Slashdot Mirror


Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources

Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your sources.list file." Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.


  1. Moved to deb-multimedia.org by TREE · · Score: 5, Informative

    The repository is not gone, it just moved to http://deb-multimedia.org/

    1. Re:Moved to deb-multimedia.org by stephanruby · · Score: 3, Informative

      Not sure if you're using the debian-multimedia repository? You can easily check it by running:

      grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

      If you see a debian-multimedia.org line in the output, you should remove all the lines containing it.

    2. Re:Moved to deb-multimedia.org by msauve · · Score: 4, Insightful

      If you're going to karma whore, you should at least reference the OP.

      If you see debian-multimedia.org lines in the output, you might want to change all the lines containing it to use deb-multimedia.org instead.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:Moved to deb-multimedia.org by smooth wombat · · Score: 2

      Liar! Everyone knows that if you give software away for free you don't need money.

      That's why you don't have to pay for movies, songs or programs any more. You just go to Pirate Bay and get them for free.

      You must be living in a fantasy world if you think money is needed to make software.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
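A script that does what stephanruby (comment 1.1) and msauve (comment 1.2) describe by hand, and what osu-neko suggests further down (comment out the offending line rather than touch /etc/hosts): find active source lines that still name debian-multimedia.org, then either comment them out or rewrite the host to deb-multimedia.org. This is an added example, not a script from any of those posts or from Debian. The sample source lines, the www.debian-multimedia.org and www.deb-multimedia.org mirror hostnames and the suite names are constructed for the demonstration; file paths are taken as arguments so it can be tried on copies.

```shell
#!/bin/sh
# Added example for this thread, not a script from the post or from Debian.
# Audit apt sources for active lines that still point at the lapsed
# debian-multimedia.org host, then either comment them out (the safe
# default) or rewrite the host to deb-multimedia.org, where the
# repository now lives. File paths are arguments so the functions can be
# run against copies; on a real system they would be /etc/apt/sources.list
# and /etc/apt/sources.list.d/*.list, and the script would need root.

OLD_RE='debian-multimedia\.org'   # ERE for the lapsed host
NEW_HOST='deb-multimedia.org'
# An active source line: optional whitespace, "deb" or "deb-src", then
# the old host somewhere on the line. Lines already commented with "#"
# do not match and are left alone.
ACTIVE_RE="^[[:space:]]*deb(-src)?[[:space:]].*${OLD_RE}"

# find_stale_sources FILE...: print "file:line" for every active line
# that references the old host (nothing printed means nothing to fix).
find_stale_sources() {
    grep -H -n -E "$ACTIVE_RE" "$@" 2>/dev/null | cut -d: -f1,2
}

# fix_stale_sources MODE FILE...: MODE is "comment" (prefix the line with
# "# ") or "rewrite" (replace the old host with the new one on that line).
# Each changed file is backed up to FILE.bak first.
fix_stale_sources() {
    mode="$1"; shift
    case "$mode" in
        comment) script="/${ACTIVE_RE}/s|^|# |" ;;
        rewrite) script="/${ACTIVE_RE}/s|${OLD_RE}|${NEW_HOST}|g" ;;
        *) echo "usage: fix_stale_sources comment|rewrite FILE..." >&2; return 2 ;;
    esac
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -q -E "$ACTIVE_RE" "$f" || continue
        cp -p "$f" "$f.bak"
        # sed -i differs between GNU and BSD sed; write to a temporary
        # file and move it into place instead.
        sed -E "$script" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        echo "fixed $f (backup in $f.bak)"
    done
}

# Stand-alone demonstration on constructed sample files (the mirror URLs
# and suite names are made up for the example).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sources.list.d"
    cat > "$tmp/sources.list" <<'EOF'
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb http://www.debian-multimedia.org wheezy main non-free
# deb http://www.debian-multimedia.org wheezy-backports main
EOF
    cat > "$tmp/sources.list.d/multimedia.list" <<'EOF'
deb-src http://www.debian-multimedia.org wheezy main non-free
deb http://www.deb-multimedia.org wheezy main non-free
EOF
    echo "stale entries:"
    find_stale_sources "$tmp/sources.list" "$tmp"/sources.list.d/*.list
    fix_stale_sources comment "$tmp/sources.list" "$tmp"/sources.list.d/*.list
    echo "after commenting out:"
    cat "$tmp/sources.list" "$tmp/sources.list.d/multimedia.list"
    rm -rf "$tmp"
}

demo
```

Commenting out is the default because it is reversible and matches Debian's advice. The rewrite mode only changes the hostname: apt will still warn about an untrusted signature until the new repository's signing key is in the trusted keyring (comment 15 below quotes the maintainer's deb-multimedia-keyring instructions), and fetching that keyring package from the same repository is trust-on-first-use, so check its fingerprint against an independent source before accepting it.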
  2. Re:Why not... by Nutria · · Score: 4, Insightful

    (a) Because that's intruding where package management doesn't belong, and
    (b) into which package would you add this patch?

    --
    "I don't know, therefore Aliens" Wafflebox1
  3. Just don't ignore any warnings? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Please correct me if I'm wrong for this specific one; but the official repositories and many of the 3rd party ones are signed, and you mark the corresponding public key as trusted when you add the repo. Unless the new owner got the domain name and the signing key, their ability to fuck with you is pretty much limited to breaking dependencies in assorted creative ways. Unless you speed through those annoying warnings about crypto issues, in which case you are executing god-knows-what as root. So don't do that.

    1. Re:Just don't ignore any warnings? by fuzzyfuzzyfungus · · Score: 3, Informative

      The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

      True, having your system chatting with random servers about how it could really use an update isn't a good thing. My point/question was just that, even if you control the domain name the apt sources point to, you can't actually tamper with package payloads without apt freaking out about it, which at least mitigates the damage.
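To make fuzzyfuzzyfungus's point concrete (the Release file is signed and chains down to the package hashes, so whoever now holds the domain can serve bytes but cannot alter payloads without apt noticing), here is an added example, not code from the thread or from apt: a POSIX shell check of the Release -> Packages link of that chain. The dist layout, the package stanza and the names in it are constructed sample data; the OpenPGP signature check over Release, which is the actual root of trust and is what the new domain owner lacks the key for, is assumed to be gpgv's job and is not performed here.

```shell
#!/bin/sh
# Added example for this thread, not code from the post or from Debian/apt.
# apt's chain of trust: the keys in /etc/apt/trusted.gpg.d verify the
# OpenPGP signature on a dist's Release (Release.gpg or InRelease); the
# signed Release lists the size and SHA256 of every index file; the
# Packages index lists the size and SHA256 of every .deb. Whoever holds
# the domain can serve any bytes, but cannot re-sign Release without the
# signing key, so tampering below that point is caught by these hashes.
# This script checks the Release -> index link only; the signature step
# itself is gpgv's job and is not performed here. The dist layout,
# package stanza and names are constructed sample data.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release_hashes DIST_DIR: for each entry in the SHA256 section of
# DIST_DIR/Release, print "OK path", "MISMATCH path" or "MISSING path".
verify_release_hashes() {
    dist="$1"
    # The section starts at the "SHA256:" header and ends at the next
    # unindented line; entries are " <sha256> <size> <relative path>".
    awk '/^SHA256:/ {f=1; next} /^[^ ]/ {f=0} f {print $1, $2, $3}' "$dist/Release" |
    while read -r want_hash want_size path; do
        file="$dist/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
        elif [ "$(wc -c < "$file" | tr -d ' ')" = "$want_size" ] &&
             [ "$(sha256_of "$file")" = "$want_hash" ]; then
            echo "OK $path"
        else
            echo "MISMATCH $path"
        fi
    done
}

# dist_ok DIST_DIR: 0 if Release lists at least one file and every listed
# file matches, 1 otherwise (an empty listing would let anything through).
dist_ok() {
    out=$(verify_release_hashes "$1")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | grep -qv '^OK ' && return 1
    return 0
}

# make_sample_dist DIST_DIR: build a minimal dist tree with one Packages
# index and a Release that lists it (constructed data, not a real mirror).
make_sample_dist() {
    dist="$1"
    mkdir -p "$dist/main/binary-amd64"
    pkg="$dist/main/binary-amd64/Packages"
    # One constructed stanza; its SHA256 field would cover the .deb and
    # is the second link of the chain (Packages -> pool/...deb).
    cat > "$pkg" <<'EOF'
Package: example-codec
Version: 1.0-1
Architecture: amd64
Filename: pool/main/e/example-codec/example-codec_1.0-1_amd64.deb
Size: 1234
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

EOF
    cat > "$dist/Release" <<EOF
Origin: Example
Suite: stable
Architectures: amd64
Components: main
SHA256:
 $(sha256_of "$pkg") $(wc -c < "$pkg" | tr -d ' ') main/binary-amd64/Packages
EOF
}

# Stand-alone demonstration: the untouched dist verifies; after the index
# is altered (as a hijacked host could do), the signed Release no longer
# matches it.
demo() {
    tmp=$(mktemp -d)
    make_sample_dist "$tmp/dists/example"
    echo "before tampering:"; verify_release_hashes "$tmp/dists/example"
    printf 'Package: evil\n' >> "$tmp/dists/example/main/binary-amd64/Packages"
    echo "after tampering:"; verify_release_hashes "$tmp/dists/example"
    rm -rf "$tmp"
}

demo
```

What this does not cover is the step above it: if the signature on Release is not checked, or the user waves through the warning that apt prints when it fails, none of these hashes mean anything, which is exactly the "don't speed through those warnings" point in the parent comment.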

    2. Re: Just don't ignore any warnings? by Threni · · Score: 2

      Lions, tigers, bears...

  4. Ugh, forks by BitZtream · · Score: 4, Interesting

    He said (d-m.o) he stopped using the name because she told him to.

    She said (the actual debian team) he shouldn't use the confusion it causes and people think donating to him is for Debian in general due to the scammy way its worded and fine print ...

    He said, I'll just dump the original name, then in my nice passive aggressive way, I'll use another name that is going to cause more or less the exact same problem! That'll teach those guys!.

    She then had to warn all of her customers because he just let the domain expire and be taken over by someone else for phishing purposes, he is such a considerate guy, she said under her breath.

    So basically, the debian-multimedia guy is being an ass by not only making a new nearly equally confusing name, the jackass let the old one expire immediately so that someone else could pick it up, and in tiny print (wtf is with jackasses making text small, let the browser do its job douche) he puts on his website ... that no one visits after the initial hits because they now have the repository in /etc/apt anyway ... there he tells of the change ...

    Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it, this is a known issue and the d-m.o guy is just being an unhelpful ass.

    After reading everything, I think d-m.o douche could have been a lot more professional.

    He could have been a normal person and just done what debian asked ... put a notice on his page saying 'I'm not taking these donations for debian, they are for me!' but instead he didn't want to.

    He's essentially trying to scam people into donations unless they carefully read the right parts of his site. Now I'm all for reading the fine print, but when you are intentionally scamming people and trying to skirt around that fact by 'the fine print' so to speak, you're still just a scumbag.

    This guy, needs to be blacklisted by geeks. No one should give him money, he's not a team player, a bad sport, a jerk, and a scammer. He's a passive aggressive asshole.

    Yes, I can get that from reading a couple of his websites and an email thread on the Debian lists.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Ugh, forks by jabuzz · · Score: 2, Insightful

      The issue is the Debian team were demanding things that they could not expect. The maintainer of d-m.o was free to do whatever they wanted which includes maintaining separate versions of packages in Debian proper. They pointlessly demanded that he stop using debian in his domain name which achieved nothing. It did not reduce any confusion, and it did not stop him doing what he was doing before. Worse than that the domain expired and some random other person picked it up.

      The Debian team have a habit of being self obsessed holier than thou righteous pricks at times. This is one of them.

    2. Re:Ugh, forks by GPLHost-Thomas · · Score: 4, Informative

      They pointlessly demanded that he stop using debian in his domain name which achieved nothing.

      Not what happened. We asked Christian Marillat (the old owner of debian-multimedia.org) to stop doing things separately, and work with the Debian Multimedia team. He was also asked to stop building packages which are constantly breaking upgrades from one Debian version to the next. But it seems he prefers doing things alone...

  5. DPL, the ultimate sticklers by MetalliQaZ · · Score: 2, Insightful

    Step 1: Make pointless and annoying request
    Step 2: Watch as security problem is created in the fallout
    Step 3: Be smug

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    1. Re:DPL, the ultimate sticklers by Kidbro · · Score: 4, Informative

      Except, of course, that the request wasn't pointless:
      http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html

      The name actually caused real problems for Debian maintainers and users.

    2. Re:DPL, the ultimate sticklers by GPLHost-Thomas · · Score: 2

      Reducing what happened with Christian Marillat to only a single thread is deceptive. The issue with his repository breaking upgrades from one version of Debian to the next, and his constant refusal to work within Debian (even though he is a Debian Developer) is all but new.

    3. Re:DPL, the ultimate sticklers by cjav · · Score: 2

      Except, of course, that the request wasn't pointless:

      Not only that, but please go and find a better example of excellent communication skills in an easily flammable thread:
      http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/027482.html

      My tip of the hat to Stefano Zacchiroli for keeping it so cool and on point. This looks like childish behavior that hurts the same project the Debian Multimedia maintainer seems to be wanting to help.

  6. Attacks on Package Managers by Anonymous Coward · · Score: 4, Interesting

    https://www.cs.arizona.edu/stork/packagemanagersecurity/

    Do read it all. It may not apply here but it should be read by everyone who uses package managers.

    1. Re: Attacks on Package Managers by Anonymous Coward · · Score: 2, Informative

      Vulnerabilities do not vanish with time, but good geeks adapt. Eight years ago, Debian responded to these problems. http://wiki.debian.org/HowToSetupADebianRepository

  7. Re:Why not automate the fix? by BitZtream · · Score: 3, Insightful

    No one 'forced' him to change the name. Read that again. NO ONE FORCED HIM TO CHANGE THE DOMAIN NAME.

    They asked for him to stop soliciting donations in a way that made it look like he was doing it for Debian proper. Then if he didn't want to do that, they started clamping down on the name usage in order to resolve the real problem, which is him making it unclear that he isn't collecting for Debian proper.

    He's an ass and didn't want to stop scamming people for donations (he is intentionally misleading, this was discussed on the mailing list and it's clear), so he responded in a passive aggressive way.

    This isn't about 'trademarks' or naming, its about integrity and ethical practices. The naming thing is just a way to require an uncooperative asshole into doing what they want. This is EXACTLY THE REASON TRADEMARK LAWS EXIST. To prevent some jackass like this from tricking people into donating to something other than what they think they are donating to.

    The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party, and that leads us to ...

    The big mistake is Linux geeks in general. You don't have signed repositories because you all get so uppity about someone being the 'central authority' that you lose basic functionality and usability ... and end up with the EXACT same flaws you rant on about. Don't let anyone centrally sign things and validate others as being legitimate, make everyone do it themselves! That's so much better! Power to the people! ... the people who will then put a single line in a relatively obscure configuration file and then forget it for the rest of the install.

    Then you come back ... and the solution you propose ... is to have the debian organization function as a clearing house by remapping someone else's domain. Do you want them to run a walled garden or not? Pick one or the other. Just because you don't recognize your request as being a walled garden doesn't make it any less so. You're asking Debian to play moderator, gate keeper.

    You'll then flip the fuck out if it turns out that debian-multimedia.org is owned by someone who is legitimate about it. (not likely, but not impossible, yet)

    No, they shouldn't patch the package manager for the good of others, they should let you get exploited. You added the repository of a douche, your problem. You didn't want them playing gate keepers, remember, that's why you have an unsigned file without digital signatures as your list of repositories.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  8. Re:Why not... by KGIII · · Score: 2

    APK, is that you? ;)

    --
    "So long and thanks for all the fish."
  9. mostly a non-issue by louden obscure · · Score: 4, Informative

    I've had this repo in my apt list forever, it's changed names three times and has had two maintainers since I've added it to my list. It's where the dvd decrypter deally lived and a better mplayer package and well surprise, multi-media packages that were/are bleeding edge compared to the stock debian fare. I changed my apt source ages ago to reflect the title change after I noticed apt-get was pitching a fit; it only took opening up another browser tab and going to the multi-media web site to see why. You have to manually edit/write a file to add the repo, manually grab and load the key. Jeeze, I always have to add non-free and contrib on a new default install.

    I'm cutting the multi-media maintainer lotsa slack, I appreciate his effort.

    --
    Serenity now, insanity later.
  10. Re:Why not... by osu-neko · · Score: 3, Insightful

    Fixing a security problem is a great idea. Doing so by adding bogus entries to your /etc/hosts file (as OP suggested) is a monumentally stupid idea.

    The right way to handle this automatically (assuming you don't object to the idea of it being handled automatically) would be to simply comment out the offending line in the sources.

    --
    "Convictions are more dangerous enemies of truth than lies."
  11. Re:BTW by crutchy · · Score: 4, Funny

    it was however more informative than your reply

  12. Re: Why not... by crutchy · · Score: 2

    holy fucking shitbags!!! Microsoft makes shoes!!!! where can i get a pair so i can wear them with my debian t-shirt :)

  13. ). There. by xded · · Score: 3, Funny
  14. Re:Why not... by gmack · · Score: 3, Informative

    Already done... debian-multimedia packages were signed and anything new from that domain won't be and should not install.

  15. Re:Not a huge problem by julesh · · Score: 2

    It's not a significant problem because the repository is signed with OpenPGP.
    aptitude displays a big red warning if there are unknown signatures in your repository.

    Unfortunately, people are likely to respond to this warning by doing what the repository maintainer suggests on the repository's home page:

    apt-get install deb-multimedia-keyring

    Since Squeeze you can install this package with apt-get but you need to press Y when the package asks what to do and do not press return.

  16. Re:Why not... by GPLHost-Thomas · · Score: 2

    (a) Why is that? Why can't package management fix a security problem?

    For this, we have apt-key. If you blindly trust a non-signed source, that's your fault.

  17. Re:What problems? by GPLHost-Thomas · · Score: 3, Interesting

    The more popular the package is the better and more arcane the reasoning is the better, hence why Debian has iceweasel while virtually every single other linux distro has Firefox.

    I didn't comment on the rest, because it's silly enough, so I'll comment only on that one. The problem with Firefox vs. Iceweasel lies with the Mozilla Foundation, which refuses to let anyone use the name Firefox (and its logo) if patches are added. Other distributions might just ignore that fact, but Debian cares about licenses and trademarks. If you want this to change, then you are welcome to ask Mozilla to change its trademark policy.

  18. Re:WHOIS by marcosdumay · · Score: 2

    Anyway, he's currently serving 404 for requests for the software repository. So, it's not malicious.