Why you should always have a network connection when installing Debian

This is a simple tip but an important one: when you’re installing Debian, take the time required to ensure the machine is connected to the Internet with a wired connection. If you have DHCP available, the debian-installer will use it to configure the network.

Why not use the wireless connection?

Because debian-installer in Squeeze doesn’t support WPA encryption, but only WEP. So if you’re using WPA, picking the wireless connection will lead to no working network during the installation and this is to be avoided.

If you’re still using WEP, you can go ahead of course.

If you only have a wireless connection with WPA, your might want to help the debian-installer team and add the required support. Matthew Palmer did some work on it a few months ago (see this mail and his branch in the netcfg git repository) but he resigned from the d-i team in the mean time. So WPA support is still not available in the wheezy debian-installer.

Why is the network so important?

  1. The “tasks” that you select during the installation process might suggest installation of supplementary packages that are not available on your installation disc. If you install without network, the resulting system might differ from the expected one since it will be missing some packages that are available in the Debian repositories but not on your installation disc.
  2. Your installation media might be old and there are security updates that have been published. If you do your initial installation with network, the security updates will be installed before the reboot and thus before the services are exposed over the network.
  3. If you’re not installing a desktop with network-manager (Debian’s default GNOME Desktop provides it), the initial network configuration is important since this configuration is kept for the future. And you surely want network connectivity on your machine, don’t you?
  4. Without network, APT’s sources.list will not be properly configured to include an HTTP mirror of your country. And really, I prefer when apt-get install can work without the initial installation disc.

If you want to read more articles like this one, click here to subscribe to my free newsletter. You can also follow me on Identi.ca, Twitter and Facebook.


  1. toobuntu says

    I wonder if you have any comment about the security implications mentioned here: http://www.hermann-uwe.de/blog/towards-a-moderately-paranoid-debian-laptop-setup–part-1-base-system, and if you’d consider posting your thoughts about to set up a new personal desktop machine for running debian testing and setting up your development environment (importing ssh and gpg keys, etc.). Do you have this automated? Off topic, but I’d also really like to see a suggested firewall script that covers both iptables and ip6tables. Even more off topic, I wonder if you have any thoughts about sponsoring or packaging this: https://github.com/dajhorn/pkg-zfs and https://github.com/dajhorn/pkg-spl. As a dkms-added module, the packages should be redistributable.

    • says

      I’m not sure what kind of feedback do you expect from me. The article you link gives some useless recommendations (no network during initial install) but also some useful ones (using SELinux, behavior suggestions, etc.). He’s more paranoid than I am surely.

      I don’t have any specific recommendation to setup my development environment, I do it once every 3-4 years when I buy a new machine and I keep my $HOME. 🙂

      For the firewall, I use “fwbuilder” and it generates a script supporting iptables and ip6tables.

  2. Liam bedford says

    Shouldn’t this be a bug against d-I that not having network during the install gives you such a horribly degraded future experience?

    • says

      It’s not “horribly degraded”. It just works on the expectation that you install in the same configuration that you would use it afterwards. That is if you have no network at install, you probably don’t have one at all. And it does its best with what is available.

      • says

        > don’t have one at all
        well gee thanks but perhaps it should assume otherwise for safety so that one doesn’t end up crippled for life.

    • says

      I don’t think that d-i’s netcfg supports any VPN either. While the installer is important, it’s still something that you use only once in the lifespan of a machine so most people do not care of supporting all types of network connections in d-i as long as it works fine on the installed system…

  3. Andrew says

    Too bad to hear about the WPA support being dead for months. It’s really hard to install debian on my lappy, as the wired card seems to be dead.

  4. says

    Now I found the reason why I was unable to install debian few months back on WPA wireless network. There were also few other problems for installation on my old desktop too. I tried to run windows installer from xp for debian but that installer was not working.

  5. Arthur says

    I install with network connections, but only because I’m behind a hardware firewall (router). If I was connected directly to my ISP via it’s modem I wouldn’t feel comfortable with that. Granted it’s a very short time window of opportunity, and they still have to find a door into the computer, but once they do the debian installer is being run with full-root access and readily available terminals. Last time I read the securing Debian manual, it also recommended installing without being connected to the net (IIRC).

  6. Wilbert says

    I prefer to install Debian from the DVD and I keep the DVD up to date with jigdo (DVD iso boots fine from USB drive too!)
    Sometimes I bother with a wired connection, but other times I leave it unconnected, because my WiFi supports WPA/WPA2.

    If my installation from DVD is incomplete, as you suggest, then I wonder if there is some way to install anything missing after I reboot into the just installed system and setup a WPA/WPA2 connection?

    Would a #task-sel reinstall desktop make sense to download the missing parts?

