June 3rd 2018
Disclaimer: This article is not a complete tutorial, it is simply a set of notes I took down following these instructions.
Today I found out that the debian security team handles oldstable releases only for a year or so, after which the LTS team takes over, which is arguably less secure.
Please see here.
Time to finally dist-upgrade my sturdy kitchenserver, still running on a minimal jessie install!
The release notes for stretch provide copious information on the topic, so that's what I'm going with for now.
According to this, i can use
ssh for the upgrade.
However, the computer is sitting in the next room and I can just walk over during reboots and watch the screen. I'd feel a lot less comfortable if that weren't possible.
I have some jessie-backports on my system and one package that is installed locally.
According to the backports FAQ, there's nothing to worry about.
Nevertheless, I booted into the mainline kernel and purged the backported kernel. Now my only backported packages are
ffmpeg. Oops, I'm not even using ffmpeg anymore. Purged.
Now purge residual configs also.
Change sources: I just removed the jessie-backports section and changed every occurence of
stretch. My /etc/apt/sources.list now looks exactly like this one (only the servers are different).
My blog still works!
Anyhow, after some searching I found this bug report:
So I had to edit /etc/fail2ban/jail.local to replace [ssh] with [sshd] and [ssh-ddos] with [sshd-ddos]. It fixed the problem.
Don't walk away, there's quite a few configurations that require your attention and intervention.
I'm still on the 3.16 kernel. Strange? No, the article tells me what I can do about it.
apt-get autoremove --purge, another reboot.
Everything still works, no red lights anywhere.