Branch P11 Technical Notes
What's new in p11
General changes
- The repository is built against glibc version 2.38, which is pinned for
the entire lifetime of the repository.
- The directories /bin, /sbin and /lib* have been merged with their counterparts under /usr. On an existing system the migration happens when the filesystem package is upgraded to its p11 version; on a fresh p11 install, /bin, /sbin and /lib* are created from the start as symlinks to their counterparts under /usr.
- It is planned (no date has been fixed) to teach the installer to create a recovery partition when installing on a medium of sufficient size. The administrator will be able to disable its creation. The partition is meant to let a PC user or administrator restore the main system.
- The cgroup v1 subsystem is declared obsolete. The Linux kernel we ship still supports cgroup v1, but other components are dropping it or never supported it. We recommend that application developers target cgroup v2, and that administrators of applications still dependent on cgroup v1 consult the documentation of those services and keep running them on v1 at their own risk.
Security mechanisms. Software delivery
- The uid of the user nobody has been changed from 99 to 65534 (that is, 65536-2), which equals the overflowuid value in our kernels.
- Packages with the character ~ (tilde) in the version or release are now allowed in the repository. The tilde sorts lexicographically before anything else, including the end of the string, by analogy with sort -V; it is intended for pre-release versions such as 1.2~rc2, which then orders before 1.2. This does not affect the upgrade from p10.
- The openssl library shipped with the platform has been upgraded to branch 3.1; support for branch 1.1 has been discontinued, as upstream has also done.
- API, ABI and semantics have changed compared to p10. For example, at the default security level the library refuses to establish TLS 1.0 and TLS 1.1 connections, which a user reading logs will most likely see as a generic communication error. To regain support for one specific connection, a developer can, for example, call SSL_CTX_set_security_level(3) with level 0 on that context (or put @SECLEVEL=0 in its cipher string). Note that level 0 also relaxes the key-size and signature-algorithm checks, so do not lower the level system-wide in openssl.cnf.
- For details see the upstream migration guide.
- The apt-get program has learned to print the packages to be installed, removed or upgraded in columns.
- Before:
  The following extra packages will be installed:
    libOpenUSD0 libPtex2 libalembic1.8 libblosc libcudart libdcmtk18 libdraco libembree4-4 libgflags libharu2.4 libhdf5-310 liblog4cplus libopenCOLLADA libopenexrcore30 libopenimagedenoise2 libopenimageio2.5 libopenpgl0 libopenshadinglanguage1.13 libopensubdiv3.6.0 libopenvdb10.1 libpartio1 libspnav ocl-icd
  The following NEW packages will be installed:
    blender libOpenUSD0 libPtex2 libalembic1.8 libblosc libcudart libdcmtk18 libdraco libembree4-4 libgflags libharu2.4 libhdf5-310 liblog4cplus libopenCOLLADA libopenexrcore30 libopenimagedenoise2 libopenimageio2.5 libopenpgl0 libopenshadinglanguage1.13 libopensubdiv3.6.0 libopenvdb10.1 libpartio1 libspnav ocl-icd
  0 upgraded, 24 newly installed, 0 removed and 0 not upgraded.
- After:
  The following extra packages will be installed:
    libOpenUSD0    libdraco       libopenCOLLADA              libopensubdiv3.6.0
    libPtex2       libembree4-4   libopenexrcore30            libopenvdb10.1
    libalembic1.8  libgflags      libopenimagedenoise2        libpartio1
    libblosc       libharu2.4     libopenimageio2.5           libspnav
    libcudart      libhdf5-310    libopenpgl0                 ocl-icd
    libdcmtk18     liblog4cplus   libopenshadinglanguage1.13
  The following NEW packages will be installed:
    blender        libdcmtk18     liblog4cplus                libopenshadinglanguage1.13
    libOpenUSD0    libdraco       libopenCOLLADA              libopensubdiv3.6.0
    libPtex2       libembree4-4   libopenexrcore30            libopenvdb10.1
    libalembic1.8  libgflags      libopenimagedenoise2        libpartio1
    libblosc       libharu2.4     libopenimageio2.5           libspnav
    libcudart      libhdf5-310    libopenpgl0                 ocl-icd
  0 upgraded, 24 newly installed, 0 removed and 0 not upgraded.
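The tilde rule above is easy to get wrong when scripts compare package versions themselves. The following is an added example, not code from the platform's apt or rpm, of a segment-wise comparator that applies the rule (tilde sorts before everything, including end of string; numeric segments compare as integers; a number beats letters). It handles version strings only; epochs and the separate release field, which the real comparators also take into account, are left out. The version strings at the bottom are a constructed sample.

```python
import re
from functools import cmp_to_key

# Token classes: a run of digits, a run of letters, or the tilde itself.
# Any other character ('.', '-', '_', '+') only separates tokens.
_TOKEN = re.compile(r"~|[0-9]+|[A-Za-z]+")


def _tokens(version):
    return _TOKEN.findall(version)


def vercmp(a, b):
    """Return -1, 0 or 1 as version string a sorts before, equal to, or after b.

    Segment rules (after the rpm/dpkg family of comparators):
      * '~' sorts before anything, including the end of the string,
        so 1.2~rc2 < 1.2 while 1.2.1 > 1.2 and 1.2a > 1.2;
      * numeric segments compare as integers (1.10 > 1.9);
      * a numeric segment beats an alphabetic one; alphabetic segments
        compare as plain ASCII strings.
    """
    ta, tb = _tokens(a), _tokens(b)
    i = 0
    while True:
        xa = ta[i] if i < len(ta) else None
        xb = tb[i] if i < len(tb) else None
        if xa is None and xb is None:
            return 0
        # The tilde test comes first: it must beat even an exhausted string.
        if xa == "~" or xb == "~":
            if xa != "~":
                return 1
            if xb != "~":
                return -1
            i += 1
            continue
        if xa is None:
            return -1          # a is a proper prefix of b: a is older
        if xb is None:
            return 1
        if xa.isdigit() and xb.isdigit():
            c = (int(xa) > int(xb)) - (int(xa) < int(xb))
        elif xa.isdigit():
            c = 1              # number beats letters
        elif xb.isdigit():
            c = -1
        else:
            c = (xa > xb) - (xa < xb)
        if c:
            return c
        i += 1


def sort_versions(versions):
    """Oldest first."""
    return sorted(versions, key=cmp_to_key(vercmp))


def is_upgrade(installed, candidate):
    """True if the candidate is newer than what is installed."""
    return vercmp(installed, candidate) < 0


if __name__ == "__main__":
    # Constructed sample, not a real repository listing.
    sample = ["1.2", "1.2~rc2", "1.2.1", "1.2~rc10", "1.2~beta", "1.2a"]
    print(sort_versions(sample))
    print(is_upgrade("1.2~rc2", "1.2"), is_upgrade("1.2", "1.2~rc2"))
```

The same ordering can be checked against coreutils with printf '1.2~rc2\n1.2\n' | sort -V, which likewise puts 1.2~rc2 first; a script that instead sorts versions as plain strings would treat the release candidate as newer than the final release.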
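The openssl item above describes two practitioner tasks: recognising in logs that a peer was refused for speaking TLS 1.0/1.1, and re-enabling those versions for that one peer only. The block below is an added example, not code from the platform or from OpenSSL upstream. It uses Python's ssl module because on p11 it wraps the same OpenSSL 3 library and exposes the same security-level knob without a compile step. It filters constructed log lines (hosts, addresses and timestamps are made up; the quoted reason texts are OpenSSL's own error strings) and then builds a dedicated client context where "@SECLEVEL=0" in the cipher string plays the role of the SSL_CTX_set_security_level(ctx, 0) call.

```python
import ssl

# Constructed sample log lines, not taken from a real system. The reason
# texts after the last colon are OpenSSL's error strings as applications
# usually log them.
SAMPLE_LOG = [
    "May  2 10:00:01 relay smtp: TLS handshake with 10.0.0.5:465 failed: "
    "error:0A000102:SSL routines::unsupported protocol",
    "May  2 10:00:02 web httpd: client 192.0.2.7: SSL_accept failed: "
    "tlsv1 alert protocol version",
    "May  2 10:00:03 web httpd: client 192.0.2.8: SSL_accept failed: "
    "no protocols available",
    "May  2 10:00:04 web httpd: client 192.0.2.9: SSL_accept failed: "
    "certificate verify failed",
    "May  2 10:00:05 db pg: connection reset by peer",
]

# Reason strings OpenSSL emits when a peer's protocol version is rejected,
# locally or by the remote side's alert.
LEGACY_PROTOCOL_REASONS = (
    "unsupported protocol",
    "no protocols available",
    "tlsv1 alert protocol version",
    "version too low",
)


def is_legacy_protocol_failure(line):
    text = line.lower()
    return any(reason in text for reason in LEGACY_PROTOCOL_REASONS)


def legacy_protocol_failures(lines):
    """Keep only the lines that look like a TLS 1.0/1.1 peer being refused."""
    return [line for line in lines if is_legacy_protocol_failure(line)]


def legacy_tolerant_client_context():
    """A client context for the one legacy peer: TLS 1.0+ at security level 0.

    Two floors have to be lowered. Python's own default is TLS 1.2, so the
    minimum_version goes first; then "@SECLEVEL=0" in the cipher string is the
    cipher-string form of SSL_CTX_set_security_level(ctx, 0). Level 0 also
    drops the minimum key-size and signature-algorithm checks, which is why
    this belongs on a dedicated context and not in the system openssl.cnf.
    Certificate verification is left on.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    # Older Python releases expressed the floor as OP_NO_* flags; clear them too.
    ctx.options &= ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def allows_tls10(ctx):
    """True if the context's configured floor admits TLS 1.0."""
    return (ctx.minimum_version <= ssl.TLSVersion.TLSv1
            and not (ctx.options & ssl.OP_NO_TLSv1))


if __name__ == "__main__":
    for line in legacy_protocol_failures(SAMPLE_LOG):
        print("legacy-protocol refusal:", line)
    print("legacy context admits TLS 1.0:", allows_tls10(legacy_tolerant_client_context()))
```

The log filter is the triage step: the first three constructed lines are version refusals, the fourth is a certificate problem and the fifth is not TLS at all, so only the first three justify touching the security level. Whether the handshake then succeeds still depends on the peer; the context only removes the local refusal.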
System components
- The system /bin/sh script interpreter is now based on Bash 5.2 instead of Bash 4. We recommend that you read the list of changes from the GNU Bash upstream, that may include backwards incompatible changes.
- The systemd package has been upgraded to version 255; see the upstream list of changes.
- The UEFI shim program has been upgraded. On UEFI machines booting with Secure Boot enabled and the Microsoft-signed UEFI platform keys, the new boot loader refuses to load kernels from p10 and earlier platforms. Note: do not forget to install the kernel from p11 after upgrading packages! Also, do not spot-upgrade individual packages of the trusted boot chain (shim-signed, grub-efi, fwupd-efi, kernel-image-*): upgrade them together in one transaction, and do not reboot with the new shim but an old kernel, since that combination will not boot.
User interface. Web browsers. Means of communication
- The GNOME desktop environment and application package have been upgraded to branch 46.
- The Plasma 5 desktop environment and KDE applications have been upgraded; the KDE Frameworks release is 5.115.0. Plasma 6, released in spring 2024, is not planned for the p11 platform.
- MATE has been upgraded to 1.28.0.
- The default interactive shell /bin/bash has been upgraded to Bash 5.2.
- The PipeWire multimedia handling server has been upgraded to 1.0.7.
- Mesa has been upgraded to version 24.0.6.
- Firefox has been upgraded to 125.0.1; a conservative option of Firefox ESR 115.10 is available.
- Chromium has been upgraded to 124.0.6367.118.
- Firefox and Chromium web browsers are actively maintained as part of the repository lifecycle.
- Chromium-gost has been upgraded to 124.0.6367.78.
- The platform ships the official client for the Telegram messenger, telegram-desktop version 5.0.0. It is expected to be updated during the platform's life cycle.
Network connections and services
- iproute2 has been upgraded to version 6.8.
- Support for the rudimentary Template:Term action Template:Term has been removed from kernels and iproute2.
- mtr has been upgraded to version 0.95.
- Both variants of mtr, with and without the GTK interface, now send their probe packets through a single separate helper program and no longer use the set-uid bit. Both are governed by the one control facility mtr; the separate control facility for xmtr has been dropped.
- NetworkManager has been upgraded to version 1.46.0.
- NetworkManager can now derive the hostname from reverse DNS records and tries to use the systemd-resolved API for this. If systemd-resolved is not present on the system, NM runs the nm-daemon-helper program, which performs the lookup through NSS.
- Support for configuring IPv4 NAT in shared mode via nftables has been added. By default NM checks whether /usr/sbin/nft and /usr/sbin/iptables are installed and uses whichever is present, preferring nft.
- A random MAC address selection algorithm that depends on the SSID of the Wi-Fi network can now be enabled for a particular Wi-Fi connection by setting wifi.cloned-mac-address=stable-ssid.
- Multiple improvements to the DHCPv4 and DHCPv6 clients, including DHCPv6 Prefix Delegation, have been made.
- Multipath TCP support has been added. The parameter connection.mptcp-flags controls whether a connection's IP addresses may be used as MPTCP endpoints. NetworkManager does not manage MPTCP unless it is enabled in the kernel sysctl /proc/sys/net/mptcp/enabled; that setting is left to the administrator. Strict rp_filter (value 1) interferes with MPTCP in some cases, so NetworkManager switches rp_filter to 2 (loose) on interfaces where it manages MPTCP and otherwise leaves rp_filter untouched.
- For details see the upstream guide.
- The DPDK framework has been upgraded to version 23.11.0.
- The dynamic routing server BIRD has been upgraded to 2.15.
- The authoritative DNS server NSD has been upgraded to 4.9.1.
- The multifunctional DNS server BIND has been upgraded to 9.18.26.
- ISC DHCP support has been discontinued following upstream in favor of Kea. DHCP service administrators are encouraged to migrate their systems off the ISC DHCP server if possible.
- nginx with modules has been upgraded to version 1.24.0.
- Apache httpd has been upgraded to version 2.4.59.
- postfix has been upgraded to version 3.8.3.
Integrated solutions for group work
- The stable Samba 4.20 branch contains all upstream improvements, plus additional options:
- A parameter specifying the smbd socket read timeout in milliseconds.
- Support (Heimdal builds only) for the global option "ignore requester SID", added so that trust relationships work correctly with older versions of MS AD.
- The "client force DNS canonicalize hostname" parameter lets the client library try to resolve the canonical name of a host. This allows Kerberos authentication to services addressed through CNAME records without registering a separate SPN for each alias on the host.
- Kerberos has been upgraded to version 1.21.
Virtualization
- libvirt has been upgraded to version 10.2.0.
- The PVE virtualization system (Proxmox Virtual Environment) has been updated to version 8.1.
- Among other things, it now provides direct import of virtual machines from VMware.
- The Open vSwitch support package has been upgraded to 3.3.0.
- The OVN virtual network and network services controller has been upgraded to 24.03.1.
- The OCI container launcher tool runc has been upgraded to version 1.1.12.
- Support for the following major branches of Kubernetes is available in the platform: 1.28, 1.27, 1.26, 1.25, 1.23.
- The OpenUDS remote access toolkit has been upgraded to version 3.6.0.
Multimedia
- PipeWire has been upgraded to 1.0.7.
- In p11, the PipeWire package can act not only as a screen capture broker for xdg-desktop-portal, but also as an audio I/O server, e.g. instead of PulseAudio.
- The JACK audio I/O server has been removed from the repository in favor of pipewire-jack, the JACK compatibility layer for PipeWire.
- The Ardour digital audio workstation has been upgraded to version 8.6.
- The Audacity sound data editor has been upgraded to version 3.4.2.
- The FFmpeg codec and remuxer package has been upgraded to 6.1.1.
Developer tools
- The Rust toolchain has been upgraded to version 1.77.
- Two versions of the LLVM toolkit are available: 18 and 17. LLVM and Clang 18 are used by default, including for building firefox, chromium, telegram-desktop and other platform packages for which GCC gives worse results.
- The repository supports parallel installation of several major branches of the LLVM project. As with GCC, the utilities are installed with a suffix carrying the version number (e.g. clang-17), and an unsuffixed wrapper that invokes the command of the desired version is available.
- The set of GCC compilers, including the system compiler, has been upgraded to 13.2.
- binutils+gdb have been upgraded to 2.41.
- The system Python is now 3.12; all Python modules in the repository have been built for it.
- The Perl interpreter has been upgraded to branch 5.38.
- JDK branches 21, 17, and 11 are provided.
- The set of popular C++ libraries boost has been upgraded to 1.85.
- The toolchain for Golang programming language has been upgraded to 1.22; new versions will be released as the platform is maintained.
- Vulkan SDK has been upgraded to 1.3.277.
- docker-engine has been upgraded to version 26.1.0.
In-house developments
During the development of the p10 branch, in-house development was active on the ADMC and GPUI utilities and on the gpupdate group policy application mechanism. At the moment the application versions in p10 and p11 are kept in sync (we expect to keep them so). We plan to maintain this set of applications for p10 for a longer period of time.
- The ADMC utility provides a convenient domain management environment. Its stack includes a graphical shell, directory service configuration, client management, error protection, invocation of administrator tools and Kerberos-authenticated requests. The application retrieves domain information and talks to the controllers; switching between domain controllers is supported, and FSMO roles can be reassigned from within the application.
- The GPUI application lets you edit existing policies in a Samba domain in the same way as on Windows.
- The gpupdate tool, starting with version 0.10, uses dconf to store the settings it derives from Group Policy Objects. A general idea of gpupdate's functionality can be had from the list of its mechanisms: the developers have created more than 20 kinds of gpupdate mechanisms for computers and users, covering the desktop environment, system services and scripts, access restrictions, environment variables, browsers, and so on.
New tools
- ALT Diagnostic Tool (ADT) is a graphical utility for diagnosing the OS. ADT 0.1.3 uses a pre-prepared test suite, lets the user run the tests without additional privileges and presents a single view of the test report. A custom test suite can also be added to ADT.
- alterator-manager (provided in version 0.1.19) is an ADT component and modular service designed for configuration via D-Bus.
- alterator-module-executor is an ADT component and Alterator module for processing .backend files and running executables.
- libdomain is a versatile C library designed to simplify interaction with various LDAP servers, including FreeIPA, Samba/AD and OpenLDAP. libdomain 0.9.13 adds initial Samba support, a Samba test suite, TLS tests, and tests for adding, removing, modifying and renaming computers in OpenLDAP.
- alterator-browser 0.1.3 is a GUI to configure the system via D-Bus. It can display and run installed Alterator modules.