    • Wilbert says

      Thinking more about this, perhaps it’s a better appraoch to install base system only from CD/DVD
      Reboot into the base system, activate WPA/WPA2 (install wpasupplicant first) and update the source.list to include a mirror.
      And THEN install the desktop witrh #task-sel install desktop. That way it would be complete, right?

      • says

        Yes, that would work.

        Redoing “tasksel install <task>” certainly can’t hurt but it’s unlikely to pick up Recommends that were not installed during the initial installation.

  7. says

    Go ahead, get used to always having the network handy when installing.
    Don’t debug why things screw up otherwise.
    Don’t be surprised one day when you end up in the headlines of Risks Digest.

    • says

      This fear is unfounded, when the machine is not yet installed and not yet running any network-exposed service, the chances of being compromised are ridiculously small. Compare this with the time you’ll be exposed after your first reboot until you apply the security updates and you’ll see that it’s safer to install with the network than without the network.

      • says

        Please note I am not one bit concerned about security. I am just
        warning against e.g., people putting all their mail on Gmail, and one
        day when Gmail is down, they can’t get a single thing done.

        And let’s say in order to get on the Internet one needs to configure
        one thing, but say to configure that thing, one needs to install a
        certain package. However to install that package successfully, one
        needs an Internet connection. Etc. Etc. You never know.

        Or say you arrive at base camp with all your parts, and are in charge
        of setting up the whole computer infrastructure. Base camp will have
        Internet connectivity, but that will be next week. In the meantime you
        have a whole week to get everything ready. That’s fine, because all of
        the beginning part doesn’t need the Internet. However surprise
        surprise, nobody tested the software, so most of your week is wasted
        because some silly parts assumed an Internet connection. Etc.

  8. Wilbert says

    jidanni, to me it seems that you are concerned with human practice, more than technical issues.
    Gmail, for example, let’s you download all your messages to your computer without a problem, it also lets you forward all the messages (ALL of them) to another server (hotmail, yahoo, GMX, anywhere you prefer) It’s up to you to take the measures that feel right.

    This article is about the possible different system setup that result from installing Debian with or without internet connection. If ‘recommended packages’ are not installed during an offline procedure, then I would like to know how to install them after I got internet access setup.

    In general I have learned that what works best for me, does not automatically work well for anyone else. We all follow our own paths.

    • toobuntu says

      Wouldn’t tasksel –new-install do the trick? In other words, do a minimal install (no “tasks,” not even “base system”) without a network connection. Then configure your firewall and networking. Then tasksel –new-install. That’s what I do, but now I’m not sure if it picks up recommends. See http://wiki.debian.org/Gnome: “The option –new-install ensure [sic] we end-up with what DebianInstaller would have installed”

      From the same wiki article, perhaps the following, for example, would be necessary in place of tasksel to get a standard Debian gnome desktop: aptitude -q –with-recommends -o APT::Install-Recommends=yes -y install ~t^desktop$ ~t^gnome-desktop$

    • says

      Well OK, I haven’t actually ever used Gmail.
      Anyway, I hate when one takes all the Debian components on a camping trip, only to find they don’t fit together because nobody ever tested them without a network connection. Of course I haven’t actually tried it, but you get my idea.

      • Wilbert says

        Speaking for myself, I don’t mind getting into this kind of trouble, I learned most from getting to the solution, even with the ‘detours’.

        They say ‘a calm sea doesn’t make a skilled sailor’

  9. Wilbert says

    tasksel install desktop performs this line:
    aptitude -q -y install ~t^desktop$ ~t^kazakh-desktop$ ~t^kde-desktop$

    tasksel install desktop –new-install performs this line:
    aptitude -q -y install ~t^desktop$ ~t^kazakh-desktop$ ~t^kde-desktop$ ~pstandard ~prequired ~pimportant

  10. says


    Thanks for this good summary. I ran into the problem of missing supplementary packages and wonder if there is a way to install them afterwards.

    Atm. applications like empathy simply do not start (I guess due to missing deps).


    • says

      You can try rerunning “tasksel” but not sure it’s going to catch all missing recommends. There must be some way to identify recommended packages that are not installed but I haven’t looked how yet.

  11. Has F. S. (hhh) says

    I know I’m late posting here but I just started reading your fine blog.

    I’ve been using Debian for a few trouble-free months, thanks to the Debian Live builds which have made installing Debian fairly idiot proof (I’m not a programmer, probably not much more than an intermediate user). But this week I decided to tackle the problem of doing a netinst.iso install over a WPA encrypted wireless connection, and discovered it’s not that hard. It can be done using a single 256MB USB drive using wpa_supplicant. I wrote a tutorial that even a novice could follow at the #! forums…

    I hope that helps somebody, and keep up the fine work.