Freexian Collaborators: Debian Contributions: DebConf 25, OpenSSH upgrades, Cross compilation collaboration and more! (by Anupa Ann Joseph)
Debian Contributions: 2025-07
Contributing to Debian
is part of Freexian s mission. This article
covers the latest achievements of Freexian and their collaborators. All of this
is made possible by organizations subscribing to our Long Term Support contracts
and consulting services.
DebConf 25, by Stefano Rivera and Santiago Ruano Rinc n
In July, DebConf 25 was held in Brest, France.
Freexian was a gold sponsor and most of the Freexian team attended the event.
Many fruitful discussions were had amongst our team and within the Debian
community.
DebConf itself was organized by a local team in Brest, that included Santiago
(who now lives in Uruguay). Stefano was also deeply involved in the
organization, as a DebConf committee member, core video team, and the lead
developer for the conference website. Running the conference took an enormous
amount of work, consuming all of Stefano and Santiago s time for most of July.
Lucas Kanashiro was active in the DebConf content team, reviewing talks and
scheduling them. There were many last-minute changes to make during the event.
Anupa Ann Joseph was part of the Debian publicity team doing live coverage of
DebConf 25 and was part of the DebConf 25 content team reviewing the talks.
She also assisted the local team to procure the lanyards.
Recorded sessions presented by Freexian collaborators, often alongside other
friends in Debian, included:
- Welcome to Debconf 25!
(Santiago, Anupa, and others)
- Debian.net Team BoF
(Stefano and others)
- Publicity Team BoF
(Anupa and others)
- Using Debusine to pre-test your unstable uploads
(Colin)
- Reviving (un)schroot?
(Helmut)
- Debusine Workflow BoF
(Enrico and Colin)
- Debian LTS BoF
(Lucas, Santiago, and others)
- Meet the Technical Committee
(Stefano, Helmut, and others)
- Debian Python BoF
(Stefano)
- Cross building BoF
(Helmut)
- Debian Outreach Session
(Lucas)
- Meet the people behind Debian Artwork
(Anupa and others)
- debian.social BoF
(Stefano and others)
- DebConf Committee BoF
(Stefano and others)
- Salsa CI BoF
(Santiago and others)
- DebConf 27: In your city?
(Stefano and others)
- Closing Ceremony
(Santiago and many others)
OpenSSH upgrades, by Colin Watson
Towards the end of a release cycle, people tend to do more upgrade testing, and
this sometimes results in interesting problems. Manfred Stock reported
No new SSH connections possible during large part of upgrade to Debian Trixie ,
which would have affected many people upgrading from Debian 12 (bookworm), with
potentially severe consequences for people upgrading remote systems. In fact,
there were two independent problems that each led to much the same symptom:
-
As part of hardening the OpenSSH server, OpenSSH 9.8 split the monolithic
sshd listener process into two pieces: a minimal network listener (still
called sshd), and an sshd-session process dealing with each individual
session. Before this change, when sshd received an incoming connection, it
forked and re-executed itself with some special parameters to deal with it;
after this change, it forks and executes sshd-session instead, and sshd no
longer accepts the parameters it used to accept for this.
Debian package upgrades happen (roughly) in two phases: first we unpack the new
files onto disk, and then we run some configuration steps which usually include
things like restarting services. Normally this is fine, because the old service
keeps on working until it s restarted. In this case, unpacking the new files
onto disk immediately stopped new SSH connections from working: the old sshd
received the connection and tried to hand it off to a freshly-executed copy of
the new sshd binary on disk, which no longer supports this. This wasn t much
of a problem when upgrading OpenSSH on its own or with a small number of other
packages, but in release upgrades it left a large gap when you can t SSH to the
system any more, and if anything fails in that interval then you could be in
trouble.
After trying a couple of other approaches, Colin landed on the idea of having
the openssh-server package divert /usr/sbin/sshd to
/usr/sbin/sshd.session-split before the unpack step of an upgrade from before
9.8, then removing the diversion and moving the new file into place once it s
ready to restart the service. This reduces the period when new connections fail
to a minimum.
