> Even better, there is a little-advertised utility called extrepo that has a curated list of external repositories users might want to enable for Debian. To enable the Mozilla repository, for example, a user only needs to install extrepo, run "extrepo enable mozilla" as root (or with sudo), update the package cache, and look for the regular Firefox package. In all, extrepo includes more than 160 external repositories for applications like Docker CE, Signal, and Syncthing. Unfortunately, the extrepo utility does not have a separate "list" command to show the available repositories, though running "extrepo search" with no search parameter will return all of its DEB822-formatted repository entries.
TIL. What a superpower!
I was thrilled to learn about this, too. I wasn't aware of it even as a long-time Debian user.
However, trying the specific example that was listed in the article, I installed extrepo and enabled the mozilla repo. Unfortunately, firefox is not installable on trixie in it's current form because it depends on libasound2 and the trixie package is called libasound2t64. : (
I learned about extrepo when trying out LibreWolf. Then I realized theres plenty of stuff on extrepo I could install. No more curl installs or third-party package sources for me mostly.
This repo has a list of extrepo stuff - https://salsa.debian.org/extrepo-team/extrepo-data/-/tree/ma...
what's the difference with PPAs?
the main reason i always fall back to Ubuntu is bc everyone has a PPA for it. Sometimes the PPA also works for Debian, but its 50/50 (from what i understand its not an official thing under Debian?)
AppImages have aleviated this.. but appimagelauncher is broken under Ubuntu and theyre annoying to integrate manually
Does it enable access to software-properties-common?
Installed trixie a few days ago and test driving it and it's been going very well. Coming from Ubuntu so it wasn't a big change but initially I went with Ubuntu many years ago due to its reputation in making Debian a more user-friendly distribution. I can say that my experience with trixie was quite friendly. This may have been the case for a few releases but I was invested in the Ubuntu platform so didn't see the need to switch.
Was bummed to see firefox at version 128 as I've been missing features from the more recent versions. I don't know how I'm going to address that yet as I prefer not to add external apt sources, if I can. This is on a desktop system so somewhat recent versions of software is desirable.
What do other people do for desktop systems? Go with testing/unstable or just another distro for desktops?
I work in the refurb division of an ewaste recycling company[0]. Due to the certifications we have (and the lack of MS licensing), we can't install Windows on anything we sell. I started off installing Debian on things I list, but switched to Mint. I've fallen in love with the OEM install option they have[1]. It sets up a pre-OOBE environment, letting me run things like fastfetch to get the system specs, then click the 'prepare for shipping to end user' command to trigger the user and password setup on next boot (so I don't have to set and write a password on a postit note on the laptop, and hope it doesn't get lost).
[0] https://www.ebay.com/str/evolutionecycling
[1] https://linuxmint-installation-guide.readthedocs.io/en/lates...
> bummed to see firefox at version 128
I believe that is because Debian ships Firefox "Extended Support Release" (ESR) as a security precaution, and the firefox-esr package[1] is quite out of date in absolute terms.
If you want the newest Firefox (not ESR), just add Mozilla's own repo instead: https://blog.mozilla.org/en/mozilla/4-reasons-to-try-mozilla...
I tried debian several times over the years, but it was with bookworm (debian 12) that i decided to make the switch on all my PCs and laptops, macbook included.
(mainly, it was the fact that the installer finally included firmwares out of the box which made installing much, much easier on laptops)
Because i want updated packages, the first thing i do is enable backports (otherwise i think that trixie still comes with kicad 5? hugh!) and do a full upgrade.
as for firefox, debian's repositories use firefox esr, which is why you are still on 128. There are instructions on firefox's site on how to switch to the regular release channels, just do that. If you can't trust firefox's own sources i don't know how you can trust debian's.
Debian + KDE is my favourite combo. I don't do anything different for desktop. When there was the debian 13 freeze i simply waited a couple of days, edited the sources to point at trixie and did a full-upgrade and an autoremove to clean old stuff. That's it.
