The back story
I recently described in a Fedi thread how I was trying to be a good doobie and use Firefox instead of Chrome, but was disappointed with Firefox’s performance on my Ubuntu desktop.
In response, several people said maybe the problem wasn’t Firefox so much as Ubuntu, and recommended Debian as an alternative. However, if the problem were just Ubuntu, then Chrome would be bad too. It is reasonable to hold the developers of Firefox responsible for the fact that their browser doesn’t perform nearly as well as Chrome on the same platform.
However, it’s true that Firefox ships as a snap and Ubuntu heavily encourages third-party packages to use snaps. Mozilla can’t be entirely blamed for packaging Firefox as a snap for Ubuntu, given that encouragement. People in the thread pointed out that there’s a good chance that the snap packaging is a significant contributor to the problems I’m seeing.
I’ve installed Debian occasionally in virtual machines for debugging Debian issues with my own packages [example], but I’d never installed it on real hardware or used it as my desktop. Over 30+ years I went from Slackware, to Red Hat, to Fedora, to Ubuntu. I’ve contemplated trying out Debian before but never felt quite motivated enough. This discussion gave me enough of an incentive, so I spend the weekend reinstalling one of my laptops with Debian. Here are my initial impressions and a detailed inventory of the issues I encountered.
Executive summary
Overall, Debian is a solid, usable operating system which has nearly all the functionality I need. Having said that, I have concerns.
- The Debian installer (the graphical one, at least; I didn’t try the text one) is mediocre and makes a bad initial impression on users wanting a modern user experience.
- Its ancient bug-tracking system also provides a poor user experience and suggests that the Debian project does not invest enough effort into infrastructure and best practices.
- I noted several instances where Debian developers have made demonstrably poor design choices that are at odds with industry best practices and refused to reconsider.
- I don’t think Debian takes security seriously enough.
- The fact that Debian is a decentralized, volunteer-run organization makes it unlikely that these concerns will be addressed.
I am happy enough with Debian that moving forward I will probably choose it over Ubuntu. However, this is only because I am a highly technical user who is capable of fixing any problems I come across. I do not think Debian is a good choice for less technical users looking for a desktop operating system to use instead of Windows or macOS.
On the question that started this all, i.e., Firefox performance, Firefox on Debian appears to be much better than on Ubuntu. However, there is a caveat. The computer where I was having most of the Firefox issues has been upgraded many times, and I’ve run into a number of issues where things didn’t work right there but worked fine on my other Ubuntu computers. Over time computers accumulate cruft, so for all I know, the Firefox issues I was seeing could have been due to that, at least in part. I’ll never know for sure, because I don’t have the time to wipe and reinstall Ubuntu on it just to find out how well Firefox works afterwards.
Noteworthy issues I encountered
TrackPad unusable during installation
The TrackPad on my laptop was unusable during installation. I would move my finger slightly on the pad, and then have to wait several seconds for the mouse pointer to move in response. The lack of visual feedback made it impractical to to use the TrackPad. I ended up doing the entire install with the keyboard. I’ve reported this issue.
Installer prevented me from using my YubiKey for my encryption passphrase
I keep a long, random, secure drive encryption passphrase in my YubiKey. When I plug in the key and press its button for 2.5 seconds, it simulates typing the passphrase followed by the Enter key.
On other installers, when the YubiKey “types” Enter on the first of the two passphrase fields, either the installer moves the cursor to the second field, or it complains that the two fields don’t match and makes me enter the second one. The Debian installer, however, erases the contents of the first passphrase field.
To set my encryption passphrase to what’s in my YubiKey, I had to:
- Take out my phone.
- Open my password manager.
- Search for and find the entry where the passphrase is stored.
- Make it visible in the password manager.
- Laboriously type the 32-character random passphrase character by character, twice, complicated by the fact that there are some ambiguous characters in it.
What should take a few seconds instead took several painstaking minutes.
The Enter key simply should not clear the passphrase field that has already been entered. I reported this issue, and they shrugged and said they wouldn’t fix it.
MongoDB server
I use MongoDB, but there is not yet a community edition of its server for Debian 12. Until there is one I need to hold off on switching my desktop and my other Ubuntu computers to Debian.
Old versions of Firefox and Thunderbird
Debian ships Firefox and Thunderbird Extended Support Releases, which are significantly behind the current production releases of both applications. I ended up adding the Ubuntuzilla APT repository to my system and installing the newer Firefox from there. Unfortunately, that solution doesn’t work for Thunderbird, since the version of Thunderbird in Ubuntuzilla is also old, so ended up downloading and using the Thunderbird tar package from Mozilla.
By the way, I encountered a minor but annoying bug with the Ubuntuzilla Firefox packaging which I submitted a bug report about and they fixed within a day. Big kudos for that!
No AppImageLauncher packages
I use digiKam to manage my photo collection. The maintainers of digiKam recommend the AppImage version as the most reliable one for Linux users. AppImageLauncher makes using AppImages much more bearable, but unfortunately the AppImageLauncher PPA doesn’t have any packages that are compatible with Debian 12. I ended up building and install it myself from source, during which I ran into several issues I had to troubleshoot and fix. I filed a big report to let the developers know what I discovered.
Awful language about passwords in the installer
On the screen where the Debian installer asks you to choose a password, it says:
A good password will contain a mixture of letters, numbers and punctuation and should be changed at regular intervals.
This is advice is at least a decade out-of-date. We know quite well now that:
- Length is more important than character classes.
- Memorable is more important than character classes too.
- The best way to pick a good password that you need to remember is actually the xkcd method.
