Forgot your password?
typodupeerror
Debian Media Security

Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources 159

Posted by samzenpus
from the protect-ya-neck dept.
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please sent us an email so we can take over the domain! This means that the repository is no longer safe to use, and you should remove the related entries from your source.list file.)" Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.
This discussion has been archived. No new comments can be posted.

Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources

Comments Filter:
  • by TREE (9562) * on Thursday June 13, 2013 @10:38PM (#44003531)

    The repository is not gone, it just moved to http://deb-multimedia.org/ [deb-multimedia.org]

    • by stephanruby (542433) on Thursday June 13, 2013 @11:06PM (#44003667)

      Not sure if you're using the debian-multimedia repository? You can easily check it by running:

      grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

      If you can see debian-multimedia.org line in output, you should remove all the lines including it.

      • by msauve (701917) on Thursday June 13, 2013 @11:32PM (#44003807)
        If you're going to karma whore, you should at least reference the OP.

        If you can see debian-multimedia.org lines in output, you might want to change all the lines including it to use deb-multimedia.org instead.
      • by kju (327)

        If you can see debian-multimedia.org line in output, you should remove all the lines including it.

        Nonsense. Many still working mirrors have "debian-multimedia.org" in the path name, e.g. http://debian.netcologne.de/debian-multimedia.org [netcologne.de]

      • You are better off to just grep for multimedia.org. Then you can see if you are using either repository, and if you need to change it. If nothing shows up, then you might want to consider adding a line for deb-multimedia.org. One subtle thing that a seasoned tech expert learns over time is that searching ' grepping for something a little less specific can sometimes yield far more lucrative results than being (overly) explicit.
    • by Anonymous Coward

      You completely and utterly missed the entire point.

      deb-multimedia.org is run by the original maintainters of debian-multimedia.org and is still probably safe.

      debian-multimedia.org is now run by an unknown entity after the debian project told them to stop using their name and they moved and let the domain expire.

      • He didn't miss the point. He just commented one aspect of it, which is that the original is now at deb-multimedia.org. Which is correct.
  • Have a patch update install that appends to the hosts file redirecting said offending domain to 127.0.0.1 or the like. At least then you'd be sure most potential users don't get infected..

    • Re:Why not... (Score:5, Insightful)

      by Nutria (679911) on Thursday June 13, 2013 @10:55PM (#44003621)

      (a) Because that's intruding where package management doesn't belong, and
      (b) into which package would you add this patch?

      • (a) Why is that? Why can't package management fix a security problem?
        (b) What package does /etc/apt/sources.list and /etc/apt/sources.d belong to? How about patching that package?
         

        • Re: (Score:3, Insightful)

          by osu-neko (2604)

          Fixing a security problem is a great idea. Doing so by adding bogus entries to your /etc/hosts file (as OP suggested) is a monumentally stupid idea.

          The right way to handle this automatically (assuming you don't object to the idea of it being handled automatically) would be to simply comment out the offending line in the sources.

        • (a) Why is that? Why can't package management fix a security problem?

          For this, we have apt-key. If you blindly trust a non-signed source, that's your fault.

      • The point is that you include as an OS update some code that optionally redirects the website. Something that pops up and explains the danger and then allows the system admin to choose what to do.

        One of the major reasons for package management and updates isn't to help close security holes in the system. Saying it is outside the domain of package management to ensure the security of the package management system is, frankly, pretty ludicrous. It is indeed the whole point of having one that possible secu
        • by Nutria (679911)

          include as an OS update

          Put it in a kernel update? Shirley, you jest!

          It's possible to add a bit of grep(1) and sed(1) to the apt package to comment out references to debian-multiple.org in the /etc/apt tree.

          Honestly, though, this is the responsibility of the owner/sysadmin of the machine. There are dozens and dozens of non-canonical repositories, and Debian Developers can't be responsible for keeping track of all of them. The owner/sysadmin added the 3rd party repositories, and he should be responsible for maintaining them. I

    • by Anonymous Coward

      ...or just patch apt to ignore the repository, even if it exists in sources.list.

    • by KGIII (973947)

      APK, is that you? ;)

      • by crutchy (1949900)

        nah i can't be... the sentences are intelligible and there's no mention of "open sores"

    • Re:Why not... (Score:4, Informative)

      by gmack (197796) <gmack@iPOLLOCKnnerfire.net minus painter> on Friday June 14, 2013 @07:40AM (#44005601) Homepage Journal

      Already done.. debian-multimedia packages were signed and anything new from that domain won't be and should not install.