How do you find the hardware compatibility to be? I've been keen to switch away from Ubuntu for years now and Debian would be my first choice but I'm wary of having problems e.g. with Nvidia GPUs, random peripheral devices such as printers and scanners, all of which mostly "just work" with Ubuntu. For this reason I'm leaning more towards Linux Mint but I'd like to be persuaded on Debian.
I don't consider outdated packages to be a problem on any distro because I just use Nix (which doesn't interfere with other package managers) whenever I want a more recent package.
I know that's not your point and I'm not saying this to cherry-pick your argument but in case that's particularly relevant to you, Debian Trixie ships with Kicad 9 : https://packages.debian.org/trixie/kicad. If you're stuck with an earlier version, maybe you have a dependency blocking your updates.
You can always work with backports! It's the way Debian has to bring more recent packages to older stable versions.
https://backports.debian.org/Instructions/
If I'm not mistaken, repo is already included by default, so you just need:
''' # apt install -t trixie-backports <package> '''
This will install backported package _and_ dependencies, so you will be good to go :)
I've been happy with Fedora for my personal systems, and it's the only blessed distro at work for those who don't want Windows or Mac.
Heck, I use Fedora Server as my homelab OS to run Incus. Works For Me.
Nothing against Fedora and the rpm-based platforms but I prefer the debian-derived distros. My preference is due to Debian feeling like a community project rather than being driven by corporate interests. Ubuntu was doing for a while but that started changing a few years ago.
> Heck, I use Fedora Server as my homelab OS to run Incus. Works For Me.
In your case I guess it makes sense since you have to run Fedora at work, but I was under the impression that the support for Incus (i.e. official packaging etc) was better on Debian.
if you want a newer firefox use flatpak, don't pollute your system with unofficial debs or source installs
These kinds of statements suit servers with high availability requirements but really shouldn’t be made without context. Adding the Mozilla Debian Firefox repos probably won’t break anything catastrophic, and the time cost / risk of containers is non zero too.
I’ve had more trouble and time wasted with snap Firefox than I’ve had with official Mozilla repos under both Debian and Ubuntu.
flatpak is not snap
I see testing as a better fit for general-purpose desktop setups, stable is a bit too conservative in that regard.
That is true, at least for laptops that came to market after the respective Debian release.
You can however get all stability of a released version with newer packages if you use stable+backports. This would give you a stable system, and allow you to upgrade selected packages to newer versions. This can be tedious, so running testing is also possible.
And well, overall, you can also install other distributions that are bleeding-edge (Arch based?). That's why I like about the distro ecosystem :)
I've been on Debian 11 for a few years and I'm installing 13 on another disk (dual booting until it's ready for my job.)
I did not use the Firefox coming with 11 and I won't use the ESR version in 13. I downloaded the deb from Mozilla's site once and it autoupdated itself up to the current version. No problem at all. I'll do the same on 13.
Mozilla have an apt source you can add. No manual dpkg required.
Doesn’t that give Mozilla the ability to replace any package on one’s computer?
I trust Debian, and I trust the Debian Firefox team to secure Firefox, but I do not trust Mozilla.
Same here. Only stick up is that for those with NVidia GPU's (yes...) for some reason the kernel headers don't install when you install the driver, plus the secure boot signing simply does not work (Ubuntu, Fedora, they all manage OOTB). I see it is generating MOK stuff, but it does not work. Because of that, it's pretty hard to troubleshoot. Plus, Debian-provided drivers do not work/enable at all on Optimus machines, and not a single option (I tried them all, except those no longer available) on the Debian wiki. (Let's hope the Arch colab works out.)
I solved all of the above by switching to the NVidia Cuda repo (well, I did not reenable Secure Boot, so not sure if that would work now).
No mention of backports in this article as an alternative to tracking testing if you want (some) newer packages.
The Libreoffice 5.8 (which was just released very recently) is already packaged in backports for trixie for instance. Did things like updated KDE desktops make it to backports for bookworm?
While being an avid Debian user on both server and desktop, I had never heard of the Extrepo[0] package mentioned in the article. It would be great if the repositories included in there would suggest this way of adding their repo. While it cannot guarantee the safety of added packages, it at least add an extra layer of checks.
