Slashdot Mirror


Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources

Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your sources.list file." Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.

17 of 159 comments

  1. Moved to deb-multimedia.org by TREE · · Score: 5, Informative

    The repository is not gone, it just moved to http://deb-multimedia.org/

    1. Re:Moved to deb-multimedia.org by stephanruby · · Score: 3, Informative

      Not sure whether you're using the debian-multimedia repository? You can check easily by running:

      grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

      If you see a debian-multimedia.org line in the output, you should remove all the lines that include it.

    2. Re:Moved to deb-multimedia.org by msauve · · Score: 4, Insightful

      If you're going to karma whore, you should at least reference the OP.

      If you see debian-multimedia.org lines in the output, you might want to change all the lines that include it to use deb-multimedia.org instead.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Re:Why not... by Nutria · · Score: 4, Insightful

    (a) Because that's intruding where package management doesn't belong, and
    (b) into which package would you add this patch?

    --
    "I don't know, therefore Aliens" Wafflebox1
  3. Just don't ignore any warnings? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Please correct me if I'm wrong about this specific one, but the official repositories and many of the 3rd party ones are signed, and you mark the corresponding public key as trusted when you add the repo. Unless the new owner got the domain name and the signing key, their ability to fuck with you is pretty much limited to breaking dependencies in assorted creative ways. Unless you speed through those annoying warnings about crypto issues, in which case you are executing god-knows-what as root. So don't do that.

    1. Re:Just don't ignore any warnings? by fuzzyfuzzyfungus · · Score: 3, Informative

      The files in the repositories are signed; there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

      True, having your system chatting with random servers about how it could really use an update isn't a good thing. My point/question was just that, even if you control the domain name the apt sources point to, you can't actually tamper with package payloads without apt freaking out about it, which at least mitigates the damage.
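
The point fuzzyfuzzyfungus makes above (a hostile domain holder without the signing key can serve files, but cannot make apt accept altered payloads) rests on a hash chain that starts at the signed Release file. The script below is an added example, not code from the thread, from Debian or from apt: it walks that chain, Release to Packages index to .deb, over a constructed repository tree and shows a swapped .deb or an edited index being rejected. The signature check on Release/InRelease itself (apt runs gpgv against the trusted keyring) is assumed to have passed and is not replicated; the package name, paths and file contents are made up for the demonstration, and the Packages parser is simplified to single-token field values.

```shell
#!/bin/sh
# Added example (not from the thread, not Debian's or apt's code): the hash chain
# apt walks after it has verified the signature on Release/InRelease:
#   Release (signed) --SHA256--> Packages index --SHA256--> .deb payload
# The gpgv step is assumed to have passed; the repository tree is constructed below.

sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Hash that the Release file claims for a relative path. Release has header
# fields ("Origin: ...", "Codename: ...") and per-algorithm sections such as
# "SHA256:" whose entries are indented " <hash> <size> <path>" lines.
release_sha256() {
    awk -v want="$2" '
        /^[A-Za-z0-9-]+:/ { section = $1; next }
        section == "SHA256:" && $3 == want { print $1; exit }
    ' "$1"
}

# "<Filename> <SHA256>" for one package from a Packages index (stanzas separated
# by blank lines). Simplified parser: assumes single-token field values.
packages_entry() {
    awk -v want="$2" '
        BEGIN { RS = "" }
        {
            name = file = hash = ""
            for (i = 1; i < NF; i++) {
                if ($i == "Package:")  name = $(i + 1)
                if ($i == "Filename:") file = $(i + 1)
                if ($i == "SHA256:")   hash = $(i + 1)
            }
            if (name == want) { print file, hash; exit }
        }
    ' "$1"
}

# Succeeds only if every link of the chain matches. Whoever holds the domain can
# swap files, but without the signing key cannot produce a Release that vouches
# for them, so any swap shows up as a mismatch here.
verify_chain() {
    repo="$1"; index="$2"; pkg="$3"
    expected=$(release_sha256 "$repo/Release" "$index")
    [ -n "$expected" ] && [ "$(sha256_of "$repo/$index")" = "$expected" ] \
        || { echo "index $index does not match signed Release" >&2; return 1; }
    set -- $(packages_entry "$repo/$index" "$pkg")
    [ $# -eq 2 ] || { echo "$pkg not listed in $index" >&2; return 1; }
    [ "$(sha256_of "$repo/$1")" = "$2" ] \
        || { echo "$1 does not match $index" >&2; return 1; }
}

# Constructed sample repository (fake .deb, one-package index, matching Release).
make_sample_repo() {
    dir="$1"
    mkdir -p "$dir/main/binary-amd64" "$dir/pool"
    deb="$dir/pool/libdvdcss2_1.2.12-1_amd64.deb"
    printf 'not a real .deb, just a constructed payload\n' > "$deb"
    cat > "$dir/main/binary-amd64/Packages" <<EOF
Package: libdvdcss2
Version: 1.2.12-1
Architecture: amd64
Filename: pool/libdvdcss2_1.2.12-1_amd64.deb
Size: $(wc -c < "$deb" | tr -d ' ')
SHA256: $(sha256_of "$deb")

EOF
    cat > "$dir/Release" <<EOF
Origin: constructed-example
Suite: stable
Codename: wheezy
Architectures: amd64
Components: main
SHA256:
 $(sha256_of "$dir/main/binary-amd64/Packages") $(wc -c < "$dir/main/binary-amd64/Packages" | tr -d ' ') main/binary-amd64/Packages
EOF
}

demo=$(mktemp -d)
make_sample_repo "$demo"
verify_chain "$demo" main/binary-amd64/Packages libdvdcss2 && echo "untampered mirror: chain verifies"
printf 'trojaned payload\n' > "$demo/pool/libdvdcss2_1.2.12-1_amd64.deb"
verify_chain "$demo" main/binary-amd64/Packages libdvdcss2 || echo "swapped .deb: rejected"
rm -rf "$demo"
```

What the chain does not cover is exactly the comment's caveat: a domain holder who only has the old files can still replay stale but correctly signed metadata or simply serve nothing, which breaks upgrades rather than compromising them.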

  4. Ugh, forks by BitZtream · · Score: 4, Interesting

    He said (d-m.o) he stopped using the name because she told him to.

    She said (the actual debian team) he shouldn't use the confusion it causes and people think donating to him is for Debian in general due to the scammy way it's worded and fine print ...

    He said, I'll just dump the original name, then in my nice passive aggressive way, I'll use another name that is going to cause more or less the exact same problem! That'll teach those guys!

    She then had to warn all of her customers because he just let the domain expire and be taken over by someone else for phishing purposes, he is such a considerate guy, she said under her breath.

    So basically, the debian-multimedia guy is being an ass by not only making a new nearly equally confusing name, the jackass let the old one expire immediately so that someone else could pick it up, and in tiny print (wtf is with jackasses making text small, let the browser do its job douche) he puts on his website ... that no one visits after the initial hits because they now have the repository in /etc/apt anyway ... there he tells of the change ...

    Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it, this is a known issue and the d-m.o guy is just being an unhelpful ass.

    After reading everything, I think d-m.o douche could have been a lot more professional.

    He could have been a normal person and just done what debian asked ... put a notice on his page saying 'I'm not taking these donations for debian, they are for me!' but instead he didn't want to.

    He's essentially trying to scam people into donations unless they carefully read the right parts of his site. Now I'm all for reading the fine print, but when you are intentionally scamming people and trying to skirt around that fact by 'the fine print' so to speak, you're still just a scumbag.

    This guy, needs to be blacklisted by geeks. No one should give him money, he's not a team player, a bad sport, a jerk, and a scammer. He's a passive aggressive asshole.

    Yes, I can get that from reading a couple of his websites and an email thread on the Debian lists.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Ugh, forks by GPLHost-Thomas · · Score: 4, Informative

      They pointlessly demanded that he stop using debian in his domain name which achieved nothing.

      Not what happened. We asked Christian Marillat (the old owner of debian-multimedia.org) to stop doing things separately, and work with the Debian Multimedia team. He was also asked to stop building packages which are constantly breaking upgrades from one Debian version to the next. But it seems he prefers doing things alone...

  5. Attacks on Package Managers by Anonymous Coward · · Score: 4, Interesting

    https://www.cs.arizona.edu/stork/packagemanagersecurity/

    Do read it all. It may not apply here but it should be read by everyone who uses package managers.

  6. Re:Why not automate the fix? by BitZtream · · Score: 3, Insightful

    No one 'forced' him to change the name. Read that again. NO ONE FORCED HIM TO CHANGE THE DOMAIN NAME.

    They asked him to stop soliciting donations in a way that made it look like he was doing it for Debian proper. Then, when he didn't want to do that, they started clamping down on the name usage in order to resolve the real problem, which is him making it unclear that he isn't collecting for Debian proper.

    He's an ass and didn't want to stop scamming people for donations (he is intentionally misleading, this was discussed on the mailing list and it's clear), so he responded in a passive aggressive way.

    This isn't about 'trademarks' or naming, it's about integrity and ethical practices. The naming thing is just a way to force an uncooperative asshole into doing what they want. This is EXACTLY THE REASON TRADEMARK LAWS EXIST. To prevent some jackass like this from tricking people into donating to something other than what they think they are donating to.

    The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party, and that leads us to ...

    The big mistake is Linux geeks in general. You don't have signed repositories because you all get so uppity about someone being the 'central authority' that you lose basic functionality and usability ... and end up with the EXACT same flaws you rant on about. Don't let anyone centrally sign things and validate others as being legitimate, make everyone do it themselves! That's so much better! Power to the people! ... the people who will then put a single line in a relatively obscure configuration file and then forget it for the rest of the install.

    Then you come back ... and the solution you propose ... is to have the debian organization function as a clearing house by remapping someone else's domain. Do you want them to run a walled garden or not? Pick one or the other. Just because you don't recognize your request as being a walled garden doesn't make it any less so. You're asking Debian to play moderator, gate keeper.

    You'll then flip the fuck out if it turns out that debian-multimedia.org is owned by someone who is legitimate about it. (not likely, but not impossible, yet)

    No, they shouldn't patch the package manager for the good of others, they should let you get exploited. You added the repository of a douche, your problem. You didn't want them playing gate keepers, remember, that's why you have an unsigned file without digital signatures as your list of repositories.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  7. mostly a non-issue by louden+obscure · · Score: 4, Informative

    I've had this repo in my apt list forever, it's changed names three times and has had two maintainers since I've added it to my list. It's where the dvd decrypter deally lived and a better mplayer package and well surprise, multi-media packages that were/are bleeding edge compared to the stock debian fare. I changed my apt source ages ago to reflect the title change after I noticed apt-get was pitching a fit; it only took opening up another browser tab and going to the multi-media web site to see why. You have to manually edit/write a file to add the repo, manually grab and load the key. Jeeze, I always have to add non-free and contrib on a new default install.

      I'm cutting the multi-media maintainer lotsa slack, I appreciate his effort.

    --
    Serenity now, insanity later.
  8. Re:Why not... by osu-neko · · Score: 3, Insightful

    Fixing a security problem is a great idea. Doing so by adding bogus entries to your /etc/hosts file (as OP suggested) is a monumentally stupid idea.

    The right way to handle this automatically (assuming you don't object to the idea of it being handled automatically) would be to simply comment out the offending line in the sources.

    --
    "Convictions are more dangerous enemies of truth than lies."
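
Three comments in this thread describe the same housekeeping step: stephanruby's grep over sources.list and sources.list.d to find the old domain, msauve's suggestion to rewrite those lines to deb-multimedia.org, and osu-neko's point that the safe automatic fix is to comment the offending line out rather than touch /etc/hosts. The script below is an added example, not code from the thread or from Debian; it implements all three against an apt configuration root passed as an argument (so it can be tried on a copy before /etc/apt), and the sources files it runs on at the bottom are constructed samples, not anyone's real configuration. Existing comment lines are left alone in both modes.

```shell
#!/bin/sh
# Added example (not from the thread, not Debian's own tooling): find apt source
# entries that still name the expired debian-multimedia.org domain and either
# comment them out or rewrite them to deb-multimedia.org. Every function takes
# the apt config root as an argument so it can be run against a copy first.

OLD_DOMAIN="debian-multimedia.org"
NEW_DOMAIN="deb-multimedia.org"

# The files apt actually reads: sources.list plus *.list under sources.list.d
apt_source_files() {
    [ -f "$1/sources.list" ] && echo "$1/sources.list"
    for f in "$1"/sources.list.d/*.list; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# Active (uncommented) entries naming the old domain, as "file:line: entry".
find_old_domain() {
    apt_source_files "$1" | while read -r f; do
        awk -v old="$OLD_DOMAIN" -v f="$f" '
            !/^[[:space:]]*#/ && index($0, old) { print f ":" NR ": " $0 }
        ' "$f"
    done
}

# mode=comment disables the entry (osu-neko's suggestion); mode=rewrite points
# it at the new domain instead (msauve's variant). Existing comments are untouched.
fix_old_domain() {
    root="$1"; mode="$2"
    case "$mode" in
        comment|rewrite) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    apt_source_files "$root" | while read -r f; do
        awk -v old="$OLD_DOMAIN" -v new="$NEW_DOMAIN" -v mode="$mode" '
            /^[[:space:]]*#/ || index($0, old) == 0 { print; next }
            mode == "comment" { print "# " $0; next }
            { gsub(old, new); print }
        ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed sample tree (not a real system) so the script can be tried safely.
make_sample_tree() {
    mkdir -p "$1/sources.list.d"
    cat > "$1/sources.list" <<'EOF'
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb http://www.debian-multimedia.org wheezy main non-free
# deb-src http://www.debian-multimedia.org wheezy main
EOF
    cat > "$1/sources.list.d/multimedia.list" <<'EOF'
deb http://www.debian-multimedia.org squeeze main
deb http://deb-multimedia.org squeeze main
EOF
}

demo=$(mktemp -d)
make_sample_tree "$demo"
echo "Active entries still pointing at $OLD_DOMAIN:"
find_old_domain "$demo"
fix_old_domain "$demo" comment
echo "sources.list after commenting out:"
cat "$demo/sources.list"
rm -rf "$demo"
```

To check a real machine, source the file and run `find_old_domain /etc/apt`; only run `fix_old_domain /etc/apt comment` (or `rewrite`) as root once the listing shows what will change. Rewriting to the new domain only makes sense if you also have the new repository's signing key installed, otherwise apt will refuse the metadata just as it does for the expired domain.
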
  9. Re:DPL, the ultimate sticklers by Kidbro · · Score: 4, Informative

    Except, of course, that the request wasn't pointless:
    http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html

    The name actually caused real problems for Debian maintainers and users.

  10. Re:BTW by crutchy · · Score: 4, Funny

    it was however more informative than your reply

  11. ). There. by xded · · Score: 3, Funny
  12. Re:Why not... by gmack · · Score: 3, Informative

    Already done... debian-multimedia packages were signed, and anything new from that domain won't be and should not install.

  13. Re:What problems? by GPLHost-Thomas · · Score: 3, Interesting

    The more popular the package is the better, and the more arcane the reasoning is the better, hence why Debian has iceweasel while virtually every single other linux distro has Firefox.

    I didn't comment on the rest, because that's silly enough, so I'll comment only on that one. The problem with Firefox vs Iceweasel is located at the Mozilla foundation, which refuses to let anyone use the name Firefox (and its logo) if patches are added. Other distributions might just ignore that fact, but Debian cares about licenses and trademarks. If you want this to change, then you are welcome to ask Mozilla to change its trademark policy.