  • by fuzzyfuzzyfungus (1223518) on Thursday June 13, 2013 @11:00PM (#44003645) Journal

    Please correct me if I'm wrong for this specific one; but the official repositories and many of the 3rd party ones are signed, and you mark the corresponding public key as trusted when you add the repo. Unless the new owner got the domain name and the signing key, their ability to fuck with you is pretty much limited to breaking dependencies in assorted creative ways. Unless you speed through those annoying warnings about crypto issues, in which case you are executing god-knows-what as root. So don't do that.

    • by BitZtream (692029)

      The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

      • If the individual packages in the repository are signed but the repository as a whole is not, then there is a problem with how the repository system is designed. The list of files on the repository should be signed with the repository's own key.
        • If the individual packages in the repository are signed but the repository as a whole is not[...]

          man apt-key ...

          I think here, you are mistaking Debian with RedHat ... Packages are signed individually by their maintainer. But that is used only to validate an upload to the Debian repository. What is in use by Debian users, unlike on a RPM based system, is the Release.gpg file, which is the signature for the repository. This, in the official Debian repositories, is signed by the FTP masters (and the key used to sign the repository is signed by multiple Debian Developer, all in the web of trust).

      • by fuzzyfuzzyfungus (1223518) on Friday June 14, 2013 @01:46AM (#44004305) Journal

        The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

        True, having your system chatting with random servers about how it could really use an update isn't a good thing. My point/question was just that, even if you control the domain name the apt sources point to, you can't actually tamper with package payloads without apt freaking out about it, which at least mitigates the damage.

      • Specifically the release file is signed. That contains the secure hashes of the package lists files which in turn contain secure hashes of the actual packages. If files don't match the expected hashes apt will refuse to use them. If the release file is unsigned or signed by an unknown key apt will warn the user and ask them if they want to continue.

  • Ugh, forks (Score:4, Interesting)

    by BitZtream (692029) on Thursday June 13, 2013 @11:07PM (#44003669)

    He said (d-m.o) he stopped using the name because she told him to.

    She said (the actual debian team) he shouldn't use the confusion it causes and people think donating to him is for Debian in general due to the scammy way its worded and fine print ...

    He said, I'll just dump the original name, then in my nice passive aggressive way, I'll use another name that is going to cause more or less the exact same problem! That'll teach those guys!.

    She then had to warn all of her customers because he just let the domain expire and be taken over by someone else for phishing purposes, he is such a considerate guy, she said under her breath.

    So basically, the debian-multimedia guy is being an ass by not only making a new nearly equally confusing name, the jack ass let the old one expire immediately so that someone else could pick it up, and in tiny print (wtf is with jackasses making text small, let the browser do its job douche) he puts on his website ... that no one visits after the initial hits because they now have the repository in /etc/apt anyway ... there he tells of the change ...

    Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it, this is a known issue and the d-m.o guy is just being an unhelpful ass.

    After reading everything, I think d-m.o douche could have been a lot more professional.

    He could have been a normal person and just done what debian asked ... put a notice on his page saying 'I'm not taking these donations for debian, they are for me!' but instead he didn't want to.

    He's essentially trying to scam people into donations unless they carefully read the right parts of his site. Now I'm all for reading the fine print, but when you are intentionally scamming people and trying to skirt around that fact by 'the fine print' so to speak, you're still just a scum back.

    This guy, needs to be blacklisted by geeks. No one should give him money, he's not a team player, a bad sport, a jerk, and a scammer. He's a passive aggressive asshole.

    Yes, I can get that from reading a couple of his websites and an email thread on the Debian lists.

    • Re: (Score:3, Insightful)

      by jabuzz (182671)

      The issue is the Debian team where demanding things that they could not expect. The maintainer of d-m.o was free to do whatever they wanted which includes maintaining separate versions of packages in Debian proper. They pointlessly demanded that he stop using debian in his domain name which achieved nothing. It did not reduce any confusion, and it did not stop him doing what he was doing before. Worse than that the domain expired and some random other person picked it up.

      The Debian team have a habit of bein

      • Re:Ugh, forks (Score:5, Informative)

        by GPLHost-Thomas (1330431) on Friday June 14, 2013 @10:04AM (#44006531)

        They pointlessly demanded that he stop using debian in his domain name which achieved nothing.