Another useful thing from the article for me was `apt modernize-sources` to update the existing sources.list to the new structure. Now I need to check if scripts like this run automatically on my auto-updating desktop from my parents.
> apt modernize-sources
What I lack with the "modern" `sources.list.d/` file schema is a command to perform common types of edits. Something like `extrepo` but generic and with knowledge of Debian repos/dists. It's a small thing but I want to be able to type commands like
apt-sources available # prints known dists, marked by their support status
apt-sources list # prints all active dists
apt-sources add trixie # or "testing", "unstable", "sid"
apt-sources remove bookworm
apt-sources dist-upgrade # combo of the previous two
I love Debian, but it does have some weaknesses. For example with virtualization, when you enable SR-IOV, apparmor goes bananas. With AlmaLinux + SELinux there are no problems. I use both Debian and AlmaLinux on my servers, and with that combo I feel I get the best of the best. But I think AlmaLinux is more polished and that SELinux is superior to apparmor.
The biggest problem with Debian 13 is not with Debian, it's with people like Google and Cloudflare.
Come on guys, Debian 13 has been in testing for months, and you can't be arsed to update your apt repos from bookworm to trixie by release, or even weeks after release? That's embarrassing.
~ sudo apt update --audit
[...]
Hit:8 https://packages.cloud.google.com/apt google-compute-engine-bookworm-stable InRelease
Hit:10 https://packages.cloud.google.com/apt cloud-sdk-bookworm InRelease
Hit:11 https://pkg.cloudflareclient.com bookworm InRelease
Hit:12 https://pkg.cloudflare.com/cloudflared bookworm InRelease
[...]
Fetched 407 kB in 2s (222 kB/s)
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Warning: https://pkg.cloudflare.com/cloudflared/dists/any/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://pkg.cloudflare.com/cloudflared/dists/any/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on FBA8C0EE63617C5EED695C43254B391D8CACCBF8 is not bound:
No binding signature at time 2025-08-21T15:58:52Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
The Nvidia CUDA repos are still on Debian 12 as well which was a blocker for me. (Some claim it works fine anyways, but not in my experience.)
It's not like the Debian release schedule is a secret, I suspect there's just less corporate pressure to prioritize Debian.
NVidia bookworm repo worked fine on all my machines. What did not work for you? I deduced there wasn't really anything Debian-12 specific in there (it's still a Linux kernel with SystemD).
Can someone explain why we are still using a umask of 022 in ubuntu and debian?
Would it really be so hard to make that switch to a more privacy focused umask?
Because in June 2005 the simple response to the Debian bug filed in September 2004 was to comment the global setting out of /etc/login.defs rather than change it to 0027. And after some back and forth there's now the explanation in /etc/login.defs that you can read today (q.v.).
Doesn't feel like much of an explanation to me.
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.That comment was in Bullseye. In Trixie's /etc/login.defs the comment is gone.
With Trixie, PAM's "User Private Groups" are by default enabled and default umask thus is 002 instead of 022.
(Personally, I'm irritated by the rather silent way this invasive change got introduced -- it is mentioned in /usr/share/doc/libpam-modules/NEWS.Debian.gz together with instructions to restore the old behavior.)
Ah the classic "There is no One True Answer so it's ok to default to a bad answer".
And also, some tools still break when using the non-default umask.
Yes, yes, we all run Postgres in containers, but if you don't, and you upgrade to a new Postgres major version, gladly using the Debian scripts that make it all more comfortable, while using umask 027, you will enjoy your day. Though I don't remember if those upgrade-scripts where from Debian proper or from Postgres.
Since that experience I always wondered what other tools may have such bugs lurking around.
> Truly adventurous users may take their chances with the unstable ("sid") release.
been running "unstable" since 2007 as my daily driver, work-horse, dev-machine, ... Not once faced a "problem" I couldn't recover from. Not once a restore from backup of the main OS due to something the upgrade or OS had caused, no booting from a rescue-image. For something that comes without warranty and has "unstable" in it's name, it's pretty solid.