- Most important of all, even if you want to ignore everything I’ve written above, telling people to change their passwords regularly is a bad idea that makes security worse instead of better.
Someone reported these issues to the Debian maintainers over six years ago, and then again nearly two years ago, and and nothing has been done to address them. I sent a followup message to one of those bugs. I am not holding my breath that anything will come of it.
The Debian bug-tracking system breaks email security on an ongoing basis
When you report bugs to the Debian bug-tracking system (BTS), it changes the contents of your emails before forwarding them, but it leaves your email address as the sender. If your address is in a domain with a strict DMARC policy (as mine is), these messages will be bounced by any recipient mail servers which enforce DMARC. Every time I’ve emailed BTS, I’ve received numerous notifications that my messages failed to be delivered to numerous recipients to whom BTS forwarded them.
In short: if you have good email security, then lots of people who are supposed to receive your emails via BTS won’t ever see them because BTS is broken.
Installer makes poor choices for partition sizes
I’ve only been using Debian for a few days, but I’ve already filled up /tmp once, and my root filesystem is already 74% full. It’s ridiculous to make these filesystems so small on a machine with a 1TB drive. Furthermore, it only allocated 1GB to my swap partition, which isn’t nearly enough to support hibernation given that I have 16GB of RAM. These are poor design choices.
I believe the installer gave me the option of adjusting the predetermined partition sizes during the install, but (a) I didn’t look carefully because I assumed it would make good choices (a reasonable assumption, I thought!), and (b) non-technical users certainly wouldn’t think to adjust the recommended partition sizes.
To fix this, I had to reboot in recovery mode, unmount /home, use lvresize to reduce the size of /home, and then reboot in normal mode and install and use KDE partition manager to grow /, /tmp, and swap. This is beyond the ability of most non-technical users.
Miscellaneous other issues
The installer asked me to tell it what kind of security my WiFi network has, and I don’t really understand why. I thought WiFi networks advertise their security type along with their SSIDs. I don’t remember ever being asked this by Ubuntu, Windows, or macOS during installing and configuring the OS.
The installer prompts the user to set a root password. I’m not certain the Ubuntu installer does this, and I don’t think it’s a best practice. Rather, the root account should not have a password at all by default, and instead, the first user account that is created should be given sudo access. The first thing I did after finishing the install was add myself to the sudo group and change the root password to a long, random password generated by my password manager that I didn’t expect to ever use again. [Except he did have to use it to reboot in recovery mode to resize the /home partition as described above. – ed.]
The installer didn’t ask me to remove the install media (i.e., thumb drive) at the end of the install.
The Ubuntu boot process has a nice-looking graphical screen where you enter your drive encryption passphrase. Debian just has a tiny, barely readable prompt with a flashing cursor on the first line of the screen.
An initial Debian install has no firewall enabled and does not offer during the install to enable one. This problem is not unique to Debian; in fact it seems pretty common among Linux distributions (including Ubuntu). I do not understand why, in this day and age, any desktop operating system would ship without a host-based firewall installed and enabled by default.
The add-apt-repository command fails if you try to use it to add a PPA. This issue has been known to the Debian maintainers for over 12 years, and they still haven’t made it work or fixed the tool to provide a useful error message explaining why it doesn’t.
Release upgrades are a little easier on Ubuntu than Debian. (I upgraded from Debian 12 to the pre-release version of Debian 13 to see if a couple of GNOME bugs were fixed, as noted below.)
The Thunderbird GNOME desktop file installed by Debian doesn’t have “Compose New Message” or “Contacts” commands on it like the one installed on Ubuntu, or for that matter like the one installed for Evolution on Debian. I reported this.
Issues that (probably) aren’t Debian’s fault
My volume setting was being reset every time I logged out and logged back in. I upgraded from Debian 12 to the pre-release version of Debian 13 and the problem went away, so apparently it’s fixed in GNOME 44.
In GNOME 43, you can’t click on the speaker icon next to the volume slider in the top bar menu to mute and unmute, which used to work. Again, the problem went away when I upgraded to Debian the Debian 13 pre-release.
I simply do not understand why the default configuration on GNOME has only the window close button in title bars, i.e., no minimize or maximize button. Turning on the minimize and maximize buttons in the Tweaks app is one of the first things I do whenever I’m setting up a new GNOME system. What is up with this?
There’s a setting in the GNOME Tweaks app to disable suspend on lid close, but as far as I can tell it doesn’t actually do anything. If you want to prevent your laptop from suspending when the lid is closed, you have to edit a systemd-logind config file to do it. GNOME fixed this in their source code in July, but their fix, simply removing the setting from GNOME Tweaks, isn’t ideal. It should be possible for this to be a per-user setting, which is impossible when it’s only controllable via a systemd-logind configuration file.
The first time I tried to log into my Google account in the GNOME Settings app, the login dialog got stuck after I entered my password and wouldn’t go any further. I closed it and tried again and it worked fine the second time.
Every time I launched Firefox or Thunderbird when my YubiKey was plugged in, they prompted me to enter the password for the PIV slot on my YubiKey, even though I don’t use the PIV slot on my YubiKey for anything and never have. The workaround I ended up using to make the prompts go away was to uninstall the opensc packages. There really should be a way to tell Firefox and Thunderbird, “Yo, I’m not using this device to authenticate in Firefox or Thunderbird, please don’t ask me about it.”
Flameshot behaves bizarredly in Wayland. I initially thought this was a Debian issue so I reported it to them, but I subsequently discovered that it’s more complicated than that and may be a generic Flameshot with Wayland issue, so I reported it with more details to the Flameshot maintainers.
