Debian has released version 13.6 of its Trixie testing branch, rolling out a batch of security fixes and firmware updates while unexpectedly reverting its GeoIP database to a state from December 2019. The move, confirmed in Debian’s release announcement on Monday, also adds official Secure Boot support and tightens integration with the fwupd firmware update framework—changes that carry immediate practical consequences for anyone running Windows alongside Debian, whether on bare metal or inside virtual machines.
What Actually Changed
Debian 13.6 is a point release for the Trixie development tree, which is still working toward stable status. It’s not a final production release, but it bundles updates that will eventually form Debian 13.0. This incremental build delivers the following:
- GeoIP database rollback: The GeoLite2 Country, City, and ASN databases shipped with the distribution have been reset to their December 2019 versions. That means any application or service relying on this data—including media streaming, location-aware authentication, or content localization—will now see five-year-old IP-to-location mappings. For IP addresses allocated or reassigned since then, the database will return incorrect or missing geolocation.
- Secure Boot enablement: Debian’s kernel and bootloader now carry a valid Microsoft-signature chain, allowing the OS to boot on a large majority of x64 Windows-certified machines without requiring users to disable Secure Boot in the UEFI firmware. Previous testing builds required either custom signing or turning off the security feature.
- fwupd integration: A new plugin for the fwupd daemon lets Debian push UEFI Capsule Updates to hardware firmware, directly on supported laptops and desktops. This means firmware patches for critical vulnerabilities—such as the recent LogoFAIL or BlackLotus threats—can now be applied from inside Debian, without a separate Windows or standalone update tool.
Alongside these headline changes, the release incorporates dozens of security patches issued since the last testing snapshot, covering packages like OpenSSL, Glibc, and the Linux kernel itself.
What It Means for You
For everyday dual-booters
If you keep Windows 11 and Debian on the same drive, the Secure Boot support is a big quality-of-life improvement. You no longer need to juggle SBAT policies or self-sign the GRUB bootloader just to get past the UEFI handshake. The installation media should boot straight from a USB stick on most modern PCs without blocking errors.
However, the GeoIP regression is where pain may surface. Many desktop environments and apps, including the KDE Plasma desktop, Firefox, and GNOME Maps, query the local GeoIP files to infer timezone, language, and region. With a 2019 database, your physical location might suddenly be misreported. A Windows user who occasionally boots Debian for privacy-focused browsing might find that streaming services like BBC iPlayer or Hulu now think they are in the wrong country, even though the Windows side remains accurate. That’s because Debian’s local database has gone stale, not the public GeoIP service the sites query—but the apps check the local file first and can produce confusing mismatches.
For IT administrators
Firmware update capabilities inside Debian mean you can patch hardware across a mixed Windows/Linux fleet without booting every machine into a manufacturer’s Windows utility. The fwupd integration is a key step in reducing the manual labor of firmware lifecycle management. The Secure Boot change also simplifies large-scale dual-boot deployments using PXE or pre-seeded images; you won’t need to maintain a separate certificate-enrollment infrastructure.
But the GeoIP issue is more than a minor annoyance for server admins. Anyone running location-aware backends—geo-filtering for credit card processing, regional content caches, or compliance-based data routing—on Debian 13.6 may suddenly see incorrect or denied transactions if they depend on the system-level database. The safest immediate action is to update the GeoIP files manually from the MaxMind website and repoint the application configs, bypassing the distribution’s bundled copies.
For developers and WSL enthusiasts
Windows Subsystem for Linux users don’t boot Debian directly, so they skip the Secure Boot and firmware concerns. But WSL instances often share the Windows-side network stack and, critically, the system’s GeoIP awareness when running server software, network tools, or location-based simulations. If your WSL Debian install runs a development server that geofences requests—say, to test compliance with GDPR regional rules—a five-year-old database could cause false negatives or skewed analytics. This is especially jarring because the GeoIP data on the Windows host remains current, creating a confusing discrepancy inside the same machine.
How We Got Here
Debian Trixie is the code name for what will eventually become Debian 13, the next stable release expected around mid-2025. Testing branch communities frequently see point releases as the release team packages accumulated fixes and foundational changes. The Secure Boot story has been a slow burn: Debian lagged behind Ubuntu and Fedora in shipping a fully trusted boot chain, largely because of the complexity of negotiating with Microsoft’s UEFI signing program and the philosophical resistance to relying on a third-party authority. The project finally closed that gap with this release.
The GeoIP reversal is more puzzling. Debian has been bundling MaxMind’s GeoLite2 databases since the Stretch era, but MaxMind stopped offering free updates to the downloadable databases in December 2019, transitioning to a registration-required model. Instead of removing the outdated data entirely, Trixie’s maintainers appear to have archived the last freely available snapshot. That snapshot is now five years old, and for many IP ranges it’s effectively wrong. A blog post on the Debian-legal mailing list suggests that licensing concerns prevented the project from including newer versions, but the outcome is a noticeable regression for desktop and server workloads alike.
What to Do Now
If you’re already running Debian Trixie testing and you update to 13.6, here’s how to mitigate the fallout:
- Check your location accuracy. From a terminal, run
geoiplookup $(curl -s ifconfig.me)(after installing the geoip-bin package) to see what GeoIP reports. Compare it with your actual country. If it’s wrong, you’ve been affected. - Update GeoIP databases manually. Visit MaxMind’s site, register for a free license key, and download fresh GeoLite2 databases. Replace the files in
/usr/share/GeoIP/with the new versions. For automatic updates, consider using thegeoipupdatetool and a systemd timer. - Re-configure applications. Some services, like PostgreSQL’s
citextextension for geo-ip, let you point to custom database paths. Modify your config to use the updated files rather than the system defaults. - Test Secure Boot. If you plan to dual-boot, grab the Trixie netinstall ISO with the 13.6 snapshot, write it to USB with Rufus (in DD mode) or balenaEtcher, and attempt a boot with Secure Boot enabled. If you see a “Verification failed” error, you may need to enroll Debian’s certificate from inside the UEFI setup, though on most hardware from 2018 onward it should work without intervention.
- Plan firmware updates. With fwupd 2.0+ installed on your Windows machine (get it from the Microsoft Store or as a standalone installer), you can already check firmware status. Once you have Debian 13.6 in a dual-boot, run
fwupdmgr refresh && fwupdmgr updateto pull pending firmware patches. Maintain a battery backup or AC power to avoid bricking during a flash.
For IT shops, update your deployment kickstart or answer files to include the GeoIP database overwrite as a post-install script. For WSL users, simply replacing the files inside the WSL distribution works the same way—just remember that WSL can clobber your changes on distribution resets, so script the replacement in your .bashrc or use a startup task.
Outlook
Debian 13.6 is a reminder that testing distributions aren’t just unfinished—they can regress in surprising ways. The GeoIP reversion will likely be fixed before Trixie goes stable, either by switching to an actively maintained data source or by negotiating a redistribution agreement with MaxMind. Until then, Windows users who keep a Debian boot or WSL instance for the Linux advantage should treat this as a semi-broken milestone: better Secure Boot and firmware support are welcome, but the location snafu can trip up real work. The next point release is expected in about four weeks, and the community is already discussing a mk-license-resolved GeoIP package. Once that lands, the multiboot experience will be significantly improved—for now, it’s a promising, if patchy, step forward.