Debian Bookworm vs Bullseye: Support, Packages, Upgrades, and When to Choose Each

You are running—or choosing—between Debian 11 “Bullseye” and Debian 12 “Bookworm” on servers, VPS instances, or homelab boxes. Both are Debian stable releases: same apt tooling, same social contract, same general filesystem layout. They are not interchangeable snapshots—OpenSSL, PHP, PostgreSQL, and Python majors jumped between them, and in mid-2026 their support clocks point in different directions.

This guide compares Bookworm and Bullseye honestly for production decisions: what shipped at each release, who still patches what today, upgrade paths toward Debian 13 “Trixie” (current stable), and when staying on the older release is defensible. I ran apt and identity checks on a live Trixie host below—the commands work the same on Bookworm and Bullseye once you account for codenames.

Tested on: Debian GNU/Linux 13 (trixie); kernel 6.12.94+deb13-amd64; apt 3.0.3.

Quick answer: Debian Bookworm vs Bullseye

Pick Debian 12 Bookworm over Bullseye when you must stay on the older pair—Bookworm has newer TLS, PHP 8.2, PostgreSQL 15, and Python 3.11, and its Debian LTS window runs until June 2028.

Avoid new Bullseye deployments in 2026—Bullseye LTS ends 31 August 2026. For new installs today, start with Debian 13 Trixie unless compliance forces you to match an existing Bookworm image; see Debian vs Ubuntu if you are also weighing Noble LTS.

Bookworm vs Bullseye at a glance

Topic	Debian 11 Bullseye	Debian 12 Bookworm
Released	14 August 2021	10 June 2023
Status in mid-2026	oldoldstable; LTS ending Aug 2026	oldstable; full support ends Jul 2026 → LTS to Jun 2028
Superseded by	Bookworm, then Trixie	Trixie (current stable)
Linux kernel (GA)	5.10 LTS	6.1 LTS
OpenSSL	1.1.1	3.0
Python 3	3.9	3.11 (PEP 668 externally managed)
PHP	7.4	8.2
PostgreSQL	13	15
MariaDB	10.5	10.11
OpenJDK (default)	11	17
systemd	247	252
nginx (deb)	1.18	1.22
Package manager	APT / dpkg	APT / dpkg

Sources: Debian releases table, Bookworm release information, Bookworm release notes — what’s new.

Where each release sits in 2026

Debian always maintains stable, testing, and unstable. In June 2026:

Release	Codename	Role
Debian 13	Trixie	Current stable — default for new installs
Debian 12	Bookworm	Oldstable — full support until 11 July 2026, then Debian LTS until 30 June 2028
Debian 11	Bullseye	Oldoldstable — LTS only until 31 August 2026

IMPORTANT

Bullseye LTS ends in August 2026. Bookworm full Debian security support ends 11 July 2026, then Bookworm moves to volunteer LTS. If you are still provisioning Bullseye or treating Bookworm as “current” without a plan, schedule upgrades now.

Full support vs Debian LTS

During full support, the Debian Security Team and the release team cover the broad package set defined for stable. Debian LTS is volunteer- and sponsor-backed: a subset of packages receives security backports—verify your stack is in the LTS coverage set before you assume five more quiet years.

Extended LTS (ELTS) is a separate paid service for archived releases like Buster—not the same as Debian LTS.

Version snapshot: what changed from Bullseye to Bookworm

Debian publishes an official comparison in the Bookworm release notes. Highlights that affect real workloads:

Package	Bullseye (11)	Bookworm (12)
Linux kernel	5.10 series	6.1 series
OpenSSL	1.1.1n	3.0.8
Python 3	3.9.2	3.11.2
PHP	7.4	8.2
PostgreSQL	13	15
MariaDB	10.5	10.11
OpenJDK	11	17
GNU C Library	2.31	2.36
GCC (default)	10.2	12.2
OpenSSH	8.4p1	9.2p1
nginx	1.18	1.22
Apache	2.4.54	2.4.57
systemd	247	252

Patch levels on your host drift with security updates—always verify live:

bash


cat /etc/os-release
uname -r
python3 --version
openssl version
ssh -V 2>&1

On the Trixie lab host used while writing this article (illustrating the commands—not Bookworm/Bullseye versions):

text


PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
6.12.94+deb13-amd64
Python 3.13.5
OpenSSL 3.5.6 7 Apr 2026
OpenSSH_10.0p2 Debian-7+deb13u4, OpenSSL 3.5.6 7 Apr 2026

On Bookworm or Bullseye, VERSION_CODENAME shows bookworm or bullseye instead of trixie.

