Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your sources.list file."
Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.
Moved to deb-multimedia.org (Score:5, Informative)
The repository is not gone, it just moved to http://deb-multimedia.org/
Re:Moved to deb-multimedia.org (Score:4, Informative)
Not sure if you're using the debian-multimedia repository? You can easily check it by running:
grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*
If you can see a debian-multimedia.org line in the output, you should remove all the lines including it.
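The grep above also matches commented-out lines, so it cannot tell you which entries APT will actually use. As an added example (not part of the comment above and not Debian tooling), this script reports only active deb/deb-src entries whose URI host is debian-multimedia.org or a subdomain of it, and can comment them out while keeping a .bak copy. The function names and the marker text are made up here, and only the one-line *.list format is covered.

```shell
#!/bin/sh
# Added example, not from the thread: report or disable active APT entries
# whose URI host is the expired domain (or a subdomain of it).
BAD_DOMAIN='debian-multimedia.org'
# awk: a hit is an active deb/deb-src line whose first URI field points at d.
AWK_PROG='
function bad(   i, h) {
    if ($1 != "deb" && $1 != "deb-src") return 0      # skips comments too
    for (i = 2; i <= NF; i++) {
        h = tolower($i)
        if (h !~ /^[a-z][a-z0-9+.-]*:\/\//) continue  # e.g. [arch=amd64]
        sub(/^[^:]*:\/\//, "", h)                     # drop scheme
        sub(/\/.*$/, "", h); sub(/^.*@/, "", h); sub(/:.*$/, "", h)
        return (h == d || (length(h) > length(d) && substr(h, length(h) - length(d)) == "." d))
    }
    return 0
}
{ hit = bad(); prefix = hit ? "# disabled, domain expired: " : "" }
mode == "report" && hit { print FILENAME ":" FNR ": " $0 }
mode == "disable" { print prefix $0 }
'

# source_files DIR: existing one-line-format source files under DIR.
source_files() {
    for f in "$1/sources.list" "$1"/sources.list.d/*.list; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# find_active DIR: print "file:line: entry" for each active bad entry.
find_active() {
    source_files "$1" | while IFS= read -r f; do
        awk -v d="$BAD_DOMAIN" -v mode=report "$AWK_PROG" "$f"
    done
}

# disable_active DIR: comment the hits out in place, keeping FILE.bak.
disable_active() {
    source_files "$1" | while IFS= read -r f; do
        [ -n "$(awk -v d="$BAD_DOMAIN" -v mode=report "$AWK_PROG" "$f")" ] || continue
        cp -p "$f" "$f.bak" && awk -v d="$BAD_DOMAIN" -v mode=disable "$AWK_PROG" "$f.bak" > "$f"
    done
}

# Usage: script report|disable [DIR]; with no argument only defines functions.
case "${1:-}" in
    report)  find_active "${2:-/etc/apt}" ;;
    disable) disable_active "${2:-/etc/apt}" ;;
esac
```

Entries pointing at deb-multimedia.org are left alone because the host is compared as a string, not as a pattern.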
mostly a non-issue (Score:4, Informative)
I've had this repo in my apt list forever, it's changed names three times and has had two maintainers since I've added it to my list. It's where the dvd decrypter deally lived and a better mplayer package and well surprise, multi-media packages that were/are bleeding edge compared to the stock debian fare. I changed my apt source ages ago to reflect the title change after I noticed apt-get was pitching a fit; it only took opening up another browser tab and going to the multi-media web site to see why. You have to manually edit/write a file to add the repo, manually grab and load the key. Jeeze, I always have to add non-free and contrib on a new default install.
I'm cutting the multi-media maintainer lotsa slack, I appreciate his effort.
Re:Just don't ignore any warnings? (Score:4, Informative)
The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.
True, having your system chatting with random servers about how it could really use an update isn't a good thing. My point/question was just that, even if you control the domain name the apt sources point to, you can't actually tamper with package payloads without apt freaking out about it, which at least mitigates the damage.
Re: Attacks on Package Managers (Score:2, Informative)
Vulnerabilities do not vanish with time, but good geeks adapt. Eight years ago, Debian responded to these problems. http://wiki.debian.org/HowToSetupADebianRepository
Re:DPL, the ultimate sticklers (Score:5, Informative)
Except, of course, that the request wasn't pointless:
http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html
The name actually caused real problems for Debian maintainers and users.
Re:Why not... (Score:4, Informative)
Already done.. debian-multimedia packages were signed and anything new from that domain won't be and should not install.
Re:Ugh, forks (Score:5, Informative)
They pointlessly demanded that he stop using debian in his domain name which achieved nothing.
Not what happened. We asked Christian Marillat (the old owner of debian-multimedia.org) to stop doing things separately, and work with the Debian Multimedia team. He was also asked to stop building packages which are constantly breaking upgrades from one Debian version to the next. But it seems he prefers doing things alone...