-
Most OpenSSH processes, including
sshd, check for a compatible version of
the OpenSSL library when they start up. This check used to be very picky, among
other things requiring both the major and minor part of the version number to
match. OpenSSL 3 has a better versioning policy,
and so OpenSSH 9.4p1 relaxed this check.
Unfortunately, bookworm shipped with OpenSSH 9.2p1, so as soon as you unpacked
the new OpenSSL library during an upgrade, sshd stopped working. This
couldn t be fixed by a change in trixie; we needed to change bookworm in advance
of the upgrade so that it would tolerate newer versions of OpenSSL, and time was
tight if we wanted this to be available before the release of Debian 13.
Fortunately, there s a
stable-updates
mechanism for exactly this sort of thing, and the stable release managers kindly
accepted Colin s proposal to fix this there.
The net result is that if you apply updates to bookworm (including
stable-updates / bookworm-updates, which is enabled by default) before
starting the upgrade to trixie, everything should be fine.
Cross compilation collaboration, by Helmut Grohne
Supporting cross building in Debian packages touches lots of areas of the
archive and quite some of these matters reside in shared responsibility between
different teams. Hence, DebConf was an ideal opportunity to settle long-standing
issues.
- Fortran: agreements reached on how to proceed
(thanks to Alastair McKinstry)
- Go: agreements reached on how to proceed
(thanks to Mathias Gibbens)
- Perl: fixed long-standing pkg-config interaction problem
(thanks to gregor herrmann)
- Python: no conclusion reached regarding dependency duplication
(
python3-dev:any, libpython3-dev) yet
- Qt/KDE: found a way forward for
kconf_update (thanks to Aur lien COUDERC)
- Ruby: fixed problem affecting any ruby extension build
(thanks to Lucas)
The cross building bof
sparked lively discussions as a significant
fraction of developers employ cross builds to get their work done. In the
trixie release, about two thirds of the packages can satisfy their cross
Build-Depends and about half of the packages actually can be cross built.
Miscellaneous contributions
- Rapha l Hertzog updated tracker.debian.org to remove
references to Debian 10 which was moved to
archive.debian.org, and had many fruitful discussions
related to Debusine during DebConf 25.
- Carles Pina prepared some data, questions and information for the DebConf 25
l10n and i18n BoF.
- Carles Pina demoed and discussed possible next steps for
po-debconf-manager
with different teams in DebConf 25. He also reviewed Catalan translations and
sent them to the packages.
- Carles Pina started investigating a django-compressor bug:
reproduced the bug consistently and prepared a PR for django-compressor upstream
(likely more details next month). Looked at packaging
frictionless-py.
- Stefano Rivera triaged Python CVEs against pypy3.
- Stefano prepared an upload of a new upstream release of pypy3 to Debian
experimental (due to the freeze).
- Stefano uploaded python3.14 RC1 to Debian experimental.
- Thorsten Alteholz uploaded a new upstream version of sane-airscan to
experimental. He also started to work on a new upstream version of hplip.
- Colin backported fixes for CVE-2025-50181
and CVE-2025-50182 in python-urllib3, and
fixed several other release-critical or important bugs in Python team packages.
- Lucas uploaded ruby3.4 to experimental as a starting point for the
ruby-defaults transition that will happen after Trixie release.
- Lucas coordinated with the Release team the fix of the remaining RC bugs
involving ruby packages, and got them all fixed.
- Lucas, as part of the Debian Ruby team, kicked off discussions to improve
internal process/tooling.
- Lucas, as part of the Debian Outreach team, engaged in multiple discussions
around internship programs we run and also what else we could do to improve
outreach in the Debian project.
- Lucas joined the Local groups BoF during DebConf 25 and shared all the good
experiences from the Brazilian community and committed to help to document
everything to try to support other groups.
- Helmut spent significant time with Samuel Thibault on improving architecture
cross bootstrap for
hurd-any mostly reviewing Samuel s patches. He proposed a
patch for improving bash s detection of its pipesize
and a change to dpkg-shlibdeps to improve behavior for building cross toolchains.