        Not what happened. We asked Christian Marilla (the old owner of debian-multimedia.org) to stop doing things separately, and work with the Debian Multimedia team. He was also asked to stop building packages which are constantly breaking upgrades from one Debian version to the next. But it seems he prefers doing things alone...

    • Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it

      Stop the non-sense, and read the man page for apt-key and how the Release.gpg file works.

  • by MetalliQaZ (539913) on Thursday June 13, 2013 @11:18PM (#44003739)

    Step 1: Make pointless and annoying request
    Step 2: Watch as security problem is created in the fallout
    Step 3: Be smug

    • break something that's working well just to score correctness points, because in free software, "working well" and "correct" are often not only separate quantities, but orthogonal ones.

      • break something that's working well.

        This is only your view, but not the one of the Debian Multimedia team within Debian. In many ways, d-m.o broke upgrades, disrespecting the version numbers and such.

    • by Kidbro (80868) on Friday June 14, 2013 @03:48AM (#44004765)

      Except, of course, that the request wasn't pointless:
      http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html [debian.org]

      The name actually caused real problems for Debian maintainers and users.

      • by c (8461)

        The name actually caused real problems for Debian maintainers and users.

        Hmmm... well, having scanned through that thread (read it folks, it's not that long), all I can say is that if that's the DPL-approved way of fixing problems, I don't want those idiots anywhere near my plumbing.

        Public ultimatums are not an appropriate or effective technique to use on someone you don't have any functional control over.

        • Reducing what happened with Christian Marillat to only a single thread is deceptive. The issue with his repository breaking upgrades from one version of Debian to the next, and his constant refusal to work within Debian (even though he is a Debian Developer) is all but new.
          • by c (8461)

            Reducing what happened with Christian Marillat to only a single thread is deceptive.

            Probably. It doesn't change my point.

            By forcing a name change, all they've accomplished is to piss off the people who value his service over any breakage that he manages to cause and making him even less likely to give a shit about what the Debian project wants or needs (assuming he could care even less than he already did).

            People use his services to solve a problem with the core Debian distro, and apparently he runs his ser

            • By forcing a name change

              Nobody forced him to change the name. The DPL asked him to stop confusing his users into believing that donations would go to the Debian project. That's very different. And then he twisted it, and changed his domain name, so he wouldn't be bothered. I'm quite sure users will still get confused. Probably that's what he wants.

              People use his services to solve a problem with the core Debian distro, and apparently he runs his service well enough that people continue to rely on his stuff. The only way to "get rid of him" is to offer a better solution to the underlying problem, not to play games with names.

              Such a better solution (which would be: work more with the Debian Multimedia team, and make his repository not needed anymore, with everything directly available in Debian) have been att

              • by c (8461)

                Nobody forced him to change the name.

                "Force" is maybe a strong word. It was one of the two options given, presented as if it might be undesirable, and it doesn't look like he wasted much time thinking about it.

                Such a better solution (which would be: work more with the Debian Multimedia team, and make his repository not needed anymore, with everything directly available in Debian) have been attempted multiple times. Though he didn't seem to care doing that.

                Actually, from my read of the situation, a better so

      • by pla (258480)
        Except, of course, that the request wasn't pointless

        Those do not describe "real" problems.

        The first describes why "unofficial" repositories exist in the first place - So we can install non-stock versions of packages. That breaks dependencies? Hey, the user has to choose to add those to his apt sources, so keep your nose out of it, DPL.

        And the second amounts to nothing more than weaselly lawyering up. Quick poll, everyone who loves FOSS at least in part to avoid that pro-corporate "protect our IP a
        • by Kidbro (80868)

          / Glad I've always preferred Slackware. No games, no GNU/purism, no corporate BS. Just a rock-solid distro that stays true to its roots.

          That's cool. How about it if Volkerding had to spend all his time addressing bogus bug reports caused by fucked up packages people found on slackware-coolstuff.org?

          Debian doesn't have a problem with unofficial sources. Heck, they don't even have a problem with broken packages. They only have a problem with having to spend time resolving bugs that turn out not to be theirs. If it was obvious that dmo wasn't an official repo, there wouldn't be a problem. That's exactly what the name change is trying to addres

        • And the second amounts to nothing more than weaselly lawyering up. Quick poll, everyone who loves FOSS at least in part to avoid that pro-corporate "protect our IP at all costs" bullshit, raise your hand? Yeah, thought so.

