Slashdot Mirror


Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources

Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your sources.list file." Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.

159 comments

  1. Moved to deb-multimedia.org by TREE · · Score: 5, Informative

    The repository is not gone, it just moved to http://deb-multimedia.org/

    1. Re:Moved to deb-multimedia.org by stephanruby · · Score: 3, Informative

      Not sure if you're using the debian-multimedia repository? You can easily check it by running:

      grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

      If you see a debian-multimedia.org line in the output, you should remove all the lines that include it.

    2. Re:Moved to deb-multimedia.org by Anonymous Coward · · Score: 1

      You completely and utterly missed the entire point.

      deb-multimedia.org is run by the original maintainers of debian-multimedia.org and is still probably safe.

      debian-multimedia.org is now run by an unknown entity after the debian project told them to stop using their name and they moved and let the domain expire.

    3. Re:Moved to deb-multimedia.org by msauve · · Score: 4, Insightful

      If you're going to karma whore, you should at least reference the OP.

      If you can see debian-multimedia.org lines in output, you might want to change all the lines including it to use deb-multimedia.org instead.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Moved to deb-multimedia.org by jones_supa · · Score: 1

      He didn't miss the point. He just commented one aspect of it, which is that the original is now at deb-multimedia.org. Which is correct.

    5. Re:Moved to deb-multimedia.org by Anonymous Coward · · Score: 1

      For an annual cost of what $10 (?) Debian should probably have just bought the domain when it expired to protect its users. Not that I'm attributing blame, they probably never even knew it was being allowed to expire since debian-multimedia was an entirely separate unofficial group.

    6. Re:Moved to deb-multimedia.org by hobarrera · · Score: 0

      I must be dreaming. Not only does this first post NOT say "first", but it's actually really informative!
      Did I mistype "slashdot" today? :|

    7. Re:Moved to deb-multimedia.org by kju · · Score: 1

      If you see a debian-multimedia.org line in the output, you should remove all the lines that include it.

      Nonsense. Many still working mirrors have "debian-multimedia.org" in the path name, e.g. http://debian.netcologne.de/debian-multimedia.org

    8. Re: Moved to deb-multimedia.org by Anonymous Coward · · Score: 1

      But what are they mirroring? Do they need to read this article too?

    9. Re:Moved to deb-multimedia.org by Anonymous Coward · · Score: 0

      They still need to conserve money. Debian has expenses that were, for a long time, paid for out of the pockets of a few of the developers.

    10. Re:Moved to deb-multimedia.org by Anonymous Coward · · Score: 0

      Thanks--I forgot about /etc/apt/sources.list.d/

    11. Re:Moved to deb-multimedia.org by smooth+wombat · · Score: 2

      Liar! Everyone knows that if you give software away for free you don't need money.

      That's why you don't have to pay for movies, songs or programs any more. You just go to Pirate Bay and get them for free.

      You must be living in a fantasy world if you think money is needed to make software.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    12. Re:Moved to deb-multimedia.org by Anonymous Coward · · Score: 0

      They knew and they pretty much begged for it to be transferred. The original owner simply let it expire instead.

    13. Re:Moved to deb-multimedia.org by Zero__Kelvin · · Score: 1

      You are better off to just grep for multimedia.org. Then you can see if you are using either repository, and if you need to change it. If nothing shows up, then you might want to consider adding a line for deb-multimedia.org. One subtle thing that a seasoned tech expert learns over time is that searching / grepping for something a little less specific can sometimes yield far more lucrative results than being (overly) explicit.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
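The check discussed in this sub-thread, as an added example (mine, not Debian's or deb-multimedia's code): it scans a sources list for entries whose URI host is the expired domain and emits a copy with those entries either commented out or rewritten to deb-multimedia.org. It compares the host rather than grepping for the bare string, so a mirror that only carries "debian-multimedia.org" in its path (kju's netcologne example) is left alone. The sample file, the "# disabled" marker text and the function names are my own choices; nothing here is taken from a real system.

```python
"""Added example, not Debian's code: find APT source entries whose URI *host*
is the expired debian-multimedia.org and emit a cleaned copy of the file.
A plain grep for the string also hits mirrors that carry it in the *path*,
e.g. http://debian.netcologne.de/debian-multimedia.org (kju's point above);
those never talk to the hijacked domain, so only the host is compared."""
import re

OLD_HOST = "debian-multimedia.org"
NEW_HOST = "deb-multimedia.org"

# One active deb/deb-src line: optional indent, optional [options], scheme://,
# then the host up to the next "/" or whitespace.  "#"-commented lines do not match.
ENTRY_RE = re.compile(
    r"^(?P<prefix>\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?[a-z][a-z0-9+.-]*://)"
    r"(?P<host>[^/\s]+)"
    r"(?P<rest>.*)$"
)


def host_of(line):
    """Host of an active source line (":port" dropped), or None."""
    m = ENTRY_RE.match(line)
    return m.group("host").split(":")[0].lower() if m else None


def find_old_host(text):
    """[(line_number, line)] for active entries served from OLD_HOST."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if host_of(line) == OLD_HOST]


def comment_out(text):
    """Copy of the file with those entries disabled (the automatic fix that
    osu-neko and Nutria describe above, applied to a copy rather than in place)."""
    return "".join(
        ("# disabled, domain expired: " if host_of(line) == OLD_HOST else "") + line + "\n"
        for line in text.splitlines())


def rewrite_host(text):
    """Copy of the file pointing those entries at NEW_HOST (msauve's option)."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and host_of(line) == OLD_HOST:
            host = m.group("host")
            port = host[len(host.split(":")[0]):]          # keep any ":port"
            line = m.group("prefix") + NEW_HOST + port + m.group("rest")
        out.append(line)
    return "".join(l + "\n" for l in out)


# Constructed sample, not taken from any real system.
SAMPLE = """\
deb http://ftp.debian.org/debian wheezy main
deb http://debian-multimedia.org/ wheezy main non-free
deb-src http://debian-multimedia.org/ wheezy main
deb http://debian.netcologne.de/debian-multimedia.org wheezy main
# deb http://debian-multimedia.org/ squeeze main
deb [arch=amd64] http://debian-multimedia.org wheezy main
"""

if __name__ == "__main__":
    # On a live system read /etc/apt/sources.list and /etc/apt/sources.list.d/*.list
    # instead of SAMPLE, write the result to a new file, and review it before use.
    for n, line in find_old_host(SAMPLE):
        print(f"{n}: {line}")
    print(comment_out(SAMPLE))
```

On the sample, lines 2, 3 and 6 are flagged; line 4 (the mirror path) and line 5 (already commented) are not. Whichever copy you choose, run apt-get update afterwards and confirm the old host no longer appears in its output.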
    14. Re:Moved to deb-multimedia.org by Anonymous Coward · · Score: 0

      Why? Ain't deb packages signed like rpm packages and refused on key mismatch?

    15. Re:Moved to deb-multimedia.org by Anonymous Coward · · Score: 0

      Peenis cockin'. Big rods.

  2. Why not... by ADRA · · Score: 1

    Have a patch update install that appends to the hosts file redirecting said offending domain to 127.0.0.1 or the like. At least then you'd be sure most potential users don't get infected..

    --
    Bye!
    1. Re:Why not... by Nutria · · Score: 4, Insightful

      (a) Because that's intruding where package management doesn't belong, and
      (b) into which package would you add this patch?

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Why not... by Anonymous Coward · · Score: 0

      Because doing an ugly hack in /etc/hosts is unnecessary where a simple line cut in /etc/apt/sources.list is sufficient and correct.

    3. Re:Why not... by at_slashdot · · Score: 1

      (a) Why is that? Why can't package management fix a security problem?
      (b) What package does /etc/apt/sources.list and /etc/apt/sources.d belong to? How about patching that package?
       

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
    4. Re:Why not... by Anonymous Coward · · Score: 0

      They don't belong to any package.

    5. Re:Why not... by Anonymous Coward · · Score: 1

      ...or just patch apt to ignore the repository, even if it exists in sources.list.

    6. Re:Why not... by Anonymous Coward · · Score: 0

      They should just put an update to apt in the official repository that doesn't change anything except looking for that in the sources files and replaces it with the new correct one.

    7. Re:Why not... by KGIII · · Score: 2

      APK, is that you? ;)

      --
      "So long and thanks for all the fish."
    8. Re: Why not... by Anonymous Coward · · Score: 0

      Best response.

    9. Re:Why not... by Anonymous Coward · · Score: 0

      linux security, fix it yourself or tough shit, gee I wonder why people just don't flock to it

    10. Re:Why not... by osu-neko · · Score: 3, Insightful

      Fixing a security problem is a great idea. Doing so by adding bogus entries to your /etc/hosts file (as OP suggested) is a monumentally stupid idea.

      The right way to handle this automatically (assuming you don't object to the idea of it being handled automatically) would be to simply comment out the offending line in the sources.

      --
      "Convictions are more dangerous enemies of truth than lies."
    11. Re: Why not... by Anonymous Coward · · Score: 1

      I have a broken shoelace. Should I replace it or just get some brand new Microsoft shoes? I suppose I could wait until the shoes wear out and then replace everything at the same time, or I could call out that "shoelace flying doctor" company.

      Trouble is the art of shoelace replacement died out since everyone has told us it is hard and only for experts.

    12. Re: Why not... by crutchy · · Score: 2

      holy fucking shitbags!!! Microsoft makes shoes!!!! where can i get a pair so i can wear them with my debian t-shirt :)

    13. Re:Why not... by crutchy · · Score: 1

      nah i can't be... the sentences are intelligible and there's no mention of "open sores"

    14. Re:Why not... by Anonymous Coward · · Score: 0

      No the right way would be to ask the root next time he runs the upgrade.

    15. Re:Why not... by gmack · · Score: 3, Informative

      Already done.. debian-multimedia packages were signed and anything new from that domain won't be and should not install.

    16. Re:Why not... by julesh · · Score: 1

      linux security, fix it yourself or tough shit

      More accurately: Linux security - if a change you made to the system turns out to be insecure, you have to remove it yourself later. It's not like debian is distributed with such third-party update sites listed in apt.sources.

    17. Re:Why not... by Anonymous Coward · · Score: 0

      This shouldn't be a security problem because debian uses signed packages and users would see the untrusted key and say no.

    18. Re:Why not... by x_t0ken_407 · · Score: 1

      The audacity to think that sysadmins should be able to handle their system themselves their way. Why would you NOT pay ungodly amounts of money for a company to hold your hand??

    19. Re:Why not... by GPLHost-Thomas · · Score: 2

      (a) Why is that? Why can't package management fix a security problem?

      For this, we have apt-key. If you blindly trust a non-signed source, that's your fault.

    20. Re:Why not... by GPLHost-Thomas · · Score: 1

      The Debian community is in fact very concerned by it, but there's very little that we can do. Intrusively hacking the sources.list isn't a nice thing to do. The one to blame is the old owner of debian-multimedia.org, not Debian itself. debian-multimedia.org (and deb-multimedia.org by the way) was non-official anyway, and not supported (and in fact, disliked by the Debian Multimedia team (notice the space instead of the dash...)).

    21. Re:Why not... by GPLHost-Thomas · · Score: 1

      It's not the role of Debian to back-hack the cruft of a sysadmin. If a sysadmin decided to add a non-official repository, it's his responsibility to maintain it. If the non-official repository goes away this way, Debian isn't to blame.

    22. Re:Why not... by grouchyDude · · Score: 1

      It's the "role" of the Debian (community) to do the best thing for their users, both for the sake of the people at stake and for the health and promotion of Debian (and UNIX) as a whole. Doing the "right" thing usually involves difficult compromises and judgement calls, and sticking to a strictly hard-line set of ideals is rarely compatible with the messy real world we all live in... that is my experience running a couple of organizations: people make mistakes and their organizations, or superiors, or "family" often need to clean up after/for them, even if it's not technically their job to do so, for the benefit of all concerned.

      I think the fight over the name, which caused the name change, was a mistake with consequences that could have been predicted. Even if it's the fault of the sysadmins who messed with their systems, finding a non-intrusive way to help them from getting nailed is in everybody's long term interest (except maybe Microsoft or other non-Linux vendors... and even they want a healthy Internet). In the worst-case scenario that this domain gets acquired by bad people and users get burned by this, it will make UNIX/Deb look bad, cause harm to various individuals, and potentially even lead to more spam or malware.

    23. Re:Why not... by x_t0ken_407 · · Score: 1

      Agreed...forgot my sarcasm tag? :p

    24. Re:Why not... by Anonymous Coward · · Score: 0

      It's a mistake, driven by Christian. He was working at odds with the project, and confusing users. His failure to clearly differentiate his repo led to wrongly filed bugs, and his fishing for donations was and remains dubiously vague.

      Follow the discussions that took place. Christian was passive aggressive and entirely disinterested in avoiding this mistake, which is entirely of his making. Even where his repo provided useful packages, the man is an obstinate cunt looking to get some Internet monies in his hands. Debian leadership have been polite and constructive almost to a fault in their dealings with this huckster.

    25. Re:Why not... by GPLHost-Thomas · · Score: 1

      I think the fight over the name, which caused the name change, was a mistake with consequences that could have been predicted.

      Absolutely not. All Debian Developers were aware of what was going on, and none thought it would end this way.

      You might be aware that there are other sites using the word "debian" in the URL. For example www.debian-administration.org. Though we don't care much about them. But here, we had someone working against Debian, and the way he acted shows the DPL did the right thing, especially seeing how much the owner of the site didn't care for its users.

      Even if it's the fault of the sysadmins who messed with their systems, finding a non-intrusive way to help them from getting nailed is in everybody's long term interest (except maybe Microsoft or other non-Linux vendors... and even they want a healthy Internet). In the worst-case scenario that this domain gets acquired by bad people and users get burned by this, it will make UNIX/Deb look bad, cause harm to various individuals, and potentially even lead to more spam or malware.

      Would you hold Microsoft liable for any software that a user downloads from any random site? I'm sure you wouldn't. So why in this case, Debian would be? This makes no sense.

    26. Re:Why not... by HiThere · · Score: 1

      This is already a third party repository, and many third party repositories don't have proper signing. I don't know what the status was for debian-multimedia.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    27. Re:Why not... by Zero__Kelvin · · Score: 1

      The point is that you include as an OS update some code that optionally redirects the website. Something that pops up and explains the danger and then allows the system admin to choose what to do.

      One of the major reasons for package management and updates isn't to help close security holes in the system. Saying it is outside the domain of package management to ensure the security of the package management system is, frankly, pretty ludicrous. It is indeed the whole point of having one that possible security holes can be plugged. As far as what package to add the patch, the problem isn't how to do it. The very solvable problem is: which out of the hundreds of ways we can think of off the top of our head should we use?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    28. Re:Why not... by Nutria · · Score: 1

      include as an OS update

      Put it in a kernel update? Shirley, you jest!

      It's possible to add a bit of grep(1) and sed(1) to the apt package to comment out references to debian-multimedia.org in the /etc/apt tree.

      Honestly, though, this is the responsibility of the owner/sysadmin of the machine. There are dozens and dozens of non-canonical repositories, and Debian Developers can't be responsible for keeping track of all of them. The owner/sysadmin added the 3rd party repositories, and he should be responsible for maintaining them. I say that as a long-time Debian and now Ubuntu user who's added more than a few repositories.

      --
      "I don't know, therefore Aliens" Wafflebox1
  3. Just don't ignore any warnings? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Please correct me if I'm wrong for this specific one; but the official repositories and many of the 3rd party ones are signed, and you mark the corresponding public key as trusted when you add the repo. Unless the new owner got the domain name and the signing key, their ability to fuck with you is pretty much limited to breaking dependencies in assorted creative ways. Unless you speed through those annoying warnings about crypto issues, in which case you are executing god-knows-what as root. So don't do that.

    1. Re:Just don't ignore any warnings? by BitZtream · · Score: 1

      The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re: Just don't ignore any warnings? by Anonymous Coward · · Score: 0

      If someone is ignoring warnings about missing public keys, they probably also have bigger problems.

    3. Re:Just don't ignore any warnings? by fuzzyfuzzyfungus · · Score: 3, Informative

      The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

      True, having your system chatting with random servers about how it could really use an update isn't a good thing. My point/question was just that, even if you control the domain name the apt sources point to, you can't actually tamper with package payloads without apt freaking out about it, which at least mitigates the damage.

    4. Re: Just don't ignore any warnings? by jones_supa · · Score: 1

      If someone is ignoring warnings about missing public keys, they probably also have bigger problems.

      Alcoholism, depression...

    5. Re:Just don't ignore any warnings? by Anonymous Coward · · Score: 1, Insightful

      Several attacks are possible if you control the repo but not the package contents though. Debian (and many other Linux "vendors") were supposed to be vaguely addressing this, but it never really got the priority it needed. If you're running a big corporate distro (e.g. RHEL) you are OK because the repos are SSL, so most attacks aren't viable without breaking SSL on top of everything else, but all the volunteer distros like Debian use unencrypted repos so...

      1. The bad guys can refuse to tell you about a security update you actually needed, fooling you into thinking you're secure when actually they have an exploit that you were supposed to be updated against but you aren't.
      2. The bad guys can trickle you a "bad" update that's been superseded, making your security worse. This is a genuine update, made by (in this case) Debian, but which happened to have some bug in it that you'd rather not have. Real repos may have held this update only for a few hours at some point, or even only on some testing server and not on their main repo at all, but if they're signed then you'll never know once the bad guy repo lies to you about how you ought to download the update.

    6. Re: Just don't ignore any warnings? by Threni · · Score: 2

      Lions, tigers, bears...

    7. Re: Just don't ignore any warnings? by sjames · · Score: 1

    8. Re:Just don't ignore any warnings? by GPLHost-Thomas · · Score: 1

      but all the volunteer distros like Debian use unencrypted repos so...

      See what I wrote above. This is simply wrong. There's a Release.gpg file which is signed by the FTP masters, and which validates the repository.

      1. The bad guys can refuse to tell you about a security update you actually needed, fooling you into thinking you're secure when actually they have an exploit that you were supposed to be updated against but you aren't. 2. The bad guys can trickle you a "bad" update that's been superseded, making your security worse. This is a genuine update, made by (in this case) Debian, but which happened to have some bug in it that you'd rather not have. Real repos may have held this update only for a few hours at some point, or even only on some testing server and not on their main repo at all, but if they're signed then you'll never know once the bad guy repo lies to you about how you ought to download the update.

      Please don't spread such non-sense. This can't happen, unless the user chooses to dismiss the warnings that apt is shouting...

    9. Re:Just don't ignore any warnings? by petermgreen · · Score: 1

      Specifically the release file is signed. That contains the secure hashes of the package lists files which in turn contain secure hashes of the actual packages. If files don't match the expected hashes apt will refuse to use them. If the release file is unsigned or signed by an unknown key apt will warn the user and ask them if they want to continue.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    10. Re:Just don't ignore any warnings? by Anonymous Coward · · Score: 0

      I am rather certain that a DOS and a replay attack are both possible even with a signed repository.

      There are ways to prevent replay attacks, which I hope that apt-get would employ. DOS is impossible to prevent if you are communicating with an untrusted source, (actually DOS is impossible to entirely prevent in any circumstances).
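The hash chain petermgreen describes (signed Release, which lists the Packages index hashes, which list the .deb hashes) and the replay question raised just above, as an added example. This is my illustration, not Debian's or apt's code: the OpenPGP check of Release.gpg/InRelease against the archive key is assumed to have happened already and is not reimplemented; what is shown is everything below it, plus the Valid-Until check apt applies to a Release file. The repository files, package name and dates are all constructed.

```python
"""Added example, not Debian's or apt's code.  Hash chain under a signed
Release file: (1) Release.gpg/InRelease verified with the archive key,
assumed done beforehand and not reimplemented; (2) Packages must match the
SHA256/size in Release; (3) each .deb must match the SHA256/size in Packages.
Everything below is constructed for illustration."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_release(text):
    """Return ({path: (sha256, size)}, valid_until) from a Release body."""
    digests, valid_until, in_sha256 = {}, None, False
    for line in text.splitlines():
        if line.startswith(" "):
            if in_sha256:                  # " <sha256> <size> <path>"
                digest, size, path = line.split()
                digests[path] = (digest, int(size))
            continue
        in_sha256 = line.startswith("SHA256:")
        if line.startswith("Valid-Until:"):
            valid_until = line.split(":", 1)[1].strip()
    return digests, valid_until


def parse_packages(text):
    """Return {Filename: (sha256, size)} from a Packages index."""
    entries, stanza = {}, {}
    for line in text.splitlines() + [""]:   # "" flushes the last stanza
        if not line.strip():
            if "Filename" in stanza:
                entries[stanza["Filename"]] = (stanza["SHA256"], int(stanza["Size"]))
            stanza = {}
        elif not line.startswith(" ") and ":" in line:
            key, value = line.split(":", 1)
            stanza[key] = value.strip()
    return entries


def matches(expected, data):
    digest, size = expected
    return len(data) == size and sha256_hex(data) == digest


def verify_index(release_text, path, index_bytes):
    """Step 2: Packages must match its entry in the signed Release."""
    digests, _ = parse_release(release_text)
    return path in digests and matches(digests[path], index_bytes)


def verify_deb(packages_text, filename, deb_bytes):
    """Step 3: the .deb must match its entry in the verified Packages."""
    entries = parse_packages(packages_text)
    return filename in entries and matches(entries[filename], deb_bytes)


def release_is_current(release_text, now):
    """Step 1b: reject a Release past its Valid-Until.  With no such field a
    replayed Release is accepted however old it is, so a host that has the
    domain but not the key can keep clients from seeing newer updates."""
    _, valid_until = parse_release(release_text)
    if valid_until is None:
        return True
    expiry = datetime.strptime(valid_until, "%a, %d %b %Y %H:%M:%S %Z")
    return now <= expiry.replace(tzinfo=timezone.utc)


# Constructed repository: a stand-in .deb, its Packages index, and Release.
DEB_NAME = "pool/main/f/foo/foo_1.0-1_amd64.deb"
DEB = b"constructed stand-in for a .deb payload\n"
PACKAGES = ("Package: foo\nVersion: 1.0-1\nArchitecture: amd64\n"
            f"Filename: {DEB_NAME}\nSize: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n\n").encode()
INDEX_PATH = "main/binary-amd64/Packages"
EXPIRY = "Sat, 22 Jun 2013 10:00:00 UTC"
RELEASE = ("Origin: Debian\nSuite: stable\nCodename: wheezy\n"
           f"Date: Sat, 15 Jun 2013 10:00:00 UTC\nValid-Until: {EXPIRY}\n"
           f"SHA256:\n {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n")
RELEASE_NO_EXPIRY = RELEASE.replace(f"Valid-Until: {EXPIRY}\n", "")
LATER = datetime(2013, 7, 1, tzinfo=timezone.utc)   # client clock after expiry


def demo():
    """What a domain hijacker without the signing key can and cannot do."""
    index = PACKAGES.decode()
    return {
        "genuine index accepted": verify_index(RELEASE, INDEX_PATH, PACKAGES),
        "genuine deb accepted": verify_deb(index, DEB_NAME, DEB),
        "tampered deb accepted": verify_deb(index, DEB_NAME, DEB + b"backdoor"),
        "tampered index accepted": verify_index(RELEASE, INDEX_PATH, PACKAGES.replace(b"1.0-1", b"9.9-9")),
        "stale Release accepted, Valid-Until set": release_is_current(RELEASE, LATER),
        "stale Release accepted, no Valid-Until": release_is_current(RELEASE_NO_EXPIRY, LATER),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two tampering cases fail without the key ever being involved, which is the mitigation fuzzyfuzzyfungus describes. The last two rows show the gap the replay comment is pointing at: the stale but validly signed Release is rejected only when the archive sets Valid-Until; without it, an old Release is accepted indefinitely, and the only defence left is the user noticing that no updates have arrived for a suspiciously long time.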

  4. Ugh, forks by BitZtream · · Score: 4, Interesting

    He said (d-m.o) he stopped using the name because she told him to.

    She said (the actual debian team) he shouldn't use the confusion it causes and people think donating to him is for Debian in general due to the scammy way its worded and fine print ...

    He said, I'll just dump the original name, then in my nice passive aggressive way, I'll use another name that is going to cause more or less the exact same problem! That'll teach those guys!.

    She then had to warn all of her customers because he just let the domain expire and be taken over by someone else for phishing purposes, he is such a considerate guy, she said under her breath.

    So basically, the debian-multimedia guy is being an ass by not only making a new nearly equally confusing name, the jack ass let the old one expire immediately so that someone else could pick it up, and in tiny print (wtf is with jackasses making text small, let the browser do its job douche) he puts on his website ... that no one visits after the initial hits because they now have the repository in /etc/apt anyway ... there he tells of the change ...

    Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it, this is a known issue and the d-m.o guy is just being an unhelpful ass.

    After reading everything, I think d-m.o douche could have been a lot more professional.

    He could have been a normal person and just done what debian asked ... put a notice on his page saying 'I'm not taking these donations for debian, they are for me!' but instead he didn't want to.

    He's essentially trying to scam people into donations unless they carefully read the right parts of his site. Now I'm all for reading the fine print, but when you are intentionally scamming people and trying to skirt around that fact by 'the fine print' so to speak, you're still just a scumbag.

    This guy, needs to be blacklisted by geeks. No one should give him money, he's not a team player, a bad sport, a jerk, and a scammer. He's a passive aggressive asshole.

    Yes, I can get that from reading a couple of his websites and an email thread on the Debian lists.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Ugh, forks by Anonymous Coward · · Score: 0

      Sounds like a good reason to use a distribution that includes such basic functionality in their primary repositories. As a bonus, you can pick a distribution that ships vanilla packages instead of packages that are heavily patched by random idiots (hurr durr I can do crypto better than the OpenSSH developers!).

    2. Re:Ugh, forks by Anonymous Coward · · Score: 0

      A lot of the language you call scammy and passive aggressive is due to english as a second language.

    3. Re:Ugh, forks by BitZtream · · Score: 0

      I don't think so. If that were the case he could have just corrected it, which was brought up. He instead claimed that he made it clear and that if you read the page you would know. If that were the case, it wouldn't have come up. He's clearly trying to not make it obvious. Instead of just fixing it, he made a different, clearly passive aggressive move. Using deb-multimedia instead of debian-multimedia ... seriously? Dropping the original domain rather than doing something intelligent like ... using a redirect or error page for a while? FFS, godaddy and register will host a basic page for like $15/year and that includes the cost of the domain if you use a coupon from retailmenot or google.

      He's really just showing his ass, spoken language isn't needed. His actions speak clearly.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re: Ugh, forks by Anonymous Coward · · Score: 0

      If you have a problem with the process and care to help, you are welcome to join. So far, the project seems to be working well. I'm sure you have seen the stories about NASA's Debian expansion, but many other organizations also use them. However, RHEL, CentOS, openSUSE, Ubuntu, and many others are also in great shape, and all of them share package maintainers.

      You are right not to trust anyone absolutely. Compiling from audited source will always be the best practice for those who can. Compiling without auditing is good as well if many eyes can see the source, and using trusted binaries is still acceptable for most. Fortunately, most people now have at least basic security in their software, but there's plenty to do.

    5. Re:Ugh, forks by jabuzz · · Score: 2, Insightful

      The issue is the Debian team were demanding things that they could not expect. The maintainer of d-m.o was free to do whatever they wanted which includes maintaining separate versions of packages in Debian proper. They pointlessly demanded that he stop using debian in his domain name which achieved nothing. It did not reduce any confusion, and it did not stop him doing what he was doing before. Worse than that the domain expired and some random other person picked it up.

      The Debian team have a habit of being self obsessed holier than thou righteous pricks at times. This is one of them.

    6. Re:Ugh, forks by Anonymous Coward · · Score: 1

      they have a legal obligation to actively protect the trademark so that they do not lose it. deal with it.

    7. Re:Ugh, forks by Anonymous Coward · · Score: 0

      They could easily uphold trademark by licensing the name to d-m.o. Seems a given considering its run by a Debian project member even. But no, instead they decided to flex their muscle because they didn't like that he rolled competing packages.

    8. Re:Ugh, forks by GPLHost-Thomas · · Score: 1

      Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it

      Stop the non-sense, and read the man page for apt-key and how the Release.gpg file works.

    9. Re:Ugh, forks by GPLHost-Thomas · · Score: 4, Informative

      They pointlessly demanded that he stop using debian in his domain name which achieved nothing.

      Not what happened. We asked Christian Marillat (the old owner of debian-multimedia.org) to stop doing things separately, and work with the Debian Multimedia team. He was also asked to stop building packages which are constantly breaking upgrades from one Debian version to the next. But it seems he prefers doing things alone...

    10. Re:Ugh, forks by GPLHost-Thomas · · Score: 1

      They could easily uphold trademark by licensing the name to d-m.o.

      And by that, supporting a website which provides packages that breaks upgrades in Debian? Thanks but no thanks.

    11. Re:Ugh, forks by Anonymous Coward · · Score: 0

      Could you stop writing "non-sense"? It's extremely irritating.

    12. Re:Ugh, forks by marcosdumay · · Score: 1

      From the point of view of a user, it's a hard choice.

      Yeah, d.m.o packages do break upgrades, creating extra work and making the system less stable. But then, the official repository does not carry lots of software that are prohibited by US laws... Well, not the entire world is subject to US laws.

    13. Re:Ugh, forks by GPLHost-Thomas · · Score: 1

      But then, the official repository does not carry lots of software that are prohibited by US laws... Well, not the entire world is subject to US laws.

      Exactly what software are we talking about here? These days, there's pretty much everything you need from Debian main.

    14. Re:Ugh, forks by marcosdumay · · Score: 1

      I've just added deb-multimedia again to my PC because of dvdrip. Ok, I was just assuming that it wasn't there because it's illegal at the US, it could be because of several reasons.

  5. DPL, the ultimate sticklers by MetalliQaZ · · Score: 2, Insightful

    Step 1: Make pointless and annoying request
    Step 2: Watch as security problem is created in the fallout
    Step 3: Be smug

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    1. Re:DPL, the ultimate sticklers by Kidbro · · Score: 4, Informative

      Except, of course, that the request wasn't pointless:
      http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html

      The name actually caused real problems for Debian maintainers and users.

    2. Re:DPL, the ultimate sticklers by c · · Score: 1

      The name actually caused real problems for Debian maintainers and users.

      Hmmm... well, having scanned through that thread (read it folks, it's not that long), all I can say is that if that's the DPL-approved way of fixing problems, I don't want those idiots anywhere near my plumbing.

      Public ultimatums are not an appropriate or effective technique to use on someone you don't have any functional control over.

      --
      Log in or piss off.
    3. Re:DPL, the ultimate sticklers by pla · · Score: 1

      Except, of course, that the request wasn't pointless

      Those do not describe "real" problems.

      The first describes why "unofficial" repositories exist in the first place - So we can install non-stock versions of packages. That breaks dependencies? Hey, the user has to choose to add those to his apt sources, so keep your nose out of it, DPL.

      And the second amounts to nothing more than weaselly lawyering up. Quick poll, everyone who loves FOSS at least in part to avoid that pro-corporate "protect our IP at all costs" bullshit, raise your hand? Yeah, thought so.

      From Redhat to Ubuntu and now to games like this from Debian, has the entire Linux community sold out?

      / Glad I've always preferred Slackware. No games, no GNU/purism, no corporate BS. Just a rock-solid distro that stays true to its roots.

    4. Re:DPL, the ultimate sticklers by Hatta · · Score: 1

      I don't understand. "Package duplication" should not be a problem for any decent package manager, and it's not. Apt pinning allows you to choose which repository you get your packages from.

      --
      Give me Classic Slashdot or give me death!
    5. Re:DPL, the ultimate sticklers by Kidbro · · Score: 1

      The problem essentially boils down to people reporting bugs in dmo-packages directly to debian itself. Sometimes in obscure ways so that it takes time to identify the mistake. This puts an unneeded burden on debian developers, when it's reports for software that's out of their control.

      All debian wants here is to not take the blame for, and spend unneeded work on resolving issues coming from broken dmo-packages. The risk of that happening decreases if 'debian' is not in the name. One of the bug reports linked in the DPL's post pretty much directly states that since the URL had "debian" in its name, the user thought it was an official debian repo.

    6. Re:DPL, the ultimate sticklers by Kidbro · · Score: 1

      / Glad I've always preferred Slackware. No games, no GNU/purism, no corporate BS. Just a rock-solid distro that stays true to its roots.

      That's cool. How about if Volkerding had to spend all his time addressing bogus bug reports caused by fucked up packages people found on slackware-coolstuff.org?

      Debian doesn't have a problem with unofficial sources. Heck, they don't even have a problem with broken packages. They only have a problem with having to spend time resolving bugs that turn out not to be theirs. If it was obvious that dmo wasn't an official repo, there wouldn't be a problem. That's exactly what the name change is trying to address.

    7. Re:DPL, the ultimate sticklers by GPLHost-Thomas · · Score: 2

      Reducing what happened with Christian Marillat to only a single thread is deceptive. The issue with his repository breaking upgrades from one version of Debian to the next, and his constant refusal to work within Debian (even though he is a Debian Developer) is all but new.

    8. Re:DPL, the ultimate sticklers by GPLHost-Thomas · · Score: 1

      And the second amounts to nothing more than weaselly lawyering up. Quick poll, everyone who loves FOSS at least in part to avoid that pro-corporate "protect our IP at all costs" bullshit, raise your hand? Yeah, thought so.

      The issue wasn't only trademark. It was mainly that Debian users are fooled into believing that this was part of Debian, when it was not, and that this repository was breaking things badly.

    9. Re:DPL, the ultimate sticklers by GPLHost-Thomas · · Score: 1

      I don't understand. "Package duplication" should not be a problem for any decent package manager, and it's not. Apt pinning allows you to choose which repository you get your packages from.

      That would be right if the d-m.o repository was configured correctly (but it was not), and respected the version numbering of Debian so you could upgrade correctly (but it did not).

    10. Re:DPL, the ultimate sticklers by cjav · · Score: 2

      Except, of course, that the request wasn't pointless:

      Not only that, but please go and find a better example of excellent communication skills in an easily flammable thread:
      http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/027482.html

      My tip of the hat to Stefano Zacchiroli for keeping it so cool and on point. This looks like childish behavior that hurts the very project the Debian Multimedia maintainer seems to want to help.

    11. Re:DPL, the ultimate sticklers by Anonymous Coward · · Score: 0

      Not to mention the fact that the debian-multimedia domain has been in use since 2006 by this guy. It's only a trademark issue after 7 years of use?

      He upset another debian developer and they flexed their muscles, and it doesn't surprise me one bit. This sort of thing is, unfortunately, pretty common.

    12. Re:DPL, the ultimate sticklers by c · · Score: 1

      Reducing what happened with Christian Marillat to only a single thread is deceptive.

      Probably. It doesn't change my point.

      By forcing a name change, all they've accomplished is to piss off the people who value his service over any breakage that he manages to cause and to make him even less likely to give a shit about what the Debian project wants or needs (assuming he could care even less than he already did).

      People use his services to solve a problem with the core Debian distro, and apparently he runs his service well enough that people continue to rely on his stuff. The only way to "get rid of him" is to offer a better solution to the underlying problem, not to play games with names.

      --
      Log in or piss off.
    13. Re:DPL, the ultimate sticklers by GPLHost-Thomas · · Score: 1

      By forcing a name change

      Nobody forced him to change the name. The DPL asked him to stop confusing his users into believing that donations would go to the Debian project. That's very different. And then he twisted it, and changed his domain name, so he wouldn't be bothered. I'm quite sure users will still get confused. Probably that's what he wants.

      People use his services to solve a problem with the core Debian distro, and apparently he runs his service well enough that people continue to rely on his stuff. The only way to "get rid of him" is to offer a better solution to the underlying problem, not to play games with names.

      Such a better solution (which would be: work more with the Debian Multimedia team, and make his repository not needed anymore, with everything directly available in Debian) has been attempted multiple times. Though he didn't seem to care about doing that. Please don't blame Debian here.

    14. Re:DPL, the ultimate sticklers by c · · Score: 1

      Nobody forced him to change the name.

      "Force" is maybe a strong word. It was one of the two options given, presented as if it might be undesirable, and it doesn't look like he wasted much time thinking about it.

      Such a better solution (which would be: work more with the Debian Multimedia team, and make his repository not needed anymore, with everything directly available in Debian) has been attempted multiple times. Though he didn't seem to care about doing that.

      Actually, from my read of the situation, a better solution doesn't involve him at all. That's usually the case where you have intractable personalities associated with a problem.

      --
      Log in or piss off.
  6. Vulnerability in repo system itself by tepples · · Score: 1

    If the individual packages in the repository are signed but the repository as a whole is not, then there is a problem with how the repository system is designed. The list of files on the repository should be signed with the repository's own key.

    1. Re: Vulnerability in repo system itself by Anonymous Coward · · Score: 0

      Debian repositories have been signed since 2005. http://wiki.debian.org/HowToSetupADebianRepository

    2. Re:Vulnerability in repo system itself by Anonymous Coward · · Score: 0

      The binary packages (*.deb files) are not signed. It's the "Release" file that is signed. It contains checksums of the "Package" files that contain checksums of the "*.deb" files.

    3. Re:Vulnerability in repo system itself by GPLHost-Thomas · · Score: 1

      If the individual packages in the repository are signed but the repository as a whole is not[...]

      man apt-key ...

      I think here, you are mistaking Debian for RedHat ... Packages are signed individually by their maintainer. But that is used only to validate an upload to the Debian repository. What is in use by Debian users, unlike on an RPM based system, is the Release.gpg file, which is the signature for the repository. This, in the official Debian repositories, is signed by the FTP masters (and the key used to sign the repository is signed by multiple Debian Developers, all in the web of trust).

    4. Re:Vulnerability in repo system itself by kasperd · · Score: 1

      The binary packages (*.deb files) are not signed. It's the "Release" file that is signed. It contains checksums of the "Package" files that contain checksums of the "*.deb" files.

      Those are probably not checksums, but actually cryptographic hashes. And assuming they are actually cryptographic hashes, then signing the hash or signing the input is pretty much the same thing. You never sign the actual files in the first place (since they are too large to be input into the signing algorithm), you always hash the data to be signed and then sign the hash. Adding more layers of hashing before you sign is really just constructing a hash tree, which is just another way of hashing data before you sign it.

      The main difference between a sequential hashing algorithm and a hash tree is that the tree structure allows for parallel computations of the hash, as well as allows for checking just those parts of the data which you are interested in rather than having to work through the entire computation.

      --
      Do you care about the security of your wireless mouse?
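      As an added example (not code from this thread, nor from apt or Debian's archive tools), here is a small Python walk of the hash chain described in the replies above: a trusted root vouches for Release, Release lists the SHA256 of the Packages index, and Packages lists the SHA256 of each .deb. The Release.gpg OpenPGP check is replaced by a pinned SHA-256 of the Release file (an assumption standing in for the signature), and the package path and bytes are constructed.

```python
"""Added example: verify the Release -> Packages -> .deb hash chain that apt
relies on, using constructed sample data. The Release.gpg signature check is
represented by a pinned SHA-256 of the Release file (an assumption standing in
for the OpenPGP step); everything else mirrors the real chain of hashes."""
import hashlib

# Constructed sample .deb contents and archive path (not a real package).
DEB_NAME = "main/binary-amd64/example_1.0_amd64.deb"  # hypothetical path
DEB_DATA = b"!<arch>\nconstructed-example-package-bytes\n"
INDEX_PATH = "main/binary-amd64/Packages"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages_index(deb_path: str, deb_data: bytes) -> bytes:
    """Build a minimal Packages stanza: Filename, Size and SHA256 of one .deb."""
    stanza = (
        "Package: example\n"
        "Version: 1.0\n"
        f"Filename: {deb_path}\n"
        f"Size: {len(deb_data)}\n"
        f"SHA256: {sha256_hex(deb_data)}\n\n"
    )
    return stanza.encode()


def build_release(index_path: str, index_data: bytes) -> bytes:
    """Build a minimal Release file listing the index's SHA256 and size."""
    return (
        "Origin: constructed-example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {sha256_hex(index_data)} {len(index_data):>16} {index_path}\n"
    ).encode()


def parse_release_sha256(release: bytes) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release.decode().splitlines():
        if not line.startswith(" "):          # a new top-level field starts
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(index: bytes) -> list:
    """Return a list of {field: value} dicts, one per stanza in Packages."""
    stanzas, current = [], {}
    for line in index.decode().splitlines():
        if not line.strip():                   # blank line ends a stanza
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_chain(release: bytes, trusted_release_sha256: str,
                 index_path: str, index: bytes, deb_files: dict) -> bool:
    """Walk the chain: trusted root -> Release -> Packages -> each .deb.

    deb_files maps archive path -> bytes as fetched. Returns False on the
    first mismatch, so a swapped or modified file is rejected before install.
    """
    # Step 1: stands in for checking Release.gpg against the pinned key.
    if sha256_hex(release) != trusted_release_sha256:
        return False
    # Step 2: Release vouches for the Packages index by hash and size.
    expected = parse_release_sha256(release).get(index_path)
    if expected != (sha256_hex(index), len(index)):
        return False
    # Step 3: Packages vouches for each .deb by Filename, Size and SHA256.
    for stanza in parse_packages(index):
        data = deb_files.get(stanza["Filename"])
        if data is None or len(data) != int(stanza["Size"]):
            return False
        if sha256_hex(data) != stanza["SHA256"]:
            return False
    return True


PACKAGES = build_packages_index(DEB_NAME, DEB_DATA)
RELEASE = build_release(INDEX_PATH, PACKAGES)
TRUSTED_RELEASE_SHA256 = sha256_hex(RELEASE)   # what the signature would attest


def demo_good() -> bool:
    return verify_chain(RELEASE, TRUSTED_RELEASE_SHA256, INDEX_PATH,
                        PACKAGES, {DEB_NAME: DEB_DATA})


def demo_tampered_deb() -> bool:
    # Same size, different bytes: caught by the SHA256 in Packages (step 3).
    altered = DEB_DATA[:-1] + b"?"
    return verify_chain(RELEASE, TRUSTED_RELEASE_SHA256, INDEX_PATH,
                        PACKAGES, {DEB_NAME: altered})


def demo_tampered_index() -> bool:
    # Re-pointing Packages at another .deb hash breaks the Release hash (step 2).
    altered = DEB_DATA[:-1] + b"?"
    forged = build_packages_index(DEB_NAME, altered)
    return verify_chain(RELEASE, TRUSTED_RELEASE_SHA256, INDEX_PATH,
                        forged, {DEB_NAME: altered})


if __name__ == "__main__":
    print(demo_good(), demo_tampered_deb(), demo_tampered_index())
```

      Whoever controls a domain can serve any bytes, but without the key that signs Release they cannot make a changed index or package verify; the chain only collapses when a client skips or re-fetches the key insecurely.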
  7. Such a distro would be illegal by tepples · · Score: 1

    Sounds like a good reason to use a distribution that includes such basic functionality in their primary repositories.

    Is it even legal to make such a distribution if you happen to live in the United States, Dice's home country? A lot of the multimedia functionality that people expect includes royalty-bearing technology such as MPEG audio and video decoders.

    1. Re: Such a distro would be illegal by Anonymous Coward · · Score: 0

      Possibly not. But then, nobody gives a fuck where their distro is "made", so why would that matter?

    2. Re: Such a distro would be illegal by Anonymous Coward · · Score: 0

      If you make the distro and start distributing software you can't legally distribute in your country, it will open you up to all sorts of legal issues. These start out with a C&D notice that makes it pointless to include the software in the first place and only goes downhill from there.

    3. Re:Such a distro would be illegal by tlhIngan · · Score: 1

      Is it even legal to make such a distribution if you happen to live in the United States, Dice's home country? A lot of the multimedia functionality that people expect includes royalty-bearing technology such as MPEG audio and video decoders.

      I'm fairly certain at this point that decoders are cheap or already paid for. I remember someone actually doing it, and I know when I installed Ubuntu 12.04, it asked if I wanted to install closed source binaries for that purpose. So someone paid for the royalties or arranged it to be royalty free.

      Not that there aren't ways to do it on Linux - Apple gives away the decoder for free with QuickTime. You don't need an iThing to download iTunes or QuickTime, after all, and if you get the Windows version, not a cent went to Apple to pay for it.

      Heck, I think Adobe gives away the decoder as well with their Flash plugin. Granted, the only way now is to use Chrome, but still.

      Of course, the thing is that doing so violates Debian's charter - but that's what the non-free repos are for.

  8. WHOIS by olsmeister · · Score: 1


    1. Re:WHOIS by shentino · · Score: 1

      Somehow I read that as "uranus" instead of "urbanus".

    2. Re:WHOIS by jones_supa · · Score: 1

      He seems to host some kind of motorcycle website there.

    3. Re:WHOIS by LordLimecat · · Score: 1

      Oh, I'm sure it will be fine. That looks perfectly trustworthy.

    4. Re:WHOIS by Trax3001BBS · · Score: 1

      Yes, looks like a squatter has set up shop, and a very impressive web page it is, if you like motorcycles.

      http://debian-multimedia.org/

      Visible DNS info: http://dns.robtex.com/debian-multimedia.org.html#records

    5. Re:WHOIS by marcosdumay · · Score: 2

      Anyway, he's currently serving 404 for requests for the software repository. So, it's not malicious.

  9. Why not automate the fix? by readingaccount · · Score: 1

    Given not everyone will know the repo has been moved and the domain is now registered to new owners, the most sensible approach in this case would have been to post an emergency update through the official Debian repositories, such that if the Debian-Multimedia.org entry is present, it is automatically removed from any sources.list files and replaced with deb-multimedia.org. No harm, no foul.

    1. Re:Why not automate the fix? by UltraZelda64 · · Score: 1

      I agree. If the Debian project wants to cause these possible security problems for stupid trademark/naming issues, then the least they can do is push an update to fix this for all affected users. As it is, they're causing a potential serious security problem for many of their users... and yet, actively doing nothing at all to eliminate the chance of Debian machines getting owned by malicious package installs. I would say that this is a pretty big mistake, on the level of the SSL certificate problem several years ago... but potentially much worse because the people within Debian itself knew the consequences and what could happen by forcing the changing of a major third-party repo after so many years.

    2. Re:Why not automate the fix? by BitZtream · · Score: 3, Insightful

      No one 'forced' him to change the name. Read that again. NO ONE FORCED HIM TO CHANGE THE DOMAIN NAME.

      They asked for him to stop soliciting donations in a way that made it look like he was doing it for Debian proper. Then if he didn't want to do that, they started clamping down on the name usage in order to resolve the real problem, which is him making it unclear that he isn't collecting for Debian proper.

      He's an ass and didn't want to stop scamming people for donations (he is intentionally misleading, this was discussed on the mailing list and it's clear), so he responded in a passive aggressive way.

      This isn't about 'trademarks' or naming, it's about integrity and ethical practices. The naming thing is just a way to force an uncooperative asshole into doing what they want. This is EXACTLY THE REASON TRADEMARK LAWS EXIST. To prevent some jackass like this from tricking people into donating to something other than what they think they are donating to.

      The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party, and that leads us to ...

      The big mistake is Linux geeks in general. You don't have signed repositories because you all get so uppity about someone being the 'central authority' that you lose basic functionality and usability ... and end up with the EXACT same flaws you rant on about. Don't let anyone centrally sign things and validate others as being legitimate, make everyone do it themselves! That's so much better! Power to the people! ... the people who will then put a single line in a relatively obscure configuration file and then forget it for the rest of the install.

      Then you come back ... and the solution you propose ... is to have the Debian organization function as a clearing house by remapping someone else's domain. Do you want them to run a walled garden or not? Pick one or the other. Just because you don't recognize your request as being a walled garden doesn't make it any less so. You're asking Debian to play moderator, gatekeeper.

      You'll then flip the fuck out if it turns out that debian-multimedia.org is owned by someone who is legitimate about it. (not likely, but not impossible, yet)

      No, they shouldn't patch the package manager for the good of others, they should let you get exploited. You added the repository of a douche, your problem. You didn't want them playing gatekeepers, remember, that's why you have an unsigned file without digital signatures as your list of repositories.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:Why not automate the fix? by KGIII · · Score: 1

      I haven't been following this so I don't know. You're not that clear either. First you say that nobody forced him to change the name. Then you say they "clamped down" on the name bit which, well, means they forced him to change the name unless I'm not getting something. It certainly sounds like they forced him to change the domain name given your description except you preface it by saying they didn't - then you say they did. Like I said, you're not helping.

      Perhaps you can clear up what you wrote?

      --
      "So long and thanks for all the fish."
    4. Re: Why not automate the fix? by Anonymous Coward · · Score: 0

      Having a central authority is not a solution either. It just opens another vector of attack. You fail to mention that this solution has been considered and rejected by others.

      However, there certainly is a flaw. A solution is coming, but no one has implemented it yet. I think it may require the ability to create artificial and temporary trusted authorities whose trustworthiness can be validated mathematically.

      We simply do not yet have software advanced enough to validate trustworthiness. Our reliance on trusting other people is still a point of vulnerability, as it has been for all of history. However, we now regularly trust many people we have never met.

      This is the frontier, and we haven't tamed trust yet.

    5. Re:Why not automate the fix? by Anonymous Coward · · Score: 0

      This is why you never use anything associated with freetards.

    6. Re:Why not automate the fix? by osu-neko · · Score: 1

      Then you say they "clamped down" on the name bit...

      No, you misread. They didn't "clamp down" on the name. You appear to have missed an "if" that was written above. They probably would have clamped down on the name if he had refused to make it clear that donations to him are not donations to Debian. But it never got that far. All they did do was "ask him to stop soliciting donations in a way that made it look like he was doing it for Debian proper." They made a request, that's all they did, and this was how he responded to the request.

      --
      "Convictions are more dangerous enemies of truth than lies."
    7. Re:Why not automate the fix? by KGIII · · Score: 1

      Ah - but they have this in there:

      "Then if he didn't want to do that, they started clamping down on the name usage in order to..."

      The sentence makes no sense so I read it as they started clamping down on the name usage (which is what it says). If he hadn't changed the name then they WOULD have started clamping down? Did they threaten to clamp down on the name usage? If they threatened then it could still be said that they forced him to change his name (it was the only alternative he had if he didn't want to change his donation crap).

      It isn't that I support the guy. Don't think that. It's that I want to understand the truth, not the nuance but the truth. I want to know what REALLY happened (without needing to go through all the lists) and it appears that people have gone through the lists and they're not being all that informative. Yes, yes I'm lazy but that's the point of being on a site such as this - sharing of information.

      I didn't really misread the "if" I just didn't know if it was in error or intentional or just meant to obscure as the remainder of the sentence says that they DID start clamping down. The two parts of the sentence do not go together. If he didn't do something they started something. It makes no sense.

      --
      "So long and thanks for all the fish."
    8. Re:Why not automate the fix? by petermgreen · · Score: 1

      The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party

      We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.

      1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
      2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to do so in a secure manner. They are likely to either go to the website on the domain in question to get the key or download it from a public keyserver by its 32-bit key ID (which are easy enough to collide).

      --
      Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register.
    9. Re:Why not automate the fix? by sjames · · Score: 1

      So they demanded that he pick one of two options, the least unpalatable of which was changing the domain name.

      So, yes they did force him to change the domain name, even if they were nice about it.

    10. Re:Why not automate the fix? by julesh · · Score: 1

      The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party

      We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.

      1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
      2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to do so in a secure manner. They are likely to either go to the website on the domain in question to get the key or download it from a public keyserver by its 32-bit key ID (which are easy enough to collide).

      Or, worse still: apt-get install deb-multimedia-keyring as is recommended on the archive's home page.

    11. Re:Why not automate the fix? by Anonymous Coward · · Score: 1

      Bullshit.
      http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html

      Thinking about it, I think we should choose one of the two possible ways
      forward:

      1) You and the pkg-multimedia team reach an agreement on
            which-packages-belong-where. One way to settle would be that for
            every package that exists in the official Debian archive, the same
            package should not exist in d-m.o, unless it has a version that does
            not interfere with the official packages in "standard" Debian
            installations. Another way would be to rename packages and sonames.

            I understand that such agreements would give a sort of "advantage" to
            the pkg-multimedia people over d-m.o, but that seems to be warranted
            by the fact that they are doing the official packaging, while you're
            not. If, as I hope, you could start doing your packaging work
            (wherever possible) within Debian as well, things would be different
            and we could consider solving potential technical conflicts in the
            usual Debian way.

      2) You stop using "debian" as part of the domain name of your
            repository, which is confusing for users (e.g. [2,3]). That would
            allow each part to keep on doing what they want in terms of
            packaging, but at least would remove any of the existing doubts
            about the official status of d-m.o.

            [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660924#20
            [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668308#47

            I can imagine that would be a painful step for you to take, given the
            well established domain name. But it seems fair to ask you to do so
            if we couldn't manage to find an agreement between you and the
            official Debian packaging initiative of software you're maintaining
            in an unofficial repository.

      TLDR version: rename all packages that collide with debian package names or drop the domain name.

    12. Re:Why not automate the fix? by jedidiah · · Score: 1

      So the alternative is what exactly? Windows download sites that inject their own adware and spam into someone else's software?

      --
      A Pirate and a Puritan look the same on a balance sheet.
    13. Re:Why not automate the fix? by JackieBrown · · Score: 1

      I'm not sure if they can. The whole reason for that repo is that it contained packages not legal for Debian to distribute in all countries. Doing your fix would imply that Debian endorses and aids this repo.

    14. Re:Why not automate the fix? by tqk · · Score: 1

      So they demanded that he pick one of two options, the least unpalatable of which to him was changing the domain name and to continue to obfuscate for whom he was soliciting donations.

      FTFY.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    15. Re:Why not automate the fix? by tqk · · Score: 1

      This is why you never use anything associated with freetards.

      Such as The World Wide Web? Okay, bye! That's one less imbecilic AC we'll need to deal with. You're welcome. :-)

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    16. Re:Why not automate the fix? by sjames · · Score: 1

      If I wanted my statement politicized, I'd have done it myself.

      As for the 'to him' crack, naturally, were you expecting him to take the action least unpalatable to Ernest Spinkmeyer of Walla Walla Washington instead?

      As a native English speaker and literate, I see nothing obscure about his solicitation for donations. I can see how some *might* have been confused when it was debian-multimedia if they didn't read any of the available documentation. What would you have him call the repo? Blotzig4windows?

    17. Re:Why not automate the fix? by tqk · · Score: 1

      If I wanted my statement politicized, I'd have done it myself.

      Yeah, don't bother to consider that anyone might have thought it already was politicised.

      As for the 'to him' crack ...

      Just pointing out that he chose this course of action. He could have just clarified the situation. Instead, ...

      As a native English speaker and literate, I see nothing obscure about his solicitation for donations.

      Irrelevant. Debian did think so, and it was their choice to make.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    18. Re:Why not automate the fix? by sjames · · Score: 1

      And he took one of the actions they demanded. I didn't claim it was wrong of Debian to demand it at all. But it is disingenuous to claim that he took this action with no prompting and even more so to lay the current problem (if it even is a problem) at his feet.

  10. Attacks on Package Managers by Anonymous Coward · · Score: 4, Interesting

    https://www.cs.arizona.edu/stork/packagemanagersecurity/

    Do read it all. It may not apply here but it should be read by everyone who uses package managers.

    1. Re:Attacks on Package Managers by Anonymous Coward · · Score: 0

      That article is nearly five years old. How can we know how much of it is still relevant?

    2. Re: Attacks on Package Managers by Anonymous Coward · · Score: 2, Informative

      Vulnerabilities do not vanish with time, but good geeks adapt. Eight years ago, Debian responded to these problems. http://wiki.debian.org/HowToSetupADebianRepository

  11. mostly a non-issue by louden+obscure · · Score: 4, Informative

    I've had this repo in my apt list forever; it's changed names three times and has had two maintainers since I added it to my list. It's where the DVD decrypter deally lived, and a better mplayer package, and, well, surprise, multi-media packages that were/are bleeding edge compared to the stock Debian fare. I changed my apt source ages ago to reflect the title change after I noticed apt-get was pitching a fit; it only took opening up another browser tab and going to the multi-media web site to see why. You have to manually edit/write a file to add the repo, manually grab and load the key. Jeeze, I always have to add non-free and contrib on a new default install.

    I'm cutting the multi-media maintainer lotsa slack, I appreciate his effort.


    --
    Serenity now, insanity later.
    1. Re:mostly a non-issue by Anonymous Coward · · Score: 0

      I honestly can't tell why Debian insists on using years-old software, and not including basic, commonly-used packages in its repository (e.g., avidemux). I left Debian for Xubuntu a few years ago and made the mistake of installing Debian when I reformatted my work workstation. It may have been stable, but many packages were noticeably outdated (it shipped with OpenOffice 2, Ruby 1.8, and PHP 5.1—all uselessly out of date); it was like running RHEL.

    2. Re:mostly a non-issue by Anonymous Coward · · Score: 0

      Bullshit.

      Lenny, released in Feb 2009, has ruby 1.9 packages. The php5 version was 5.2.6. Squeeze, released Feb 2011, uses Openoffice 3.2.

      Debian Stable packages are up to a few years old; it's a stable release, not bleeding edge. However, your numbers are laughably wrong, or you just neglected to mention that your experience, and all of your data, is from 5+ years ago. If it's been that long, then your experience, and your numbers, are uselessly out of date.

    3. Re:mostly a non-issue by Anonymous Coward · · Score: 0

      In my opinion as a long-term outsider, Debian are very careful about possible lawsuits. You have to give them that. They don't need the extra hassle.

    4. Re:mostly a non-issue by x_t0ken_407 · · Score: 1

      From my understanding, Debian-stable is MEANT to have stable, working packages, much like RHEL intends. Not sure why you were surprised...next time RTFM. I've never used Debian in my life, but even I know that there are different branches you can follow that are intended for different needs (stability, bleeding-edge, etc.)

    5. Re:mostly a non-issue by Hatta · · Score: 1

      If you want current packages, use the unstable repository. Note that it's the repository that's unstable, not the operating system. Every week there are dozens of updates to the repository, but my system never crashes. Sid makes a great desktop or HTPC. Stable is for servers only.

      --
      Give me Classic Slashdot or give me death!
  12. Yup, all-too-common free software experience: by aussersterne · · Score: 1, Insightful

    break something that's working well just to score correctness points, because in free software, "working well" and "correct" are often not only separate quantities, but orthogonal ones.

    --
    STOP . AMERICA . NOW
    1. Re:Yup, all-too-common free software experience: by GPLHost-Thomas · · Score: 1

      break something that's working well.

      This is only your view, but not the one of the Debian Multimedia team within Debian. In many ways, d-m.o broke upgrades, disrespecting the version numbers and such.

  13. Re:BTW by pinkushun · · Score: 1

    Analogous to a Trying-to-post-first-so-I-don't-care-if-my-response-is-half-baked post.

    So *not* informative.

  14. Re: multi-media bone headed stupidity! by Anonymous Coward · · Score: 0

    I have bad news for you. Most of those porn websites were not running Windows, so while you may think you were stroking yourself while watching Russian co-eds stroke a horses underside, you were actually entering terminal commands for Iranian Occupy Bitcoin miner vegans.

  15. Re: multi-media bone headed stupidity! by Anonymous Coward · · Score: 0, Offtopic

    I have bad news for you. Most of those porn websites were not running Windows, so while you may think you were stroking yourself while watching Russian co-eds stroke a horses underside, you were actually entering terminal commands for Iranian Occupy Bitcoin miner vegans.

    Funny as hell guy! When you wake up tomorrow and drive into Redmond I hope you think about how stupid the comment you made last night really was. One thing for sure you didn't turn your wife on the way I did after watching the Russians do their thing. Good thing that my e-mail does not get pounded like the idiots who use hotmail while watching the Russians all the time clicking on phoney links with aspx and even activex headers!!!!!

    I mean really here we are with the freakin' US government warning people about Microsoft and yet there are still some desperate trolls out there trying to push Windows as a secure method of browsing.

    No doubt the recent advertising that Bing is superior proves only one thing. The next move will be free advertising on Bing to screw over Google for good. But we are drifting off topic and I shall return to the topic.

    The guys and gals over at Debian cannot and will not endorse software that shows up on a repo using an apt file identifier that is not fully endorsed to be free from patent encumbered codecs. SO BIG FREAKING DEAL.

    It is Microshaft and their minions at MPEGLA that are usurping the ability of users to choose which operating system they want to use to watch DVDs on a computer. AND GUESS WHAT STUPID. In my books that is precisely the core of the issue.
    ALL pron, RUSSIAN NUDES and the like aside. Microsoft is a convicted monopolist and is manipulating legislators in the West to a disgusting degree.

    The only way to fight this bullshit is with the truth and again guess what the truth is that the majority of computer security issues come from the use of modified internet protocol shit from Microsoft that can and does hose system files in Windows.

    The last heavily publicized OS hack convention in Vancouver did not even include an Ubuntu machine this time....guess why, the last few times no one was able to pown one even with a stock install! So I guess that just goes to show how well the PR shill idiots from Microsoft are doing at keeping the computer sheep from moving to Linux.

    All I have to do is track this thread and again guess what the shills are still there bleating away at any possible chance to claim that Linux is as insecure as Windows. I highly doubt you even understand what an apt/sources list is for in the first place DO YOU? And again all one has to do is see if the source code is available and guess what sucker if the actual source will not build to the same signature as the binary then chances are the binary in the repo is flawed.

    US linux users have been checking code for years and some of us do not even write, but at least we understand why having the ability to confirm a binary is essential from a security point of view!

  16. Re:BTW by crutchy · · Score: 4, Funny

    it was however more informative than your reply

  17. Re:BTW by Anonymous Coward · · Score: 0

    The file is in /etc/apt.

    Cool story, bro.

  18. ). There. by xded · · Score: 3, Funny
    1. Re:). There. by Anonymous Coward · · Score: 0

      ... but now it's in the wrong place.

    2. Re:). There. by Anonymous Coward · · Score: 0

      Here, have a few more spares, just to be on the safe side: ) ) } )) ] ).

  19. What problems? by Anonymous Coward · · Score: 0

    The only problems listed were invalid whines of overly pedantic assholes who are just looking to pick a fight. How dare someone create a 3rd party archive that has the same package names. How dare someone create a domain name with the word debian in it. It's just so fucking confusing for people who are completely clueless. The concept of a PPA or third party repository is just too complicated for the high and mighty debian developers to handle. They would rather attempt to threaten anyone who dare threatens their pristine virgin OS by creating their own software repositories and sharing them with the public.

    Some people in the Debian project define success in how many packages they can get REMOVED from the repositories. The more popular the package is the better and more arcane the reasoning is the better, hence why Debian has iceweasel while virtually every single other linux distro has Firefox. They simply do it for the lulz.

    1. Re:What problems? by Anonymous Coward · · Score: 1

      you are an ignorant fool of a troll, but I'll answer anyway in case you are just plain ignorant.

      debian-multimedia was primarily renamed to deb-multimedia to protect the debian trademark, which the law says must be protected if you want to keep it.

      firefox was renamed iceweasel at the request of mozilla, after they removed their permission for debian to use their trademark on debian security packages. this is why on ubuntu you get new firefox versions in the LTS, and on debian you get bug and security fixes to the existing version without head-first upgrades to the next version.

    2. Re:What problems? by GPLHost-Thomas · · Score: 3, Interesting

      The more popular the package is the better and more arcane the reasoning is the better, hence why Debian has iceweasel while virtually every single other linux distro has Firefox.

      I didn't comment on the rest of it, because that's silly enough, so I'll comment only on that one. The problem with Firefox vs Iceweasel is located at the Mozilla foundation, which refuses to let anyone use the name Firefox (and its logo) if patches are added. Other distributions might just ignore that fact, but Debian cares about licenses and trademarks. If you want this to change, then you are welcome to ask Mozilla to change its trademark policy.

    3. Re:What problems? by petermgreen · · Score: 1

      Afaict there were two issues.

      1: Mozilla didn't like the use of the firefox name with the "unbranded" logos and debian considered the copyright license of the "branded" logos non-free.
      2: Mozilla wanted to be asked for approval for every patch.

      Personally I say kudos to debian for not rolling over to these demands.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    4. Re:What problems? by GPLHost-Thomas · · Score: 1

      Yeah, exactly. Mozilla asking for approval for every single patch is a violation of the Debian Free Software Guidelines paragraph 3 as seen here: http://www.debian.org/social_contract and which every DD has signed off on. Mozilla is evil here, not Debian.

  20. As bad as Windows by J_Darnley · · Score: 0

    So if it is no longer safe, does this just prove that Linux is just as bad as Windows when it comes to installing software from a random website?

    1. Re:As bad as Windows by Anonymous Coward · · Score: 0

      No.

  21. ahh.... by Anonymous Coward · · Score: 0

    Just let it be and see what great software will infest your machine shortly :)

  22. Not a huge problem by xororand · · Score: 1

    It's not a significant problem because the repository is signed with OpenPGP.
    aptitude displays a big red warning if there are unknown signatures in your repository.

    1. Re:Not a huge problem by julesh · · Score: 2

      It's not a significant problem because the repository is signed with OpenPGP.
      aptitude displays a big red warning if there are unknown signatures in your repository.

      Unfortunately, people are likely to respond to this warning by doing what the repository maintainer suggests on the repository's home page:

      apt-get install deb-multimedia-keyring

      Since Squeeze you can install this package with apt-get but you need to press Y when the package asks what to do and do not press return.

  23. Re:BTW by Stevebro · · Score: 1

    You are absolutely right http://workfinished.com/

  24. Re:BTW by JackieBrown · · Score: 1

    Yeah - I hate it when those Anonymous Cowards try to karma whore.

  25. Thank you USA by Anonymous Coward · · Score: 0

    True!

    A long time ago, Debian used to have a "non-US" repo that was for this stuff. But for some reason (worldwide law "harmonization"?) they got rid of it so things like Lame and libdvdcss and libtxc_dxtn are not *in* Debian anymore, but outside in the more or less dodgy deb-multimedia, and the reason for this is IMHO (watch out, I'm gonna shout)

    STUPID
    BLOODY
    SOFTWARE
    PATENTS

    Heh that feels better..

    And this is why it is difficult (using plain Debian) to play a DVD, rip a CD to MP3, or play commercial games with compressed textures.

  26. Garbage by tepples · · Score: 1

    I'm fairly certain at this point that decoders are cheap or already paid for.

    If someone is using Ubuntu to replace a Windows installation that will no longer boot or which will soon be no longer supported by Microsoft, then using the decoders that were paid for with Windows

    Not that there aren't ways to do it on Linux - Apple gives away the decoder for free with QuickTime. You don't need an iThing to download iTunes or QuickTime, after all, and if you get the Windows version, not a cent went to Apple to pay for it.

    The encoder still costs money ("QuickTime Pro"), and the last time I checked, iTunes was rated "garbage" in Wine.

    When I installed Ubuntu 12.04, it asked if I wanted to install closed source binaries for that purpose. So someone paid for the royalties or arranged it to be royalty free.

    The notice that I got stated that it might violate patent law to install those packages. So they're probably hosted in a country with no software patents.

  27. Use apt-key. by AliasMarlowe · · Score: 1

    They should just put an update to apt in the official repository that doesn't change anything except looking for that in the sources files and replaces it with the new correct one.

    No need for a patch to apt just for this. If you're using signed packages only (as most people do), then all of those from the bogus debian-multimedia will be flagged as unsigned or improperly signed. It's simple to avoid using apt-key... 'nuff said.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
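The audit that AliasMarlowe and the earlier posters describe (find every apt source entry still pointing at the expired debian-multimedia.org domain, then either drop it or repoint it at deb-multimedia.org) as an added shell example; it is not code from the thread or from Debian. The sources list below is a constructed sample, and the functions only transform text on stdout, so nothing under /etc/apt is modified until an admin chooses to apply the result.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread or the Debian project.
# Scans apt source entries for the expired debian-multimedia.org domain.

# Constructed sample of a sources.list (assumed content, for offline use).
SAMPLE_SOURCES='deb http://ftp.debian.org/debian squeeze main
deb http://www.debian-multimedia.org squeeze main non-free
deb-src http://www.debian-multimedia.org squeeze main
# deb http://debian-multimedia.org wheezy main
deb http://www.deb-multimedia.org squeeze main non-free'

# Print every line (numbered) that references the expired domain, including
# commented-out ones: a commented entry can be re-enabled later by mistake.
find_stale_entries() {
    printf '%s\n' "$1" | grep -n 'debian-multimedia\.org' || true
}

# Count only active (non-comment) entries, i.e. the ones apt would actually use.
count_active_stale() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -c 'debian-multimedia\.org' || true
}

# Emit a copy of the sources with every stale entry removed
# (what the Debian blog post asks users to do).
drop_stale_entries() {
    printf '%s\n' "$1" | grep -v 'debian-multimedia\.org' || true
}

# Emit a copy with the stale entries repointed at the maintainer's new domain
# (the alternative msauve suggests); the admin decides which copy to install.
# "deb-multimedia.org" does not contain the old name, so existing entries for
# the new domain are left untouched and nothing is rewritten twice.
rewrite_stale_entries() {
    printf '%s\n' "$1" | sed 's/debian-multimedia\.org/deb-multimedia.org/g'
}

# Stand-alone run: report, then show the cleaned copy.
if [ "${1:-}" = "--demo" ]; then
    echo "Stale entries:"; find_stale_entries "$SAMPLE_SOURCES"
    echo "Active stale entries: $(count_active_stale "$SAMPLE_SOURCES")"
    echo "Cleaned copy:"; drop_stale_entries "$SAMPLE_SOURCES"
fi
```

To run it against a live system, feed the output of `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` into the functions instead of the constructed sample, and review the cleaned copy before replacing anything.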