Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Debian 12 (Quick) Review

Debian 12, “bullseye”. Image purloined off of someone’s website, can’t even remember who at this point.

Debian 12 “Bookworm” was recently released, and there sure does seem to be a lot of hoopla and excitement. I know of a few Ubuntu people that are moving over to it, and when multiple people start making noise like that, I have to take a look as well.

My history with previous versions of Debian is not good. Over the years, I’ve tried many Linux distributions, and Debian never made it very high up the list. This is me speaking about it from the perspective of managing several publicly accessible production servers running Ubuntu, although I do have one internal system running Home Assistant on Debian 11. I recently did a blog post about setting up Home Assistant Supervised, and all of the negative things I said involved Debian.

I’m not saying that the decision I made a long time ago to centralize on Ubuntu was the best one, but at the time this was a good fit for my needs. And truthfully I think it still is. But instead of simply dismissing Debian 12 outright, I decided to give it a good look. Besides, as it is getting such positive reviews and I have a somewhat major home server project coming up, I thought I at least needed to revisit it.

The List

I have a quick list of things that I need out of a Linux distribution, based upon either things I have learned or things I’ve needed to support. Here are a few items that are considered critical.

  • Ease of use. Early on I’d monitor for when new kernels were released and I’d manually patch them from a private branch of the kernel I’d set up where I’d add in my own modifications. These included security patches from other people as well as a few I wrote myself. There was one incident where a system got owned (it did involve a fellow NMRC member and their drinking buddy) because I hadn’t found the time to add the latest patch. It took a while, but as Linus Torvalds got better at adding more security-related patches into the kernel and the whole package manager thing improved, I felt less and less of a need for this level of detail. I mean, it’s hard enough running one’s own email server, let alone managing kernels by hand, and not doing kernel patching freed up tons of time. So it was going to be either RPMs or DEBs, which seemed the easiest route to consider. The more “it just works out of the box” the better.

  • Desktop and server systems. I considered running one distribution for servers and one for desktops, but thought it might be easier to simply make it mainly one distribution. I say “mainly” because I knew there could potentially be exceptions to that rule, but I wanted to keep things as consistent as possible. So there should be positive experiences on both platforms. Debian was a bit of a struggle at times, usually because of not running the latest versions of packages like OpenOffice which might have features I needed. I am aware flatpak can solve a lot of these issues, but then again we start to leave that straight-out-of-the-box ease-of-use territory.

  • Getting information. If I needed to do something odd, chances are someone has tried it on Ubuntu and a write-up about it is easily found via search engines. This is invaluable during problem-solving. I had already run into issues with that during the Home Assistant load, where Debian 11 situations weren’t nearly as easy to find, but playing into the “ease of use” angle, being able to almost instantly find helpful information is hands down an extremely strong item in Ubuntu’s pocket.

  • Odd things. I have a few odd things I need to support that are deemed game-changers, such as the ability to handle sendmail, nginx, and whatnot, but I also needed to support Duo Security’s Duo for Unix two-factor authentication for remote SSH access. Experimentation showed I had fewer issues with Ubuntu; in fact I had zero issues with Ubuntu. Debian was not without its challenges, mainly the ability to play nice with libpam using Duo for Unix.

  • Security. There needs to be timely patches. I’ve mentioned this elsewhere, but when I was at MITRE and worked on the CVE project, to settle the office argument between Linux nerds about which distribution was the most secure, we monitored the date and time each vendor would release information about when a patch was available. I’d say in well over 95% of the cases, Ubuntu patched quicker. This was verified for several of the distributions by looking at the timestamps on packages, in case email notifications were delayed for whatever reason.

The last item was by far the most important one. And while one can argue that patching within a day is fine (some of the original alerts about patches by Ubuntu would only beat everyone else by a few hours or even minutes), there has been one more aspect to consider - applications are not always the latest versions under Debian, and some of those applications could have security features I wish to take advantage of.

Curiosity

I ran a poll on Mastodon, where I specifically asked about running Debian vs Ubuntu. I was genuinely curious what people thought about it, and did this about halfway through my testing. I was genuinely surprised how many people were running Debian (or at least spoke up about it) in my rather non-scientific poll. Here are the results:

A poll I conducted on Mastodon.

This was interesting, as I had no idea Debian was so common amongst security folks (most of my followers on Mastodon are in Infosec), so I was anxious to finish up testing.

Testing

The load of Debian 12 was conducted on a test system. I was not highly concerned with performance; my main concern was the list above, with security and ease-of-use the two biggest issues. I loaded up the system with the Gnome desktop and used it for a few days. It was decent, but this required a heavy investment in flatpak to get the latest and greatest of most applications. For example, if I wanted to use LibreOffice with the latest features, I had to uninstall LibreOffice and reinstall it with flatpak.

While this might not seem like a concern for some people, for me I had to consider the fact that if an existing application is updated upstream and Debian’s version is not, then deciding to migrate it to flatpak means I have to make sure that I know where all of the app’s data is stored and make a backup. Not impossible, but it definitely takes away from that “ease of use” requirement.

On the test system I did a fresh load of Debian 11 and did an upgrade to 12, plus I did a fresh install of just 12. I could not uninstall perl-modules, syslog wasn’t loaded (specifically rsyslog), there is no NTP client by default (and finding it was a chore), and 12 used more RAM than 11. There were a few errors with DNS as systemd-resolved is not a part of an upgrade. Python 3.11 is a bit of a mess: it is apparently now “externally managed”, which breaks pip installs, so you have to work in a virtual environment. I mentioned Duo for Unix as having issues, but I think this is mainly problems with libpam - certain settings didn’t seem to work dealing with switching between public key authentication and password authentication.
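The “externally managed” behaviour above comes from the PEP 668 marker file that Debian 12 places in the Python 3.11 standard library directory; pip refuses to modify the distro-managed site-packages when it finds it. The script below is an added example, not code from the original post: it detects that marker the same way pip does and routes installs through a venv instead. The venv path `./venv` and the top-level report are constructed for illustration.

```sh
#!/bin/sh
# Added example (not the author's code). Debian 12 ships Python 3.11 with a
# PEP 668 "EXTERNALLY-MANAGED" marker in the stdlib directory, which makes a
# plain "pip install" refuse to touch the system site-packages. These helpers
# detect the marker and install into a venv so the distro packages stay intact.

# marker_present STDLIB_DIR: succeed if the PEP 668 marker file is in that directory.
marker_present() {
    [ -f "$1/EXTERNALLY-MANAGED" ]
}

# externally_managed [PYTHON]: ask the interpreter where its stdlib lives and
# check for the marker there (this is the file pip itself looks for).
# Returns 2 if the interpreter cannot be run at all.
externally_managed() {
    py="${1:-python3}"
    stdlib=$("$py" -c 'import sysconfig; print(sysconfig.get_path("stdlib"))') || return 2
    marker_present "$stdlib"
}

# pip_install VENV_DIR PACKAGE...: install into a venv, creating it if needed.
# The venv's own pip does the work, so the system site-packages is never modified.
pip_install() {
    venv="$1"; shift
    [ -x "$venv/bin/python" ] || python3 -m venv "$venv" || return 1
    "$venv/bin/python" -m pip install "$@"
}

# Constructed top-level report (no installs are performed here; see usage note).
if externally_managed python3; then
    echo "python3 is externally managed (PEP 668): use pip_install ./venv <package>"
else
    echo "python3 allows direct pip installs"
fi
```

Source the file and call `pip_install ./venv <package>` to install into the venv; run scripts with `./venv/bin/python` so they see the packages installed there. Checking the marker rather than parsing pip's error message keeps the check identical to pip's own logic, and the helpers work unchanged on a system without the marker.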

I’m not reporting exact errors because I don’t deem my testing to be thorough, I simply took a System76 Lemur Pro and started loading things up for first impressions. The idea is that if I could make a decision fairly quickly, I would, and not waste more time - especially since I already had a tried and true solution in place.

Verdict

I’m sticking with Ubuntu for now for servers. The clincher was the Python issue on Debian 12. I have too much of a dependency on Python 3.11 and I don’t want to rewrite half my Python stuff to use pipx and virtualenv, particularly when a lot of the Python code I run was downloaded from somewhere else. My main Linux laptop is running PopOS, the latest version of which just works well, and I have no issues with it. I cannot run Debian 12 on the Home Assistant server (incompatibility; I strongly suspect the Python issues) but will continue to use Debian 11 for that particular deployment as it is pretty much a requirement for running Home Assistant in Supervised mode.

It mainly comes down to security and convenience, and to quote someone from Mastodon, “I’m old and I just want stuff to work so I can have a glass of wine.” In my case, it’s probably tea, but yeah, same basic thing.