Migrations that hurt if you ignore them

OpenSSL 1.1 → 3.0

Bullseye’s OpenSSL 1.1 line is legacy. Bookworm’s OpenSSL 3.0 changes defaults, providers, and cipher behavior. Applications compiled against 1.1 assumptions, old TLS clients, and custom openssl.cnf tweaks break in ways apt upgrade alone will not document—you need application-level testing.

PHP 7.4 → 8.2

Bullseye’s system PHP is 7.4 (EOL upstream). Bookworm ships PHP 8.2 with language and extension changes. WordPress, Laravel, and legacy CMS code may run on Bookworm only after code updates—plan a staging upgrade, not a Friday night full-upgrade.

PostgreSQL 13 → 15

Major PostgreSQL upgrades require pg_upgrade or dump/restore—not a silent apt upgrade. Our install PostgreSQL on Debian guide covers fresh installs; crossing majors during a release upgrade needs the Bookworm release notes database chapter.

Python 3.9 → 3.11 and PEP 668

Bookworm marks Debian’s Python as externally managed (PEP 668). This command pattern from the Bullseye era often fails on Bookworm:

bash

python3 -m pip install --user somepackage

Typical error shape:

text

error: externally-managed-environment

Use apt install python3-…, python3 -m venv, or pipx instead—documented in Bookworm release notes — Python.

Java 11 → 17

Bookworm defaults to OpenJDK 17. Enterprise apps pinned to Java 11 may need parallel packages or containers after upgrade.

Package management: same APT, different codenames

Both releases use APT and dpkg. Daily workflows are identical; only mirror lines and versions differ.

Check which release you are on:

bash


cat /etc/os-release
grep -E '^deb ' /etc/apt/sources.list /etc/apt/sources.list.d/* 2>/dev/null | head -5

Bullseye mirrors use bullseye and bullseye-security; Bookworm uses bookworm and bookworm-security.

Refresh and audit packages:

bash


sudo apt update
sudo apt upgrade
apt list --installed | wc -l

Deep dive: APT command in Linux. Installed-package audits: list installed packages on Debian.

Backports and third-party repos

bookworm-backports (and historically bullseye-backports) ship newer packages on stable bases. Vendor repos—Docker, Adoptium Temurin, WineHQ—require the correct codename in .list files. Our install Temurin on Debian article uses awk on VERSION_CODENAME so the same steps work on Bullseye, Bookworm, or Trixie.

Flatpak: in main on Bookworm and Trixie; Bullseye often needs bullseye-backports—see install Flatpak on Debian.

Security and support practicalities

Both releases use systemd and commonly AppArmor. Firewalling is still your choice—nftables, ufw, or cloud security groups—not tied to the release codename.

Concern	Bullseye in 2026	Bookworm in 2026
Who patches CVEs	Debian LTS (subset)	Debian Security Team until Jul 2026, then LTS
Time left on calendar	LTS ends Aug 2026	LTS through Jun 2028
OpenSSL/TLS posture	1.1 era	3.0 era
Fit for internet-facing TLS	Poor choice for new work	Acceptable; Trixie preferred for new
Compliance “supported OS”	Hard to justify new installs	Easier; document LTS transition

Enable unattended-upgrades on either release if you want automatic security pulls—test in staging first on LTS transitions.

Bookworm vs Bullseye: workload guide

Workload	Bullseye	Bookworm
New public web stack in 2026	Avoid	Prefer Trixie; Bookworm OK for legacy match
Legacy PHP 7.4 app (unmovable)	Last resort	Requires PHP 8 migration
PostgreSQL 13 only	Frozen major	Upgrade path to 15
Docker host	Works; older kernel	Better kernel; see install Docker on Debian
ARM board long-life	Still on old fleets	Prefer Bookworm or Trixie
CI image pinned to old libs	Expire with Bullseye LTS	Buy time until 2028 LTS
Wine desktop app	Very old Wine in main	Wine 8.0; see install Wine on Debian
riscv64	Bookworm era support expanded	Better than Bullseye

When to stay on Debian 11 Bullseye

Stay on Bullseye only when:

You are mid-migration and need weeks—not years—before Bookworm or Trixie.
A vendor appliance image is certified only on Bullseye and you have a dated exit plan before 31 August 2026.
You understand LTS gaps—packages you rely on may not receive backports.

Do not start new Bullseye installs in 2026.

When to choose Debian 12 Bookworm

Choose Bookworm when:

You must match an existing Bookworm fleet or automation keyed to Debian 12.
You need OpenSSL 3, PHP 8.2, or PostgreSQL 15 but cannot move to Trixie yet.
You want Debian LTS through June 2028 while you plan a Trixie migration.
Third-party .list files or ISV docs still say “Debian 12” explicitly.