- Helmut reiterated the multiarch policy proposal
with a lot of help from Nattie Mayer-Hutchings, Rhonda D Vine and Stuart Prescott.
- Helmut finished his work on the process based unschroot prototype
that was the main feature of his talk (see above).
- Helmut analyzed a multiarch-related
glibc upgrade failure
induced by a /usr-move mitigation of systemd and sent a patch and regression
fix both of which reached trixie in time. Thanks to Aurelien Jarno and the
release team for their timely cooperation.
- Helmut resurrected an earlier discussion about changing the semantics of
Architecture: all packages in a multiarch context in order to improve the
long-standing interpreter problem. With help from Tollef Fog Heen better
semantics were discovered and agreement was reached with Guillem Jover and
Julian Andres Klode to consider this change. The idea is to record a concrete
architecture for every Architecture: all package in the dpkg database and
enable choosing it as non-native.
- Helmut implemented type hints for piuparts.
- Helmut reviewed and improved
a patch set of Jochen Sprickerhof for
debvm.
- Anupa was involved in discussions with the Debian Women team during DebConf 25.
- Anupa started working for the trixie release coverage and started coordinating
release parties.
- Emilio helped coordinate the release of Debian 13 trixie.
- Welcome to Debconf 25! (Santiago, Anupa, and others)
- Debian.net Team BoF (Stefano and others)
- Publicity Team BoF (Anupa and others)
- Using Debusine to pre-test your unstable uploads (Colin)
- Reviving (un)schroot? (Helmut)
- Debusine Workflow BoF (Enrico and Colin)
- Debian LTS BoF (Lucas, Santiago, and others)
- Meet the Technical Committee (Stefano, Helmut, and others)
- Debian Python BoF (Stefano)
- Cross building BoF (Helmut)
- Debian Outreach Session (Lucas)
- Meet the people behind Debian Artwork (Anupa and others)
- debian.social BoF (Stefano and others)
- DebConf Committee BoF (Stefano and others)
- Salsa CI BoF (Santiago and others)
- DebConf 27: In your city? (Stefano and others)
- Closing Ceremony (Santiago and many others)
OpenSSH upgrades, by Colin Watson
Towards the end of a release cycle, people tend to do more upgrade testing, and
this sometimes results in interesting problems. Manfred Stock reported
No new SSH connections possible during large part of upgrade to Debian Trixie ,
which would have affected many people upgrading from Debian 12 (bookworm), with
potentially severe consequences for people upgrading remote systems. In fact,
there were two independent problems that each led to much the same symptom:
-
As part of hardening the OpenSSH server, OpenSSH 9.8 split the monolithic
sshd listener process into two pieces: a minimal network listener (still
called sshd), and an sshd-session process dealing with each individual
session. Before this change, when sshd received an incoming connection, it
forked and re-executed itself with some special parameters to deal with it;
after this change, it forks and executes sshd-session instead, and sshd no
longer accepts the parameters it used to accept for this.
Debian package upgrades happen (roughly) in two phases: first we unpack the new
files onto disk, and then we run some configuration steps which usually include
things like restarting services. Normally this is fine, because the old service
keeps on working until it s restarted. In this case, unpacking the new files
onto disk immediately stopped new SSH connections from working: the old sshd
received the connection and tried to hand it off to a freshly-executed copy of
the new sshd binary on disk, which no longer supports this. This wasn t much
of a problem when upgrading OpenSSH on its own or with a small number of other
packages, but in release upgrades it left a large gap when you can t SSH to the
system any more, and if anything fails in that interval then you could be in
trouble.
After trying a couple of other approaches, Colin landed on the idea of having
the openssh-server package divert /usr/sbin/sshd to
/usr/sbin/sshd.session-split before the unpack step of an upgrade from before
9.8, then removing the diversion and moving the new file into place once it s
ready to restart the service. This reduces the period when new connections fail
to a minimum.