Apples and oranges of course, but it holds up also well compared to Windows (which tbf, has gotten more stable since Win98), or even compared to MacOS that also crashes at times even after version MacOS 9.x (which was when MacOS became usable in the sense of "stability").
> been running "unstable" since 2007 as my daily driver, work-horse, dev-machine, ... Not once faced a "problem" I couldn't recover from.
To be fair, sid had various bugs leading to unbootable systems since then. While it's possible to recover in such situations without re-installation or data loss, I believe that makes the term "unstable" quite fitting.
Yeah, the distro for "Truly adventurous users" has never broken in a decade of use by myself and is essentially as bleeding edge as Arch.
It's just old ideas that get repeated even once they stop being true.
Just to be devil's advocate here, and pedantically point out that Debian Sid is not a "distro", I don't think it's correct to say that Debian unstable is "actually stable", because it's "unstable" from the perspective of Debian, not from a subjective, individual experience.
Debian release cycles have a strong focus on stability, and for those situations where it matters, like running a production server, that is a pretty important feature. Just because your desktop never broke doesn't mean it's not "unstable", it's more of a disclaimer that if you put serious things on top of it and it breaks, that's much more on you because you chose to go against maintainer advice.
For me personally, with exception of the Enterprise Linux family (Alma, Rocky etc.), there's no Linux distribution I'd rather run on a workhorse, production, long term deployment server than Debian.
Well with a lot of packages, including from 3rd party repos, and only seldomly doing upgrades, one can get pretty stuck in resolver hell.. of course, noone to blame for the frankendebian approach but myself xD
Never been a Sid user (occasionally for specific packages) but I do find articles like these amusing - for me the transition from testing to stable is usually where I say goodbye to a Debian release. So farewell Trixie! Onto forky I go.
I’ve had a few instances of X not starting, over the years. Nothing terrible, and that’s as much down to me using nvidia cards as anything.
Isn’t it also unstable in that packages may be removed or updated which could break your workflows?
There’s a small number of packages unavailable in Deb 13 that exist in 12. I assume at some point all of them existed in pre-stable trixie.
(AFAIK that's the only thing "unstable" means: no guarantee any given package will stay there)
Unstable means that updates could change things about your system that you rely on. This could be a package getting removed, but it could also be a package upgrade that necessitates a change to your workflow or code running on the system..
Does it have BBR3? Serious q. Have tried home-brew kernels for bookworm but want factory paint on the car.
As far as I know, BBR3 is not in the mainline Linux kernel, so obviously it will not be in Debian by default.
From https://groups.google.com/g/bbr-dev/c/i-sZpfwPx-I/m/0jmNry0A... :
> To make sure we're all on the same page: currently the TCP BBR code in Linux is BBRv1. We are working on getting BBRv3 upstream into Linux TCP.
> BBRv1 is definitely not ready to be the default on any Linux distribution. Whether BBRv3 is ready to be a distribution default is arguable.
Wish it was a klm. The FreeBSD model is (in that regard) easier to work with, from the Netflix stuff.
I'm running somebody's rebase tracking things. 6.13 I believe. Worked on one box, not on another. Oh well. Doubly irritating is that the sysctl only flags bbr not which version.
I was hoping for a review from a server perspective. That's where Debian shines in my opinion. I feel like the desktop part is a secondary priority for them. That's not a criticism, there's no other distribution I would use in production if it where my choice. On the desktop though they are a bit too stable. Even if one uses testing or unstable the focus on long term versions is still there.
> On the desktop though they are a bit too stable.
You're obviously correct here. But perhaps there are users who prefer stable packages on the desktop too. Corporate users most likely (yes, there are such users too). It helps with their security strategy and a development environment similar to their server.
To be very honest, I think the stable security-oriented approach is better than that of a rapid update distro. You should probably use an overlay package manager like flatpak, mise (for dev tools) or even Nix/Guix for anything modern. Preferably something with minimal installs and good sandboxing features. Please let us know if anybody has better suggestions to offer.
I'm such a user. Been mostly running on debian/stable since the 90-ies. At work and privately. I cheated when I got a new computer in the beginning of August this year and installed Trixie a couple of weeks before release.