For greenfield servers with no Bookworm constraint, Debian 13 Trixie is the current stable default.

Upgrading: Bullseye → Bookworm → Trixie

Debian supports in-place upgrades between consecutive stable releases. The high-level path:

Back up or snapshot the system.
Read Bullseye → Bookworm release notes or Bookworm → Trixie release notes.
Update sources.list codenames (bullseye → bookworm → trixie) and security suites.
Run sudo apt update, then sudo apt full-upgrade (often in stages per release notes).
Reboot, verify services, run application smoke tests.

You can skip Bookworm and go Bullseye → Trixie only if release notes document a supported path—usually you upgrade one major at a time.

Check codename after upgrade:

bash

cat /etc/os-release | grep -E 'VERSION|CODENAME|PRETTY'

Common mistakes when comparing Bookworm and Bullseye

Provisioning Bullseye in 2026 because “Debian is Debian.”
Assuming Bookworm still has full security support all year in 2026—it enters LTS after 11 July 2026.
Running pip install --user on Bookworm like Bullseye days—use venv or pipx.
Expecting apt upgrade to jump PostgreSQL majors without a planned migration.
Copying Trixie or Ubuntu tutorials onto Bookworm without checking package versions.
Ignoring LTS package coverage for niche daemons you compiled yourself.
Staying on Bullseye for OpenSSL 1.1 compatibility instead of fixing apps or using containers.

Summary

Debian 12 Bookworm and Debian 11 Bullseye share APT and Debian’s stable philosophy, but they target different eras. Bullseye is end-of-life on the LTS calendar in August 2026 with OpenSSL 1.1, PHP 7.4, and PostgreSQL 13. Bookworm is the stronger of the two—OpenSSL 3, modern PHP, PostgreSQL 15, Python 3.11—but in mid-2026 it is oldstable entering LTS, not the default for new servers.

New installs: use Debian 13 Trixie. Existing Bullseye: upgrade to Bookworm or Trixie before August 2026. Existing Bookworm: plan Trixie during the 2026–2028 LTS window. For how Debian 12 compares outside the Debian family, read Debian vs Ubuntu or Debian vs Red Hat.

References

Frequently Asked Questions

1. Should I use Debian 12 Bookworm or Debian 11 Bullseye in 2026?

For new installs in mid-2026, use Debian 13 Trixie (current stable) unless you have a hard reason to match an existing Bookworm fleet. Between Bookworm and Bullseye only: choose Bookworm—Bullseye LTS ends August 2026 and it ships older OpenSSL, Python, and PostgreSQL majors. Bookworm enters Debian LTS after July 2026 and is the better base until you upgrade to Trixie.

2. What is the main difference between Debian Bookworm and Bullseye?

Bookworm (Debian 12) ships Linux 6.1, Python 3.11, OpenSSL 3.0, PHP 8.2, and PostgreSQL 15. Bullseye (Debian 11) shipped 5.10, Python 3.9, OpenSSL 1.1, PHP 7.4, and PostgreSQL 13. Both use APT and systemd, but Bookworm’s stack matches modern TLS, PHP, and database requirements Bullseye cannot meet without backports or containers.

3. Is Debian 11 Bullseye still supported?

Bullseye full Debian security support ended in August 2024. It is on volunteer Debian LTS until August 31, 2026—not every package receives the same attention as stable. After that date, plan a migration to Bookworm, Trixie, or paid Extended LTS (ELTS) for select packages.

4. Is Debian 12 Bookworm still supported?

Bookworm full support runs until July 11, 2026, then Debian LTS until June 30, 2028. In mid-2026 it is oldstable—valid for existing fleets, but greenfield servers should evaluate Debian 13 Trixie first.

5. Can I upgrade from Bullseye to Bookworm in place?

Yes. Debian documents supported in-place upgrades between consecutive stable releases—Bullseye to Bookworm, then Bookworm to Trixie. Read the release notes, refresh sources.list, run apt full-upgrade, and reboot. Snapshot or back up first; major jumps touch OpenSSL, PHP, and database majors.

6. Do Bookworm and Bullseye use the same apt commands?

Yes. apt install, apt upgrade, apt full-upgrade, and dpkg -l work the same way. Repository codenames differ—bullseye, bookworm, trixie—and package versions frozen at each release differ, so playbooks must match the release you run.

7. Why did pip install break on Bookworm but not Bullseye?

Bookworm marks the system Python as externally managed (PEP 668). pip refuses to install into the system interpreter unless you use a venv, pipx, or --break-system-packages. Bullseye’s Python 3.9 era allowed more casual pip --user installs—migrating automation must switch to virtual environments.