-
Most OpenSSH processes, including
sshd, check for a compatible version of
the OpenSSL library when they start up. This check used to be very picky, among
other things requiring both the major and minor part of the version number to
match. OpenSSL 3 has a better versioning policy,
and so OpenSSH 9.4p1 relaxed this check.
Unfortunately, bookworm shipped with OpenSSH 9.2p1, so as soon as you unpacked
the new OpenSSL library during an upgrade, sshd stopped working. This
couldn t be fixed by a change in trixie; we needed to change bookworm in advance
of the upgrade so that it would tolerate newer versions of OpenSSL, and time was
tight if we wanted this to be available before the release of Debian 13.
Fortunately, there s a
stable-updates
mechanism for exactly this sort of thing, and the stable release managers kindly
accepted Colin s proposal to fix this there.
The net result is that if you apply updates to bookworm (including
stable-updates / bookworm-updates, which is enabled by default) before
starting the upgrade to trixie, everything should be fine.
Cross compilation collaboration, by Helmut Grohne
Supporting cross building in Debian packages touches lots of areas of the
archive and quite some of these matters reside in shared responsibility between
different teams. Hence, DebConf was an ideal opportunity to settle long-standing
issues.
- Fortran: agreements reached on how to proceed
(thanks to Alastair McKinstry)
- Go: agreements reached on how to proceed
(thanks to Mathias Gibbens)
- Perl: fixed long-standing pkg-config interaction problem
(thanks to gregor herrmann)
- Python: no conclusion reached regarding dependency duplication
(
python3-dev:any, libpython3-dev) yet
- Qt/KDE: found a way forward for
kconf_update (thanks to Aur lien COUDERC)
- Ruby: fixed problem affecting any ruby extension build
(thanks to Lucas)
The cross building bof
sparked lively discussions as a significant
fraction of developers employ cross builds to get their work done. In the
trixie release, about two thirds of the packages can satisfy their cross
Build-Depends and about half of the packages actually can be cross built.
Miscellaneous contributions
- Rapha l Hertzog updated tracker.debian.org to remove
references to Debian 10 which was moved to
archive.debian.org, and had many fruitful discussions
related to Debusine during DebConf 25.
- Carles Pina prepared some data, questions and information for the DebConf 25
l10n and i18n BoF.
- Carles Pina demoed and discussed possible next steps for
po-debconf-manager
with different teams in DebConf 25. He also reviewed Catalan translations and
sent them to the packages.
- Carles Pina started investigating a django-compressor bug:
reproduced the bug consistently and prepared a PR for django-compressor upstream
(likely more details next month). Looked at packaging
frictionless-py.
- Stefano Rivera triaged Python CVEs against pypy3.
- Stefano prepared an upload of a new upstream release of pypy3 to Debian
experimental (due to the freeze).
- Stefano uploaded python3.14 RC1 to Debian experimental.
- Thorsten Alteholz uploaded a new upstream version of sane-airscan to
experimental. He also started to work on a new upstream version of hplip.
- Colin backported fixes for CVE-2025-50181
and CVE-2025-50182 in python-urllib3, and
fixed several other release-critical or important bugs in Python team packages.
- Lucas uploaded ruby3.4 to experimental as a starting point for the
ruby-defaults transition that will happen after Trixie release.
- Lucas coordinated with the Release team the fix of the remaining RC bugs
involving ruby packages, and got them all fixed.
- Lucas, as part of the Debian Ruby team, kicked off discussions to improve
internal process/tooling.
- Lucas, as part of the Debian Outreach team, engaged in multiple discussions
around internship programs we run and also what else we could do to improve
outreach in the Debian project.
- Lucas joined the Local groups BoF during DebConf 25 and shared all the good
experiences from the Brazilian community and committed to help to document
everything to try to support other groups.
- Helmut spent significant time with Samuel Thibault on improving architecture
cross bootstrap for
hurd-any mostly reviewing Samuel s patches. He proposed a
patch for improving bash s detection of its pipesize
and a change to dpkg-shlibdeps to improve behavior for building cross toolchains.
