Debian 9 Stretch - Reproducible Builds, MariaDB, and the eth0 That Won't Come Back
Debian 9, codename Stretch, went stable on 17 June after twenty-six months of development, and it will be supported for five years. The release is dedicated to Ian Murdock, who founded the project in 1993, wrote the Debian Manifesto in 1994, and died in December 2015. If you run Debian, you run something he started in a university dorm and that now sits underneath several hundred derivative distributions, including the one most people mean when they say "Linux". That is a reasonable thing to pause on for a moment before getting to the changelog.
A Debian release is not exciting the way a product launch is exciting, and that is the entire point. Nobody ships Debian stable to be first. You ship it because in five years it will still boot, still take security updates, and still behave the way it did the day you installed it. The headline features reflect that temperament, and a couple of them are genuinely important rather than merely new.
What actually matters
Reproducible builds crossed 90%. This is the line in the announcement I would frame and hang on a wall, and almost nobody outside the project noticed it. Over ninety percent of the source packages in Stretch now build bit-for-bit identical binaries given the same source. That sounds like a pedantic build-system curiosity. It is actually the foundation of supply-chain trust. The threat it addresses is the one you cannot otherwise detect: a compromised build server, or a backdoored compiler, that produces a malicious binary from clean-looking source. If the build is reproducible, anyone can rebuild the package independently and compare hashes, and a tampered binary stops matching. You no longer have to trust Debian's build infrastructure. You can verify it. In a year where every other security story is about someone slipping code where it should not be, a distribution whose answer is "here, check our math" is doing something most of the industry is not.
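To make the "check our math" concrete, here is an added Python example (not Debian's own tooling, which works on real .deb files and records the build environment in a .buildinfo file). It builds a toy "package" twice with a naive strategy and twice with a reproducible one, compares SHA-256 digests the way an independent rebuilder would, and names the members that differ. The file names, contents and the SOURCE_DATE_EPOCH value are constructed.

```python
"""Toy reproducible-build check (added example, not Debian's tooling).

Builds a tiny "package" (a tar archive) twice per strategy and compares
SHA-256 digests, the check an independent rebuilder performs on a real .deb.
Member names, contents and the SOURCE_DATE_EPOCH value are constructed.
"""
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed "source tree": path inside the package -> file content.
SOURCE_FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"A toy package.\n",
}
# 2017-06-17T00:00:00Z, standing in for the SOURCE_DATE_EPOCH a real
# Debian build derives from the latest changelog entry.
SOURCE_DATE_EPOCH = 1497657600


def _add_member(tar, name, data, mtime, mode):
    """Append one regular file with fully specified header fields."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = mtime
    info.mode = mode
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    tar.addfile(info, io.BytesIO(data))


def build_naive(out: Path) -> Path:
    """Non-reproducible build: headers carry the wall clock and a per-run
    build id is baked into the package, so no two builds ever match."""
    with tarfile.open(out, "w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in SOURCE_FILES.items():
            _add_member(tar, name, data, int(time.time()), 0o644)
        stamp = f"built at {time.time_ns()} ns\n".encode()
        _add_member(tar, "usr/share/doc/hello/BUILD_ID", stamp,
                    int(time.time()), 0o644)
    return out


def build_reproducible(out: Path) -> Path:
    """Reproducible build: fixed mtime, fixed ownership, sorted member order,
    nothing derived from the build machine or the time of day."""
    with tarfile.open(out, "w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(SOURCE_FILES):
            mode = 0o755 if name.startswith("usr/bin/") else 0o644
            _add_member(tar, name, SOURCE_FILES[name], SOURCE_DATE_EPOCH, mode)
    return out


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def differing_members(tar_a: Path, tar_b: Path) -> list:
    """Members whose header or content differs between two archives, i.e.
    where nondeterminism crept in (a crude stand-in for diffoscope output)."""
    def snapshot(path):
        with tarfile.open(path) as tar:
            return {m.name: (m.mtime, m.uid, m.gid, m.mode,
                             tar.extractfile(m).read())
                    for m in tar.getmembers()}
    a, b = snapshot(tar_a), snapshot(tar_b)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def check(build, workdir: Path) -> dict:
    """Build twice into separate files, as two independent rebuilders would,
    and report whether the digests agree and which members disagree."""
    a = build(workdir / "build-a.tar")
    b = build(workdir / "build-b.tar")
    return {"match": sha256_of(a) == sha256_of(b),
            "differing": differing_members(a, b)}


def compare_strategies() -> dict:
    """Run the check for both strategies in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, build in (("naive", build_naive),
                             ("reproducible", build_reproducible)):
            workdir = Path(tmp) / label
            workdir.mkdir()
            results[label] = check(build, workdir)
    return results


if __name__ == "__main__":
    for label, result in compare_strategies().items():
        print(f"{label:13s} bit-for-bit match: {result['match']}"
              f"  differing members: {result['differing']}")
```

The two fixes in build_reproducible (a clock taken from the source rather than the machine, and ownership and ordering pinned rather than inherited) are the same ones the reproducible-builds effort applied across thousands of real packages; the naive build shows why a single embedded timestamp is enough to defeat the hash comparison.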
GnuPG moves to the modern 2.1 branch by default. Better defaults, elliptic-curve support, a more modular architecture, improved smartcard handling. If you care about your own keys, encrypted mail, or signing your own work, this is the branch you wanted and now do not have to fight the packaging to get.
MariaDB replaces MySQL as the default. Install the mysql-server package on Stretch and you get MariaDB 10.1, and an in-place upgrade migrates an existing MySQL 5.5 or 5.6 automatically. The motivation is not technical superiority so much as governance: a large part of the free-software world has never been comfortable with MySQL living inside Oracle, and MariaDB is the fork that stayed free. For most workloads it is a drop-in. The word "automatically" in that migration is doing a lot of work, though, which brings us to the part of this post you actually need.
There is also color worth noting: Firefox and Thunderbird are back under their real names, retiring Iceweasel and Icedove after more than a decade of trademark-driven rebranding. The kernel is 4.9, an LTS series. The X server can now run without root on common setups. UEFI support improved, including 32-bit firmware with a 64-bit kernel. All solid, none of it likely to ruin your evening.
What will ruin your evening
Stretch renames your network interfaces. This is the one that locks people out of remote servers, so read it twice. Stretch makes the so-called Predictable Network Interface Names the default. Your eth0 is now something like enp0s3 or ens18, derived from the device's physical location on the bus rather than the order the kernel happened to probe it. The rationale is sound: probe order is not actually stable across boots on multi-NIC hardware, so eth0 was never the guarantee people treated it as.
The problem is everything you pinned to eth0 and forgot about: the stanza in /etc/network/interfaces, the iptables rules that match -i eth0, your firewall scripts, your tc rules, your monitoring. After the upgrade and reboot, the interface those configs name does not exist, so it never comes up, and on a headless box in another room you have just locked yourself out with no network and no console.
You have two ways to handle it. The quick revert, when you simply want the old names back, is a kernel command line parameter. Edit /etc/default/grub, add it to the default cmdline, and update GRUB:
# in /etc/default/grub:
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
# then regenerate the boot configuration:
update-grub
The cleaner approach, if you would rather embrace the new scheme, is to find your interface's new name before you reboot into a config that references the old one, and update everything that named eth0 to match. ip link will show you the names systemd intends to use. Either choice is fine. Rebooting without making one of them is how the evening ends in a car trip to wherever the server physically lives.
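If you take the cleaner route, the tedious part is finding every file that still says eth0 and not missing one. The following added Python example (not Debian's tooling) audits configuration text for whole-name references to the old interface and rewrites them to the new one. The sample files are constructed, and enp0s3 is a placeholder for whatever your hardware gets; on the not-yet-rebooted Jessie box you can ask udev for the candidate names with udevadm test-builtin net_id /sys/class/net/eth0, which prints the ID_NET_NAME_* values the new scheme chooses from. The matching rule is the part worth reading: eth01 and veth0 are different devices and must be left alone, while eth0.100 and eth0:1 are a VLAN and an alias of eth0 and must be renamed with it.

```python
"""Audit configuration text for an interface's old kernel name and rewrite
it to the new predictable name.

Added example, not Debian's tooling. SAMPLE_CONFIGS is constructed; enp0s3
is a placeholder for the name udevadm reports for your own hardware.
"""
import re

OLD_NAME = "eth0"
NEW_NAME = "enp0s3"   # constructed placeholder

# Constructed sample files, including two decoys that must not match.
SAMPLE_CONFIGS = {
    "/etc/network/interfaces": """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1

auto eth0.100
iface eth0.100 inet static
    address 198.51.100.10/24
""",
    "/etc/firewall.sh": """\
#!/bin/sh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth01 -j DROP
tc qdisc add dev eth0 root fq_codel
ip link add veth0 type veth peer name veth1
""",
}


def name_pattern(name):
    """Match `name` as a whole interface name. A letter, digit, '_' or '-'
    directly before it (veth0) or a letter, digit or '_' directly after it
    (eth01) means a different device. A '.' or ':' after it (eth0.100,
    eth0:1) is a VLAN or alias *of* this device and is included."""
    return re.compile(r"(?<![A-Za-z0-9_-])" + re.escape(name)
                      + r"(?![A-Za-z0-9_])")


def find_references(text, old=OLD_NAME):
    """(line number, line) pairs that name the old interface."""
    pat = name_pattern(old)
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if pat.search(line)]


def rewrite(text, old=OLD_NAME, new=NEW_NAME):
    """Return (rewritten text, number of substitutions)."""
    return name_pattern(old).subn(new, text)


def audit(configs, old=OLD_NAME):
    """Map each path to the references found in it; clean files are omitted."""
    report = {}
    for path, text in configs.items():
        refs = find_references(text, old)
        if refs:
            report[path] = refs
    return report


def audit_files(paths, old=OLD_NAME):
    """The same audit over real files, read-only; unreadable paths are skipped."""
    configs = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                configs[path] = fh.read()
        except OSError:
            continue
    return audit(configs, old)


if __name__ == "__main__":
    for path, refs in audit(SAMPLE_CONFIGS).items():
        for lineno, line in refs:
            print(f"{path}:{lineno}: {line.strip()}")
    fixed, count = rewrite(SAMPLE_CONFIGS["/etc/firewall.sh"])
    print(f"\n{count} substitutions in /etc/firewall.sh:\n{fixed}")
```

Run audit_files over /etc/network/interfaces, anything under /etc/network/interfaces.d, your firewall and tc scripts and your monitoring configuration first, read the report, and only then apply rewrite to each file; a line the audit lists that you do not recognise is exactly the forgotten dependency the post is warning about.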
Back up your databases before the MariaDB migration. The automatic conversion is reliable, right up until the one time it is not, and the cost of a mysqldump of everything before you start is fifteen minutes against the cost of a corrupted production database, which is your weekend.
The upgrade itself
Assuming you have read the release notes, which you have, the mechanics are the usual Debian two-step. Point your sources at Stretch:
sed -i 's/jessie/stretch/g' /etc/apt/sources.list
# and the security line becomes:
# deb http://security.debian.org/ stretch/updates main
Then update, do the minimal upgrade first, then the full one that is allowed to add and remove packages:
apt update
apt upgrade
apt full-upgrade
reboot
The upgrade before full-upgrade is not superstition. It upgrades what it can without adding or removing packages, so if something goes wrong partway the system is still in a coherent state; only then is full-upgrade allowed to make the larger changes. After the reboot, confirm the kernel with uname -r, confirm your interfaces came up with ip a, and confirm the services you care about actually started.
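The blanket sed above does the job on a stock sources.list, but it also rewrites comments and anything else containing the string jessie. As an added example (not Debian's tooling), here is a Python version of the same step that touches only the suite field of deb and deb-src lines, reports which lines it changed, flags repositories that are not Debian mirrors so you can confirm they actually publish a stretch suite, and provides the post-check that nothing still points at jessie. The sample sources.list is constructed and packages.example.invalid is a placeholder host.

```python
"""Rewrite apt sources from jessie to stretch, touching only the suite field.

Added example, not Debian's tooling. SAMPLE is a constructed Jessie-era
/etc/apt/sources.list; packages.example.invalid is a placeholder host.
"""
from urllib.parse import urlparse

OLD, NEW = "jessie", "stretch"

SAMPLE = """\
# Debian 8 sources (constructed sample)
deb http://deb.debian.org/debian jessie main contrib
deb-src http://deb.debian.org/debian jessie main
deb http://security.debian.org/ jessie/updates main
deb http://deb.debian.org/debian jessie-updates main
deb http://deb.debian.org/debian jessie-backports main
deb [arch=amd64] https://packages.example.invalid/apt jessie main
"""


def split_source_line(line):
    """Return (tokens, suite index) for a deb/deb-src line, or (None, None)
    for blank lines, comments and anything apt would not treat as a source.
    Assumes an optional [opt=val] block contains no spaces."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("deb", "deb-src"):
        return None, None
    i = 1
    if tokens[i].startswith("["):
        i += 1
    if len(tokens) < i + 2:
        return None, None
    return tokens, i + 1        # tokens[i] is the URI, tokens[i + 1] the suite


def _is_debian_mirror(uri):
    host = urlparse(uri).hostname or ""
    return host == "debian.org" or host.endswith(".debian.org")


def migrate(text, old=OLD, new=NEW):
    """Return (new text, changed lines, lines to verify by hand).
    Only suites equal to `old` or starting with `old-` / `old/` are rewritten,
    so stretch-backports and stretch/updates come out right and every other
    suite (stable, a third-party codename) is left exactly as it was."""
    out, changed, verify = [], [], []
    for line in text.splitlines():
        tokens, si = split_source_line(line)
        if tokens is None or not (tokens[si] == old
                                  or tokens[si].startswith((old + "-", old + "/"))):
            out.append(line)    # comments, blank lines, other suites: untouched
            continue
        tokens[si] = new + tokens[si][len(old):]
        newline = " ".join(tokens)
        out.append(newline)
        changed.append(newline)
        if not _is_debian_mirror(tokens[si - 1]):
            verify.append(newline)   # may not offer a stretch suite at all
    return "\n".join(out) + "\n", changed, verify


def leftover(text, old=OLD):
    """Non-comment lines that still mention the old codename: the post-check."""
    return [l for l in text.splitlines()
            if old in l and not l.lstrip().startswith("#")]


if __name__ == "__main__":
    new_text, changed, verify = migrate(SAMPLE)
    print(new_text)
    print(f"{len(changed)} lines rewritten; still mentioning {OLD}: {leftover(new_text)}")
    for line in verify:
        print("verify this repository publishes a stretch suite:", line)
```

In practice you would read /etc/apt/sources.list and each file under /etc/apt/sources.list.d, run migrate over each, write the result back only once leftover returns nothing you did not expect, and look at every line in the verify list before apt update, because a third-party repository that never published a stretch suite is a far more common upgrade failure than a typo in a mirror URL.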
Why this is the distribution worth running
Stretch is not going to trend. There is no growth hack, no keynote, no logo for any of its features. Its flagship achievement this year is that you can mathematically verify the project did not tamper with the binaries it shipped you, and its second most important property is that it will still be quietly taking security patches in 2022 while three generations of trendier things have come and gone.
That is the whole pitch, and after a year of branded vulnerabilities with their own websites, the quiet, boring, reproducible adult in the room is exactly what I want underneath the machines I actually depend on. Read the release notes, back up your databases, find out what your eth0 is called now, and then reboot. Stretch will be there for half a decade. Spend the twenty minutes to land on it properly.