Os Debian 12

Key Features

Non-Free Firmware Policy Change

The single largest policy shift in Debian history. Bookworm officially bundles non-free firmware in the installer and adds non-free-firmware as a separate archive component.

# Check if non-free-firmware is enabled
grep -r "non-free-firmware" /etc/apt/sources.list /etc/apt/sources.list.d/

# Enable it (add to components)
# deb http://deb.debian.org/debian bookworm main contrib non-free-firmware

# Install common firmware
apt update && apt install firmware-linux firmware-linux-nonfree

Previously, non-free firmware required a separate "unofficial" ISO. This change means:

• Official ISOs now include hardware firmware (Wi-Fi, GPU, NIC)
• non-free-firmware is a separate component from non-free
• Systems upgraded from Bullseye may need to add this component manually

Secure Boot on ARM64

Extended Secure Boot signing to the ARM64 architecture (previously x86_64 only).

# Check Secure Boot state
mokutil --sb-state

# Check architecture
uname -m  # aarch64 for ARM64

# Verify shim is installed
dpkg -l shim-signed

Merged /usr

/bin, /sbin, /lib are now symlinks into /usr:

/bin  -> /usr/bin
/sbin -> /usr/sbin
/lib  -> /usr/lib

Unmerged systems are deprecated. This aligns Debian with most modern Linux distributions.

PipeWire Default Audio

PipeWire replaces PulseAudio as the default audio stack for desktop installs:

# Check if PipeWire is running
systemctl --user status pipewire pipewire-pulse wireplumber

# PulseAudio compatibility layer
pactl info  # should show PipeWire as server name

OpenSSL 3.0

Major version jump from 1.1.1. Legacy algorithms disabled by default:

openssl version                      # should show 3.x
openssl list -providers              # show loaded providers

# Check for lingering libssl1.1
ldconfig -p | grep libssl.so.1.1     # should be absent on clean install

Applications using the deprecated ENGINE API must be updated to the provider model.

deb822 Sources Format

Modern preferred format for APT sources (/etc/apt/sources.list.d/*.sources):

Types: deb deb-src
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main contrib non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Supports per-repo Signed-By, Architectures, Languages, and Enabled: no toggles.

Common Pitfalls

1. Not adding non-free-firmware after upgrading from Bullseye -- hardware may lack firmware updates
2. Assuming non-free and non-free-firmware are the same -- they are separate components
3. Scripts with hardcoded paths to /bin or /sbin -- work due to symlinks but should be updated
4. OpenSSL ENGINE-based applications breaking -- must migrate to 3.0 provider model
5. PulseAudio-specific configs not working -- PipeWire's PulseAudio compatibility is good but not perfect
6. Ignoring deb822 format -- legacy sources.list still works but lacks Signed-By per-repo
7. Not checking dmesg for firmware failures -- missing firmware shows as direct firmware load errors
8. ARM64 Secure Boot key enrollment issues -- verify shim-signed is installed

Version Boundaries

• Kernel: 6.1 LTS
• Python: 3.11
• OpenSSL: 3.0
• systemd: 252
• Audio: PipeWire (default desktop)
• /usr merge: default
• non-free-firmware: new archive component
• Sources format: deb822 preferred; legacy supported
• Status: standard security support until ~June 2026

Reference Files

Load for deep knowledge:

• ../references/architecture.md -- package management, release process
• ../references/diagnostics.md -- apt diagnostics, debsecan, reportbug
• ../references/best-practices.md -- hardening, backports, upgrades