Changes

See: #41990
anarcat · 091c5a30
--- a/policy/tpa-rfc-80-debian-trixie-upgrade-schedule.md
+++ b/policy/tpa-rfc-80-debian-trixie-upgrade-schedule.md
 ---
-title: TPA-RFC-80: Debian trixie upgrade schedule
+title: TPA-RFC-80: Debian 13 ("trixie") upgrade schedule
 costs: staff, 4+ weeks
 approval: TPA, service admins
 affected users: TPA, service admins
-deadline: 2 weeks, 2025-03-18
+deadline: 2 weeks, 2025-04-01
 status: proposed
 discussion: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41990
 ---

-Summary: start upgrading servers during the Debian "trixie" freeze, if
-it goes well, complete most of the fleet upgrade in around June 2025,
-with full completion by the end of 2025, with a 2026 year free of
-major upgrades entirely. Improve automation.
+Summary: start upgrading servers during the Debian 13 ("trixie")
+freeze, if it goes well, complete most of the fleet upgrade in around
+June 2025, with full completion by the end of 2025, with a 2026 year
+free of major upgrades entirely. Improve automation, retire old
+container images.

 # Background

-Debian 13 "trixie", currently "testing" is going into freeze soon, which
+Debian 13 ("trixie"), currently "testing", is going into freeze soon, which
 means we should have a new Debian stable release in 2025. It has been
 a long-standing tradition at TPA to collaborate in the Debian
 development process and part of that process is to upgrade our servers
@@ -30,9 +31,14 @@ The [freeze dates announced by the debian.org release team][] are:
                                    packages without autopkgtests
    To be announced - Milestone 4 - Full Freeze

+We have entered the "transition and toolchain freeze" which locks
+changes on packages like compilers and interpreters unless
+exceptions. See the [Debian freeze policy](https://release.debian.org/testing/freeze_policy.html) for an explanation of
+each step.
+
 Even though we've just completed the Debian 11 ("bullseye") and 12
 ("bookworm") upgrades in late 2024, we feel it's a good idea to start
-*and* complete the trixie upgrades in 2025. That way, we can hope of
+*and* complete the Debian 13 upgrades in 2025. That way, we can hope of
 having a year or two (2026-2027?) *without* any major upgrades.

 This proposal is part of the [Debian 13 trixie upgrade milestone][],
@@ -63,10 +69,46 @@ and a proposal like this one would link against the upstream release
 notes. Unfortunately, at the time writing, upstream hasn't yet
 produced release notes (as we're still in testing).

-We're hoping the procedure will be fine-tuned by the time we're ready
+We're hoping the documentation will be refined by the time we're ready
 to coordinate the second batch of updates, around May 2025, when we
 will send reminders to affected teams.

+We do expect the Debian 13 upgrade to be less disruptive than bookworm,
+mainly because Python 2 is already retired.
+
+## Notable changes
+
+For now, here are some known changes that are already in Debian 13:
+
+| Package            | 12 (bookworm) | 13 (trixie) |
+|--------------------|---------------|-------------|
+| Ansible            | 7.7           | 11.2        |
+| Apache             | 2.4.62        | 2.4.63      |
+| Bash               | 5.2.15        | 5.2.37      |
+| Emacs              | 28.2          | 30.1        |
+| Fish               | 3.6           | 4.0         |
+| Git                | 2.39          | 2.45        |
+| GCC                | 12.2          | 14.2        |
+| Golang             | 1.19          | 1.24        |
+| Linux kernel image | 6.1 series    | 6.12 series |
+| LLVM               | 14            | 19          |
+| MariaDB            | 10.11         | 11.4        |
+| Nginx              | 1.22          | 1.26        |
+| OpenJDK            | 17            | 21          |
+| OpenLDAP           | 2.5.13        | 2.6.9       |
+| OpenSSL            | 3.0           | 3.4         |
+| PHP                | 8.2           | 8.4         |
+| Podman             | 4.3           | 5.4         |
+| PostgreSQL         | 15            | 17          |
+| Prometheus         | 2.42          | 2.53        |
+| Puppet             | 7             | 8           |
+| Python             | 3.11          | 3.13        |
+| Rustc              | 1.63          | 1.85        |
+| Vim                | 9.0           | 9.1         |
+
+Most of those, except "tool chains" (e.g. LLVM/GCC) can still change,
+as we're not in the full freeze yet.
+
 ## Upgrade schedule

 The upgrade is split in multiple batches:
@@ -95,11 +137,22 @@ again.

 ### Upgrade automation and installer changes

-First, we tweak the installers to deploy trixie by default to avoid
+First, we tweak the installers to deploy Debian 13 by default to avoid
 installing further "old" systems. This includes the bare-metal
 installers but also and especially the virtual machine installers and
 container images.

+Concretely, we're planning on changing the `latest` container image
+tag to point to `trixie` in early April. A full *year* later, the
+`bookworm` container images will be retired. Note that we are already
+planning the retirement of the "old stable" (`bullseye`) container
+images, see [tpo/tpa/base-images#19](https://gitlab.torproject.org/tpo/tpa/base-images/-/issues/19), for which you may have
+already been contacted.
+
+New `idle` canary servers will be setup in Debian 13 to test
+integration with the rest of the infrastructure, and future new
+machine installs will be done in Debian 13.
+
 We also want to work on automating the upgrade procedure
 further. We've had catastrophic errors in the PostgreSQL upgrade
 procedure in the past, in particular, but the whole procedure is now
@@ -108,7 +161,7 @@ details.

 [tpo/tpa/team#41485]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41485

-### Batch 1: low complexity, April-May 2025
+### Batch 1: low complexity

 This is scheduled during two weeks: TPA boxes will be upgraded in
 the last week of April, and Tails in the first week of May.
@@ -183,7 +236,7 @@ Feedback and coordination of this batch happens in [issue batch 1][].

 [issue batch 1]:  "https://gitlab.torproject.org/tpo/tpa/team/-/issues/42071"

-### Batch 2: moderate complexity, May-June 2025
+### Batch 2: moderate complexity

 This is scheduled for the last week of may for TPA machines, and the
 first week of June for Tails.
@@ -268,7 +321,7 @@ Feedback and coordination of this batch happens in [issue batch 2][].

 [issue batch 2]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/42070

-### Batch 3: high complexity, 2025 Q3-Q4
+### Batch 3: high complexity

 Those machines are harder to upgrade, or more critical. In the case of
 TPA machines, we typically regroup the Ganeti servers and all the
@@ -339,6 +392,28 @@ up.
 This process has been historically neglected, but we're hoping to wrap
 this up, worst case in 2026.

+## Timeline
+
+- 2025-Q2
+  - W14 (first week of April): default container image changed to
+    `trixie`, installer defaults changed and first tests in
+    production
+  - W18 (last week of April): Batch 1 upgrades, TPA machines
+  - W19 (first week of May): Batch 1 upgrades, Tails machines
+  - W22 (last week of May): Batch 2 upgrades, TPA machines
+  - W23 (first week of June): Batch 2 upgrades, Tails machines
+- 2025-Q3 to Q4: Batch 3 upgrades
+- 2026-Q2: bookworm container image retired
+
+## Deadline
+
+The community has until the beginning of the above timeline to
+manifest concerns or objections.
+
+Two weeks before performing the upgrades of each batch, a new
+announcement will be sent with details of the changes and impacted
+services.
+
 # Alternatives considered

 ## Retirements or rebuilds