not very powerful. Given that the set of packages within stable is immutable, using this algorithm is overkill for keeping a stable release up to date. Hence, a simplified version catering specifically for the requirements of Debian stable updates is also available.

Upgrading a stable system

Let us inspect the simplified version first, but not before updating the APT package database (see chapter 5.4.3).

~# apt-get update

Get:1 http://security.debian.org woody/updates/main Packages [189kB]

[...]

Reading Package Lists... Done

~# apt-get --show-upgraded upgrade

Reading Package Lists...

Building Dependency Tree...

The following packages will be upgraded

exim perl-base

2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Need to get 1256kB of archives. After unpacking 98.3kB will be freed.

Do you want to continue? [Y/n] y

Get:1 http://security.debian.org woody/updates/main perl-base 5.6.1-8.7 [497kB]

Get:2 http://security.debian.org woody/updates/main exim 3.35-1woody3 [759kB]

[...]

Setting up perl-base (5.6.1-8.7) ...

Setting up exim (3.35-1woody3) ...

[...]

The simplified algorithm uses package indices downloaded from the APT sources registered in /etc/apt/sources.list and compares the version numbers for each package that is installed on the local version. In the above example, perl-base was installed with version 5.6.1-8.6 prior to the update. When APT encountered perl-base while scanning the locally installed packages, it found that a newer version (5.6.1-8.7) was available on security.debian.org and thus downloaded the corresponding DEB file and called dpkg to install it.
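The version check at the heart of this scan, as an added example (not code from the book or from APT): it follows dpkg's ordering rules for `[epoch:]upstream[-revision]` strings and lists installed packages for which the index has something newer. The perl-base versions are the ones quoted above; every other entry in the sample data is constructed.

```python
import re

def _order(ch):
    """dpkg's character weight: '~' < end of string < letters < other symbols."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings, alternating text and digit runs."""
    while a or b:
        ta, a = re.match(r"(\D*)(.*)", a).groups()
        tb, b = re.match(r"(\D*)(.*)", b).groups()
        for i in range(max(len(ta), len(tb))):
            diff = _order(ta[i:i + 1]) - _order(tb[i:i + 1])
            if diff:
                return diff
        da, a = re.match(r"(\d*)(.*)", a).groups()
        db, b = re.match(r"(\d*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; a missing epoch counts as 0."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def pending_upgrades(installed, index):
    """Installed packages for which the index offers a strictly newer version."""
    return {p: (v, index[p]) for p, v in installed.items()
            if p in index and compare(index[p], v) > 0}

# Constructed sample: only the perl-base versions and the new exim version come from the text.
INSTALLED = {"perl-base": "5.6.1-8.6", "exim": "3.35-1woody2", "sed": "3.02-8"}
INDEX = {"perl-base": "5.6.1-8.7", "exim": "3.35-1woody3", "sed": "3.02-8",
         "debconf-i18n": "1.4.30"}
```

A plain string comparison would get cases such as 1.10 versus 1.9 wrong, which is why a security fix can only be detected reliably with the segment-wise rules.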

Executing this update/upgrade sequence on a regular basis will keep the system running smoothly and securely. It is even possible to have cron do this for you automatically (see chapter 5.11.4), although I suggest that only on the rarest occasions.

Upgrading to a new Debian release

When a new stable release comes around, this procedure will not produce the desired effect. Even though it will update a number of packages, APT will also hold back numerous packages, due to unsatisfiable dependencies. Remember: an APT upgrade will not install packages previously not present on the system; it only ever updates already installed packages.

~# sed -i -e s,woody,sarge, /etc/apt/sources.list

~# apt-get update

[...]

~# apt-get --show-upgraded upgrade

Reading Package Lists...

Building Dependency Tree...

The following packages have been kept back:

debconf [...]

The following packages will be upgraded

adduser apt apt-utils base-config base-files base-passwd [...]

APT does not upgrade debconf as it would require the installation of debconf-i18n. Thus, the debconf package is “kept back”. The upgrade algorithm thus enacts the requirements and guarantees of Debian stable.

When it is time to upgrade the entire system to sarge (to stick with the above example), you have to use APT’s sophisticated (and slower) upgrade mechanism: apt-get dist-upgrade.

~# apt-get --show-upgraded dist-upgrade

Reading Package Lists...

Building Dependency Tree...

The following packages will be REMOVED:

console-tools-libs libdigest-md5-perl libmime-base64-perl [...]

The following NEW packages will be installed:

aptitude coreutils debconf-i18n dselect e2fslibs [...]

The following packages will be upgraded

adduser apt apt-utils base-config base-files base-passwd [...]

[...]

351 packages upgraded, 100 newly installed, 6 to remove and 0 not upgraded.

Need to get 200MB of archives. After unpacking 231MB will be used.

Do you want to continue? [Y/n] y

Get:1 http://debian sarge/main libdb1-compat 2.1.3-7 [30.8kB]

Get:2 http://debian sarge/main libc6 2.3.2.ds1-13 [4929kB]

[...]

Setting up libc6 (2.3.2.ds1-13) ...

Setting up libdb1-compat (2.1.3-7) ...

[...]

With apt-get dist-upgrade, APT can pull in new packages (like debconf-i18n) and even remove packages that have been obsoleted. The actual installation of new packages, or the removal of old ones is again handled by dpkg.
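The difference between the two modes, and why debconf ends up "kept back", as an added example (a deliberately simplified model, not APT's resolver and not code from the book): `upgrade` may only replace installed packages, while `dist_upgrade` may also add and remove. The package names come from the transcripts above; the dependency and obsoletes data is constructed for illustration.

```python
# Constructed miniature of a woody system about to move to sarge.
INSTALLED = {"debconf", "adduser", "apt", "perl", "libdigest-md5-perl"}

# New release index: package -> (dependencies, packages it obsoletes).
# Illustrative relations only, not copied from the real archive.
SARGE = {
    "debconf": (["debconf-i18n"], []),
    "debconf-i18n": ([], []),
    "adduser": ([], []),
    "apt": ([], []),
    "perl": ([], ["libdigest-md5-perl"]),
}

def upgrade(installed, index):
    """Model of `apt-get upgrade`: never installs or removes a package."""
    upgraded, kept = set(), set()
    for pkg in installed & set(index):
        deps, obsoletes = index[pkg]
        # Upgradable only if nothing new is needed and nothing must go away.
        ok = set(deps) <= installed and not (set(obsoletes) & installed)
        (upgraded if ok else kept).add(pkg)
    return sorted(upgraded), sorted(kept)

def dist_upgrade(installed, index):
    """Model of `apt-get dist-upgrade`: may add and remove packages."""
    upgraded = installed & set(index)
    todo, new = list(upgraded), set()
    while todo:  # pull in missing dependencies transitively
        for dep in index[todo.pop()][0]:
            if dep not in installed and dep not in new:
                new.add(dep)
                todo.append(dep)
    removed = {o for p in upgraded | new for o in index[p][1]} & installed
    return sorted(upgraded), sorted(new), sorted(removed)
```

On the sample data, `upgrade` keeps back debconf and perl, while `dist_upgrade` upgrades all four, installs debconf-i18n and removes libdigest-md5-perl; reviewing the removal list before answering the confirmation prompt is the step this model makes visible.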

A couple of minutes [24] later, APT will have upgraded the system from woody to sarge. Since dpkg is still responsible for the actual installation, your carefully crafted configuration files will not have been modified (unless you chose to install the new versions). When a newer version of a software requires changes to the configuration files, the Debian maintainers will provide a different package so that you do not have to spend the entire afternoon getting your software to do what it should. For instance, bind9 uses a slightly different configuration paradigm than bind8, and hence a new package is provided [25]. On the other hand, postfix version 2.x works happily and identically with the configuration of a previous 1.x installation. Thus, the postfix maintainer deemed it appropriate not to produce a second package.

[24] This could also be hours and depends on the speed of the source medium. If you are upgrading Debian over a dialup line, it is probably best to leave it running over night. Of course, you can instead use a CD of the latest release and use that as your APT repository instead.

[25] In addition, some administrators may prefer to continue using bind and are thus not forced by APT to switch to a radically new software, but can plan for the migration themselves.

It should also be noted that an upgrade to the next Debian release does not require a reboot, and can easily be performed over an SSH connection on a remote server. Note the use of the code names woody and sarge rather than stable in the above examples. By sticking to named versions, the administrator can decide precisely when a system should be updated, rather than having to follow Debian’s schedule.

The previous stable release continues to enjoy support by the security team for months (or even years) after the release of a new stable version. Please refer to chapter 4.3.3 for more information.

Harnessing the ease of upgrades

Debian is not the only system capable of seamless upgrading. However, it seems to be the only one that combines seamless upgrades with the concept of a stable archive. We return to this point in chapter 4 so for the time being let us just note that the Debian stable release gives you the best of both worlds: on the one hand, you get a rock-solid system with components that have been through months of intensive scrutiny; on the other, you will be able to upgrade to the next stable release without much effort. For those willing to trade off some stability against currentness, the testing and unstable releases are available via the package management system in the same way. With the great number of fluctuations in these archives (especially in unstable), the robustness of the package management system becomes more and more important — APT will not break a sweat.

Debian users with permanent (or at least moderately speedy) Internet connections are notoriously known to make use of the power of seamless upgrades when installing new systems. No matter how old an installation medium is available, if it can install a base system and establish a network connection, it is all downhill from there and APT can take over to update the system to the latest stable release, or the current unstable version.