My reasoning is quite simple: I really don't need the latest versions of everything. Were computers useful two years ago? Yeah? OK then, then a computer is obviously useful today with software that is two years old. I'll get the new software eventually, with most of the kinks ironed out. And I've had time to read up on the changes before they just hit me in the face.
Sure, it was a bit painful with hardware support some twenty years ago or so, but I can barely remember the last time that was an issue.
For the very few select pieces of software where stable doesn't quite cut it there's backports, fasttrack and other side channels.
I prefer stable packages on my desktop and laptop, both for professional and for personal use. I hate the current Javascript/Python/Rust bleeding-edge, left-pad, if you haven updated to yesterday’s latest version which breaks compatibility with everything culture.
I like to build things which last. I like to craft a software system and then use it for decades, moving it from machine to machine and intentionally upgrading the components at my pace.
I use Debian Stable on my laptop and workstation. Most packages you don't need newer versions. I don't need the latest version of Gnome or Gedit or whatever.
I don't understand why people like the rigmarole of constantly updating their systems. The only things that come down the wire are security updates.
Installer newer software can be managed. I use the following strategy:
- For Discord / Slack / <something that needs to be the newest>. I can normally use Flatpak.
- Use a third party repo. For Brave, Node and some other things. I use their repository.
- Open source stuff. For smaller stuff that is easy to compile from source e.g. vim / neo-vim I just compile from source so I have the newest versions.
- Python Apps / NPM tooling. I install them in my local user directory.
- Docker is installed in rootless mode.
> On the desktop though they are a bit too stable.
>> You're obviously correct here.
It's neither obvious nor correct, the "stability vs. features" expected is completely subjective. I run Debian Stable on my desktop because I've almost never encountered needing newer versions of anything, and when I did I could usually jump to testing (i.e. the upcoming release) rather than unstable, and even then the next release usually wasn't that far away, so it was still very stable.
As other commenters have pointed out, you can run Debian Sid (unstable), but I'll also agree that if that is what you want long-term then maybe running something like Arch makes more sense anyway.
I'm one of those users, but only because I don't need the be on the bleeding edge.
The only problem I had on Debian 11 desktop was related to the new openssh libraries. I could not install the latest nodes and rubies because 11 had older libraries. However there are workarounds related to providing some environment variables (from memory: some legacy_providers_*) so after a little googling I made them work on my dev machine (and on some old server from a customer of mine.) I'm installing Debian 13 in these days so no more workarounds, for a few years.
Everything else worked fine. I don't install much on this machine: no flatpacks, no appimages, no snaps (I left Ubuntu because of them.) Only debs and docker images. I install languages through their language manager, never through the OS: I could have only one version of them, which is useless. Same about databases. There are hardly two projects on the same language and db version. I could be using LibreOffice and GIMP from 20 years ago: they already had all the features I need.
In my experience, corporate users have moved on to using containers(or VMs) for their development environments.
It's a tricky thing to solve. One the one hand, you don't want your system to stop working due to an update but also want to keep the software you use updated, both in terms of security and functionality.
Mark Shuttleworth talked about this many years ago before snaps were introduced as a solution to this. The idea at the time was that a rolling release distro is too much of a hassle to maintain and even the 6-month cycle was getting to be too much. So he talked about having a stable core with a long release cycle and rolling releases for software that need to be frequently updated, both desktop and server software. The idea was great but the details of the execution left a bitter taste for many users.
Indeed, with the tmpfs move (tmp in RAM) however it sounds like they have more Desktops in mind.
You don't want to use RAM for tmp files for which you probably can't do capacity planning, and you don't to enable swap on server either.
I honestly don't understand that change, as most desktops are RAM limited as well, especially as Debian is regularly used for older machines, which aren't supported by Windows 11 anymore.
Is it common for scripts to download multiple gigabytes to /tmp?
I sometimes manually changed the /tmp to be in memory, or used /dev/shm which by default is in memory. Did not run into any problems just yet, but then again it's just a home server.
[dead]