- Helmut reiterated the multiarch policy proposal
with a lot of help from Nattie Mayer-Hutchings, Rhonda D Vine and Stuart Prescott.
- Helmut finished his work on the process based unschroot prototype
that was the main feature of his talk (see above).
- Helmut analyzed a multiarch-related
glibc upgrade failure
induced by a /usr-move mitigation of systemd and sent a patch and regression
fix both of which reached trixie in time. Thanks to Aurelien Jarno and the
release team for their timely cooperation.
- Helmut resurrected an earlier discussion about changing the semantics of
Architecture: all packages in a multiarch context in order to improve the
long-standing interpreter problem. With help from Tollef Fog Heen better
semantics were discovered and agreement was reached with Guillem Jover and
Julian Andres Klode to consider this change. The idea is to record a concrete
architecture for every Architecture: all package in the dpkg database and
enable choosing it as non-native.
- Helmut implemented type hints for piuparts.
- Helmut reviewed and improved
a patch set of Jochen Sprickerhof for
debvm.
- Anupa was involved in discussions with the Debian Women team during DebConf 25.
- Anupa started working for the trixie release coverage and started coordinating
release parties.
- Emilio helped coordinate the release of Debian 13 trixie.
sshd listener process into two pieces: a minimal network listener (still
called sshd), and an sshd-session process dealing with each individual
session. Before this change, when sshd received an incoming connection, it
forked and re-executed itself with some special parameters to deal with it;
after this change, it forks and executes sshd-session instead, and sshd no
longer accepts the parameters it used to accept for this.Debian package upgrades happen (roughly) in two phases: first we unpack the new files onto disk, and then we run some configuration steps which usually include things like restarting services. Normally this is fine, because the old service keeps on working until it s restarted. In this case, unpacking the new files onto disk immediately stopped new SSH connections from working: the old
sshd
received the connection and tried to hand it off to a freshly-executed copy of
the new sshd binary on disk, which no longer supports this. This wasn t much
of a problem when upgrading OpenSSH on its own or with a small number of other
packages, but in release upgrades it left a large gap when you can t SSH to the
system any more, and if anything fails in that interval then you could be in
trouble.After trying a couple of other approaches, Colin landed on the idea of having the
openssh-server package divert /usr/sbin/sshd to
/usr/sbin/sshd.session-split before the unpack step of an upgrade from before
9.8, then removing the diversion and moving the new file into place once it s
ready to restart the service. This reduces the period when new connections fail
to a minimum.
sshd, check for a compatible version of
the OpenSSL library when they start up. This check used to be very picky, among
other things requiring both the major and minor part of the version number to
match. OpenSSL 3 has a better versioning policy,
and so OpenSSH 9.4p1 relaxed this check.Unfortunately, bookworm shipped with OpenSSH 9.2p1, so as soon as you unpacked the new OpenSSL library during an upgrade,
sshd stopped working. This
couldn t be fixed by a change in trixie; we needed to change bookworm in advance
of the upgrade so that it would tolerate newer versions of OpenSSL, and time was
tight if we wanted this to be available before the release of Debian 13.Fortunately, there s a
stable-updates
mechanism for exactly this sort of thing, and the stable release managers kindly
accepted Colin s proposal to fix this there.
- Fortran: agreements reached on how to proceed (thanks to Alastair McKinstry)
- Go: agreements reached on how to proceed (thanks to Mathias Gibbens)
- Perl: fixed long-standing pkg-config interaction problem (thanks to gregor herrmann)
- Python: no conclusion reached regarding dependency duplication
(
python3-dev:any, libpython3-dev) yet - Qt/KDE: found a way forward for
kconf_update(thanks to Aur lien COUDERC) - Ruby: fixed problem affecting any ruby extension build (thanks to Lucas)
trixie release, about two thirds of the packages can satisfy their cross
Build-Depends and about half of the packages actually can be cross built.
Miscellaneous contributions
- Rapha l Hertzog updated tracker.debian.org to remove
references to Debian 10 which was moved to
archive.debian.org, and had many fruitful discussions
related to Debusine during DebConf 25.