          The issue wasn't only trademark. It was mainly that Debian users are fooled into believing that this was part of Debian, when it was not, and that this repository was breaking things badly.

      • by Hatta (162192)

        I don't understand. "Package duplication" should not be a problem for any decent package manager, and it's not. Apt pinning allows you to choose which repository you get your packages from.

        • by Kidbro (80868)

          The problem essentially boils down to people reporting bugs in dmo-packages directly to debian itself. Sometimes in obscure ways so that it takes time to identify the mistake. This puts an unneeded burden on debian developers, when it's reports for software that's out of their control.

          All debian wants here is to not take the blame for, and spend unneeded work on resolving issues coming from broken dmo-packages. The risk of that happening decreases if 'debian' in not in the name. One of the bug reports linke

        • I don't understand. "Package duplication" should not be a problem for any decent package manager, and it's not. Apt pinning allows you to choose which repository you get your packages from.

          That would be right if the d-m.o repository was configured correctly (but it was not), and respecting the version numbering of Debian so you could upgrade correctly (but it did not).

      • by cjav (1331511)

        Except, of course, that the request wasn't pointless:

        Not only that, but please go a find a better example of excellent communication skills in an easily flammable thread:
        http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/027482.html [debian.org]

        My tip of the hat to Stefano Zacchiroli for keeping it so cool and on point. This looks like a childish behavior that hurts the same project Debian Multimedia maintainer seems to be wanting to help.

  • Domain ID:D168841859-LROR
    Domain Name:DEBIAN-MULTIMEDIA.ORG
    Created On:01-Jun-2013 14:30:15 UTC
    Last Updated On:07-Jun-2013 08:15:23 UTC
    Expiration Date:01-Jun-2014 14:30:15 UTC
    Sponsoring Registrar:Center of Ukrainian Internet Names dba UKRNAMES (R1787-LROR)
    Status:TRANSFER PROHIBITED
    Registrant ID:UANS-00000704339
    Registrant Name:Mikhail Dashkel
    Registrant Street1:Dekhtyarovskaya, 26, 13
    Registrant Street2:
    Registrant Street3:
    Registrant City:Kiev
    Registrant State/Province:Kievskaya
    Registrant Postal Code
  • Given not everyone will know the repo had been moved and the domain is now registered to new owners, the most sensible approach in this case would have been to post an emergency update through the official Debian repositories, such that if the Debian-Multimedia.org is present, it is automatically removed from any source.list files and replaced with deb-multimedia.org. No harm, no foul.

    • I agree. If the Debian project wants to cause these possible security problems for stupid trademark/naming issues, then the least they can do is push an update to fix this for all affected users. As it is, they're causing a potential serious security problem for many of their users... and yet, actively doing nothing at all to eliminate the chance of Debian machines getting owned by malicious package installs. I would say that this is a pretty big mistake, on the level of the SSL certificate problem sever

      • Re: (Score:3, Insightful)

        by BitZtream (692029)

        No one 'forced' him to change the name. Read that again. NO ONE FORCED HIM TO CHANGE THE DOMAIN NAME.

        They asked for him to stop soliciting donations in a way that made it look like he was doing it for Debian proper. Then if he didn't want to do that, they started clamping down on the name usage in order to resolve the real problem, which is him making it unclear that he isn't collecting for Debian proper

        He's an ass and didn't want to stop scamming people for donations (he is intentionally misleading, thi

        • by KGIII (973947)

          I haven't been following this so I don't know. You're not that clear either. First you say that nobody forced him to change the name. Then you say they "clamped down" on the name bit which, well, means they forced him to change the name unless I'm not getting something. It certainly sounds like they forced him to change the domain name given your description except you preface it by saying they didn't - then you say they did. Like I said, you're not helping.

          Perhaps you can clear up what you wrote?

          • by osu-neko (2604)

            Then you say they "clamped down" on the name bit...

            No, you misread. They didn't "clamp down" on the name. You appear to have missed an "if" that was written above. They probably would have clamped down on the name if he had refused to make it clear that donations to him are not donations to Debian. But it never got that far. All they did do was "ask him to stop soliciting donations in a way that made it look like he was doing it for Debian proper." They made a request, that's all they did, and this was how he responded to the request.