- Carles Pina prepared some data, questions and information for the DebConf 25
l10n and i18n BoF.
- Carles Pina demoed and discussed possible next steps for
po-debconf-manager
with different teams in DebConf 25. He also reviewed Catalan translations and
sent them to the packages.
- Carles Pina started investigating a django-compressor bug:
reproduced the bug consistently and prepared a PR for django-compressor upstream
(likely more details next month). Looked at packaging
frictionless-py.
- Stefano Rivera triaged Python CVEs against pypy3.
- Stefano prepared an upload of a new upstream release of pypy3 to Debian
experimental (due to the freeze).
- Stefano uploaded python3.14 RC1 to Debian experimental.
- Thorsten Alteholz uploaded a new upstream version of sane-airscan to
experimental. He also started to work on a new upstream version of hplip.
- Colin backported fixes for CVE-2025-50181
and CVE-2025-50182 in python-urllib3, and
fixed several other release-critical or important bugs in Python team packages.
- Lucas uploaded ruby3.4 to experimental as a starting point for the
ruby-defaults transition that will happen after Trixie release.
- Lucas coordinated with the Release team the fix of the remaining RC bugs
involving ruby packages, and got them all fixed.
- Lucas, as part of the Debian Ruby team, kicked off discussions to improve
internal process/tooling.
- Lucas, as part of the Debian Outreach team, engaged in multiple discussions
around internship programs we run and also what else we could do to improve
outreach in the Debian project.
- Lucas joined the Local groups BoF during DebConf 25 and shared all the good
experiences from the Brazilian community and committed to help to document
everything to try to support other groups.
- Helmut spent significant time with Samuel Thibault on improving architecture
cross bootstrap for
hurd-any mostly reviewing Samuel s patches. He proposed a
patch for improving bash s detection of its pipesize
and a change to dpkg-shlibdeps to improve behavior for building cross toolchains.
- Helmut reiterated the multiarch policy proposal
with a lot of help from Nattie Mayer-Hutchings, Rhonda D Vine and Stuart Prescott.
- Helmut finished his work on the process based unschroot prototype
that was the main feature of his talk (see above).
- Helmut analyzed a multiarch-related
glibc upgrade failure
induced by a /usr-move mitigation of systemd and sent a patch and regression
fix both of which reached trixie in time. Thanks to Aurelien Jarno and the
release team for their timely cooperation.
- Helmut resurrected an earlier discussion about changing the semantics of
Architecture: all packages in a multiarch context in order to improve the
long-standing interpreter problem. With help from Tollef Fog Heen better
semantics were discovered and agreement was reached with Guillem Jover and
Julian Andres Klode to consider this change. The idea is to record a concrete
architecture for every Architecture: all package in the dpkg database and
enable choosing it as non-native.
- Helmut implemented type hints for piuparts.
- Helmut reviewed and improved
a patch set of Jochen Sprickerhof for
debvm.
- Anupa was involved in discussions with the Debian Women team during DebConf 25.
- Anupa started working for the trixie release coverage and started coordinating
release parties.
- Emilio helped coordinate the release of Debian 13 trixie.
hurd-any mostly reviewing Samuel s patches. He proposed a
patch for improving bash s detection of its pipesize
and a change to dpkg-shlibdeps to improve behavior for building cross toolchains.glibc upgrade failure
induced by a /usr-move mitigation of systemd and sent a patch and regression
fix both of which reached trixie in time. Thanks to Aurelien Jarno and the
release team for their timely cooperation.Architecture: all packages in a multiarch context in order to improve the
long-standing interpreter problem. With help from Tollef Fog Heen better
semantics were discovered and agreement was reached with Guillem Jover and
Julian Andres Klode to consider this change. The idea is to record a concrete
architecture for every Architecture: all package in the dpkg database and
enable choosing it as non-native.debvm.
This is the report for the 
This month, the Reproducible Builds project restarted our IRC meetings, managing to convene twice: the first time on October 12th (
as zack has