            • by KGIII (973947)

              Ah - but they have this in there:

              "Then if he didn't want to do that, they started clamping down on the name usage in order to..."

              The sentence makes no sense so I read it as they started clamping down on the name usage (which is what it says). If he hadn't changed the name then they WOULD have started clamping down? Did they threaten to clamp down on the name usage? If they threatened then it could still be said that they forced him to change his name (it was the only alternative he had if he didn't want to

            • by sjames (1099)

              So they demanded that he pick one of two options, the least unpalatable of which was changing the domain name.

              So, yes they did force him to change the domain name, even if they were nice about it.

              • by tqk (413719)

                So they demanded that he pick one of two options, the least unpalatable of which to him was changing the domain name and to continue to obfuscate for whom he was soliciting donations.

                FTFY.

                • by sjames (1099)

                  If I wanted nmy statement politicized, I'd have done it myself.

                  As for the 'to him' crack, naturally, were you expecting him to take the action least unpalletable to Ernest Spinkmeyer of Walla Walla Washington instead?

                  As a native English speaker and literate, I see nothing obscure about his solicitation for donations. I can see how some *might* have been confused when it was debian-multimedia if they didn't read any of the available documentation. What would you have him call the repo? Blotzig4windows?

                  • by tqk (413719)

                    If I wanted nmy statement politicized, I'd have done it myself.

                    Yeah, don't bother to consider that anyone might have thought it already was politicised.

                    As for the 'to him' crack ...

                    Just pointing out that he chose this course of action. He could have just clarified the situation. Instead, ...

                    As a native English speaker and literate, I see nothing obscure about his solicitation for donations.

                    Irrelevant. Debian did think so, and it was their choice to make.

                    • by sjames (1099)

                      And he took one of the actions they demanded. I didn't claim it was wrong of Debian to demand it at all. But it is disingenuous to claim that he took this action with no prompting and even moreso to lay the current problem (if it even is a problem) at his feet.

        • The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party

          We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.

          1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
          2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to

          • by julesh (229690)

            The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party

            We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.

            1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
            2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to do so in a secure manner. They are likely to either go to the website on the domain in question to get the key or download it from a public keyserver by it's 32-bit key ID (which are easy enough to collide).

            Or, worse still: apt-get install deb-multimedia-keyring as is recommended on the archive's home page.

    • I'm not sure if they can. The whole reason for that repo is that it contained packages not legal for Debian to distribute in all countries. Doing your fix would imply that Debian endorses and aids this repo.

  • by Anonymous Coward on Friday June 14, 2013 @12:05AM (#44003933)

    https://www.cs.arizona.edu/stork/packagemanagersecurity/ [arizona.edu]

    Do read it all. It may not apply here but it should be read by everyone who uses package managers.

  • mostly a non-issue (Score:4, Informative)

    by louden obscure (766926) on Friday June 14, 2013 @01:02AM (#44004129)

    I've had this repo in my apt list forever, it's changed names three times and has had two maintainers since I've added it to my list. It's where the dvd decrypter deally lived and a better mplayer package and well surprise, multi-media packages that were/are bleeding edge compared to the stock debian fare. I changed my apt source ages ago to reflect the title change after I noticed apt-get was pitching a fit; it only took opening up another browser tab and going to the multi-media web site to see why. You have to manually edit/write a file to add the repo, manually grab and load the key. Jeeze, I always have to add non-free and contrib on a new default install.

      I'm cutting the muti-media maintainer lotsa slack, I appreciate his effort.

               

  • ). There. (Score:4, Funny)

    by xded (1046894) on Friday June 14, 2013 @04:50AM (#44005065)
    You're welcome [xkcd.com].
  • It's not a significant problem because the repository is signed with OpenPGP.
    aptitude displays a big red warning if there are unknown signatures in in your repository.

    • by julesh (229690)

      It's not a significant problem because the repository is signed with OpenPGP.
      aptitude displays a big red warning if there are unknown signatures in in your repository.

      Unfortunately, people are likely to respond to this warning by doing what the repository maintainer suggests on the repository's home page:

      apt-get install deb-multimedia-keyring

      Since Squeeze you can install this package with apt-get but you need to presse Y when the package ask what to do and do not press return.

"The greatest warriors are the ones who fight for peace." -- Holly Near

Working...