Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your sources.list file."
Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.
Moved to deb-multimedia.org (Score:5, Informative)
The repository is not gone, it just moved to http://deb-multimedia.org/ [deb-multimedia.org]
Re:Moved to deb-multimedia.org (Score:4, Informative)
Not sure if you're using the debian-multimedia repository? You can easily check it by running:
grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*
If you can see debian-multimedia.org line in output, you should remove all the lines including it.
Re:Moved to deb-multimedia.org (Score:5, Insightful)
If you can see debian-multimedia.org lines in output, you might want to change all the lines including it to use deb-multimedia.org instead.
Re: (Score:2)
Nonsense. Many still working mirrors have "debian-multimedia.org" in the path name, e.g. http://debian.netcologne.de/debian-multimedia.org [netcologne.de]
Re: (Score:2)
Re: (Score:1)
You completely and utterly missed the entire point.
deb-multimedia.org is run by the original maintainers of debian-multimedia.org and is still probably safe.
debian-multimedia.org is now run by an unknown entity after the debian project told them to stop using their name and they moved and let the domain expire.
Re: (Score:2)
Re: (Score:3)
Liar! Everyone knows that if you give software away for free you don't need money.
That's why you don't have to pay for movies, songs or programs any more. You just go to Pirate Bay and get them for free.
You must be living in a fantasy world if you think money is needed to make software.
Why not... (Score:2)
Have a patch update install that appends to the hosts file redirecting said offending domain to 127.0.0.1 or the like. At least then you'd be sure most potential users don't get infected..
Re:Why not... (Score:5, Insightful)
(a) Because that's intruding where package management doesn't belong, and
(b) into which package would you add this patch?
Re: (Score:2)
(a) Why is that? Why can't package management fix a security problem?
(b) What package does /etc/apt/sources.list and /etc/apt/sources.d belong to? How about patching that package?
Re: (Score:3, Insightful)
Fixing a security problem is a great idea. Doing so by adding bogus entries to your /etc/hosts file (as OP suggested) is a monumentally stupid idea.
The right way to handle this automatically (assuming you don't object to the idea of it being handled automatically) would be to simply comment out the offending line in the sources.
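The grep check given earlier in the thread matches any line containing the string debian-multimedia.org, which is why the mirror objection above (a working mirror with the old name only in its path) arises. An added audit script, written for this discussion and not part of Debian or apt, that compares only the URI hostname and comments matching lines out rather than deleting them, so the administrator can re-point them at deb-multimedia.org by hand. The sample sources content is constructed:

```python
"""Find apt one-line sources whose URI *host* is debian-multimedia.org.

Only the hostname is compared, so a mirror that merely carries the old name
in its path (http://debian.netcologne.de/debian-multimedia.org) is left alone.
Matching lines are commented out, not deleted.  Example code for this thread;
not Debian's or apt's own tooling.
"""
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import urlparse

LAPSED_HOST = "debian-multimedia.org"

# Classic one-line format: "deb [options] URI suite component..."
SOURCE_RE = re.compile(r"^\s*(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)")

# Constructed sample of a sources.list (not taken from any real system).
SAMPLE = """\
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb http://www.debian-multimedia.org wheezy main non-free
deb-src [arch=amd64] http://debian-multimedia.org/ wheezy main
# deb http://debian-multimedia.org/ wheezy main   <- already commented out
deb http://debian.netcologne.de/debian-multimedia.org wheezy main
deb http://www.deb-multimedia.org wheezy main non-free
"""


def uri_host(line: str) -> Optional[str]:
    """Hostname of an active (uncommented) source line, or None."""
    m = SOURCE_RE.match(line)
    if not m:
        return None
    host = urlparse(m.group(2)).hostname
    return host.lower() if host else None


def refers_to_lapsed_host(line: str) -> bool:
    """True when the URI host is the lapsed domain or a subdomain of it."""
    host = uri_host(line)
    return host == LAPSED_HOST or (host is not None and host.endswith("." + LAPSED_HOST))


def neutralise(text: str) -> Tuple[str, List[int]]:
    """Comment out offending lines; return new text and the 1-based line numbers hit."""
    out, hits = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if refers_to_lapsed_host(line):
            hits.append(n)
            out.append("# disabled: domain no longer controlled by the repository maintainer\n#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", hits


def main(argv: List[str]) -> int:
    """Report (and with --apply, rewrite) the given files, defaulting to the apt tree."""
    apply = "--apply" in argv
    paths = [Path(p) for p in argv if not p.startswith("--")] or [
        Path("/etc/apt/sources.list"),
        *sorted(Path("/etc/apt/sources.list.d").glob("*.list")),
    ]
    for path in paths:
        if not path.is_file():
            continue
        original = path.read_text()
        new_text, hits = neutralise(original)
        for n in hits:
            print(f"{path}:{n}: points at {LAPSED_HOST}")
        if hits and apply:
            path.with_suffix(path.suffix + ".bak").write_text(original)
            path.write_text(new_text)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it only reports; `--apply` writes a `.bak` copy first and then comments the lines out. On the constructed sample, lines 2 and 3 are disabled while the netcologne mirror and the deb-multimedia.org line are untouched.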
Re: (Score:2)
This is already a third party repository, and many third party repositories don't have proper signing. I don't know what the status was for debian-multimedia.
Re: (Score:3)
(a) Why is that? Why can't package management fix a security problem?
For this, we have apt-key. If you blindly trust a non-signed source, that's your fault.
Use apt-key. (Score:2)
They should just put an update to apt in the official repository that doesn't change anything except looking for that in the sources files and replaces it with the new correct one.
No need for a patch to apt just for this. If you're using signed packages only (as most people do), then all of those from the bogus debian-multimedia will be flagged as unsigned or improperly signed. It's simple to avoid using apt-key... 'nuff said.
Re: (Score:2)
One of the major reasons for package management and updates isn't to help close security holes in the system. Saying it is outside the domain of package management to ensure the security of the package management system is, frankly, pretty ludicrous. It is indeed the whole point of having one that possible secu
Re: (Score:2)
include as an OS update
Put it in a kernel update? Shirley, you jest!
It's possible to add a bit of grep(1) and sed(1) to the apt package to comment out references to debian-multimedia.org in the /etc/apt tree.
Honestly, though, this is the responsibility of the owner/sysadmin of the machine. There are dozens and dozens of non-canonical repositories, and Debian Developers can't be responsible for keeping track of all of them. The owner/sysadmin added the 3rd party repositories, and he should be responsible for maintaining them. I
Re: (Score:1)
...or just patch apt to ignore the repository, even if it exists in sources.list.
Re: (Score:3)
APK, is that you? ;)
Re: (Score:1)
nah i can't be... the sentences are intelligible and there's no mention of "open sores"
Re:Why not... (Score:4, Informative)
Already done.. debian-multimedia packages were signed and anything new from that domain won't be and should not install.
Re: Why not... (Score:1)
I have a broken shoelace. Should I replace it or just get some brand new Microsoft shoes? I suppose I could wait until the shoes wear out and then replace everything at the same time, or I could call out that "shoelace flying doctor" company.
Trouble is the art of shoelace replacement died out since everyone has told us it is hard and only for experts.
Re: (Score:2)
holy fucking shitbags!!! Microsoft makes shoes!!!! where can i get a pair so i can wear them with my debian t-shirt :)
Re: (Score:2)
linux security, fix it yourself or tough shit
More accurately: Linux security - if a change you made to the system turns out to be insecure, you have to remove it yourself later. It's not like debian is distributed with such third-party update sites listed in apt.sources.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I think the fight over the name, which caused the name change, was a mistake with consequences that could have been predicted.
Absolutely not. All Debian Developers were aware of what was going on, and none thought it would end this way.
You might be aware that there are other sites using the word "debian" in the URL. For example www.debian-administration.org. Though we don't care much about them. But here, we had someone working against Debian, and the way he acted shows the DPL did the right thing, especially seeing how much the owner of the site didn't care for its users.
Even if it's the fault of the sysadmins who messed with their systems, finding a non-intrusive way to help them from getting nailed is in everybody's long term interest (except maybe Microsoft or other non-Linux vendors... and even they want a healthy Internet). In the worst-case scenario that this domain gets acquired by bad people and users get burned by this, it will make UNIX/Deb look bad, cause harm to various individuals, and potentially even lead to more spam or malware.
Would you hold Microsoft liable for any software that a u
Just don't ignore any warnings? (Score:5, Insightful)
Please correct me if I'm wrong for this specific one; but the official repositories and many of the 3rd party ones are signed, and you mark the corresponding public key as trusted when you add the repo. Unless the new owner got the domain name and the signing key, their ability to fuck with you is pretty much limited to breaking dependencies in assorted creative ways. Unless you speed through those annoying warnings about crypto issues, in which case you are executing god-knows-what as root. So don't do that.
Re: (Score:1)
The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.
Vulnerability in repo system itself (Score:2)
Re: (Score:2)
If the individual packages in the repository are signed but the repository as a whole is not[...]
man apt-key ...
... Packages are signed individually by their maintainer. But that is used only to validate an upload to the Debian repository. What is in use by Debian users, unlike on an RPM based system, is the Release.gpg file, which is the signature for the repository. This, in the official Debian repositories, is signed by the FTP masters (and the key used to sign the repository is signed by multiple Debian Developers, all in the web of trust).
I think here, you are mistaking Debian with RedHat
Re: (Score:2)
Those are probably not checksums, but actually cryptographic hashes. And assuming they are actually cryptographic hashes, then signing the hash or signing the input is pretty much the same thing. You never sign the actual files in the first place (since they are too large to be input into the signing algorithm), you always hash the
Re:Just don't ignore any warnings? (Score:4, Informative)
The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.
True, having your system chatting with random servers about how it could really use an update isn't a good thing. My point/question was just that, even if you control the domain name the apt sources point to, you can't actually tamper with package payloads without apt freaking out about it, which at least mitigates the damage.
Re: (Score:2)
but all the volunteer distros like Debian use unencrypted repos so...
See what I wrote above. This is simply wrong. There's a Release.gpg file which is signed by the FTP masters, and which validates the repository.
1. The bad guys can refuse to tell you about a security update you actually needed, fooling you into thinking you're secure when actually they have an exploit that you were supposed to be updated against but you aren't. 2. The bad guys can trickle you a "bad" update that's been superseded, making your security worse. This is a genuine update, made by (in this case) Debian, but which happened to have some bug in it that you'd rather not have. Real repos may have held this update only for a few hours at some point, or even only on some testing server and not on their main repo at all, but if they're signed then you'll never know once the bad guy repo lies to you about how you ought to download the update.
Please don't spread such nonsense. This can't happen, unless the user chooses to dismiss the warnings that apt is shouting...
Re: (Score:2)
Specifically the release file is signed. That contains the secure hashes of the package lists files which in turn contain secure hashes of the actual packages. If files don't match the expected hashes apt will refuse to use them. If the release file is unsigned or signed by an unknown key apt will warn the user and ask them if they want to continue.
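The chain described in this comment (signed Release lists hashes of the Packages indexes, which list hashes of the .debs), and the freeze/replay concern raised a few comments earlier, can be walked with the added example below. It is written for this thread with constructed archive data and is not apt's implementation; the OpenPGP check of Release itself (Release.gpg, or the inline InRelease) is left to gpg/apt and not reproduced. It does check the Valid-Until field that Release files carry, which bounds how long a stale but genuine Release can be replayed:

```python
"""Walk the hash chain beneath an apt Release file (example code, constructed data)."""
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- constructed sample archive: not real Debian content ----
DEB = b"!<arch>\nconstructed example-codec_1.0-1_amd64.deb contents\n"
DEB_PATH = "pool/main/e/example-codec/example-codec_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = (
    "Package: example-codec\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n\n"
).encode()
RELEASE = (
    "Origin: Example\nSuite: stable\n"
    "Date: Thu, 13 Jun 2013 07:51:30 UTC\n"
    "Valid-Until: Thu, 20 Jun 2013 07:51:30 UTC\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"
)
WHEN_FRESH = datetime(2013, 6, 14, 12, 0, tzinfo=timezone.utc)  # inside the validity window
WHEN_STALE = datetime(2013, 7, 1, tzinfo=timezone.utc)          # after Valid-Until


def parse_release(text: str) -> Tuple[Dict[str, str], Dict[str, Tuple[str, int]]]:
    """Return header fields and {index path: (sha256, size)} from the SHA256 block."""
    fields: Dict[str, str] = {}
    hashes: Dict[str, Tuple[str, int]] = {}
    in_sha256 = False
    for line in text.splitlines():
        if line.startswith(" "):
            if in_sha256:                      # MD5Sum:/SHA1: blocks are skipped
                digest, size, path = line.split()
                hashes[path] = (digest.lower(), int(size))
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value.strip()
            in_sha256 = key == "SHA256"
    return fields, hashes


def parse_packages(data: bytes) -> Dict[str, Tuple[str, int]]:
    """Return {Filename: (sha256, size)} for every stanza of a Packages index."""
    result: Dict[str, Tuple[str, int]] = {}
    for stanza in data.decode().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in f:
            result[f["Filename"]] = (f["SHA256"].lower(), int(f["Size"]))
    return result


def fresh(fields: Dict[str, str], now: datetime) -> bool:
    """False once Valid-Until has passed, so an old Release cannot be replayed forever."""
    until = parsedate_to_datetime(fields["Valid-Until"])
    if until.tzinfo is None:
        until = until.replace(tzinfo=timezone.utc)
    return now <= until


def verify_chain(release: str, index_path: str, packages: bytes,
                 deb_path: str, deb: bytes, now: datetime) -> List[str]:
    """Return the problems found; an empty list means every link checked out."""
    problems: List[str] = []
    fields, hashes = parse_release(release)
    if not fresh(fields, now):
        problems.append("Release expired (Valid-Until passed)")
    expect = hashes.get(index_path)
    if expect is None:
        problems.append(f"{index_path} not listed in Release")
        return problems                        # an unlisted index proves nothing about .debs
    if expect != (sha256_hex(packages), len(packages)):
        problems.append(f"{index_path} does not match Release")
        return problems                        # neither does a tampered one
    expect = parse_packages(packages).get(deb_path)
    if expect is None:
        problems.append(f"{deb_path} not listed in Packages")
    elif expect != (sha256_hex(deb), len(deb)):
        problems.append(f"{deb_path} does not match Packages")
    return problems


if __name__ == "__main__":
    for label, when in (("fresh", WHEN_FRESH), ("stale", WHEN_STALE)):
        print(label, verify_chain(RELEASE, INDEX_PATH, PACKAGES, DEB_PATH, DEB, when) or "OK")
```

Swapping a byte in the .deb or in the Packages index breaks the corresponding link, and moving the clock past Valid-Until flags the Release as expired even though its contents are intact; that is the layer a hostname hijacker hits once the signature over Release is honoured rather than clicked through.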
Re: (Score:2)
If someone is ignoring warnings about missing public keys, they probably also have bigger problems.
Alcoholism, depression...
Re: (Score:2)
Lions, tigers, bears...
Re: (Score:2)
Oh MY! [gstatic.com]
Ugh, forks (Score:4, Interesting)
He said (d-m.o) he stopped using the name because she told him to.
She said (the actual debian team) he shouldn't use the confusion it causes and people think donating to him is for Debian in general due to the scammy way it's worded and fine print ...
He said, I'll just dump the original name, then in my nice passive aggressive way, I'll use another name that is going to cause more or less the exact same problem! That'll teach those guys!.
She then had to warn all of her customers because he just let the domain expire and be taken over by someone else for phishing purposes, he is such a considerate guy, she said under her breath.
So basically, the debian-multimedia guy is being an ass by not only making a new nearly equally confusing name, the jack ass let the old one expire immediately so that someone else could pick it up, and in tiny print (wtf is with jackasses making text small, let the browser do its job douche) he puts on his website ... that no one visits after the initial hits because they now have the repository in /etc/apt anyway ... there he tells of the change ...
Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it, this is a known issue and the d-m.o guy is just being an unhelpful ass.
After reading everything, I think d-m.o douche could have been a lot more professional.
He could have been a normal person and just done what debian asked ... put a notice on his page saying 'I'm not taking these donations for debian, they are for me!' but instead he didn't want to.
He's essentially trying to scam people into donations unless they carefully read the right parts of his site. Now I'm all for reading the fine print, but when you are intentionally scamming people and trying to skirt around that fact by 'the fine print' so to speak, you're still just a scumbag.
This guy, needs to be blacklisted by geeks. No one should give him money, he's not a team player, a bad sport, a jerk, and a scammer. He's a passive aggressive asshole.
Yes, I can get that from reading a couple of his websites and an email thread on the Debian lists.
Re: (Score:3, Insightful)
The issue is the Debian team were demanding things that they could not expect. The maintainer of d-m.o was free to do whatever they wanted which includes maintaining separate versions of packages in Debian proper. They pointlessly demanded that he stop using debian in his domain name which achieved nothing. It did not reduce any confusion, and it did not stop him doing what he was doing before. Worse than that the domain expired and some random other person picked it up.
The Debian team have a habit of bein
Re:Ugh, forks (Score:5, Informative)
They pointlessly demanded that he stop using debian in his domain name which achieved nothing.
Not what happened. We asked Christian Marillat (the old owner of debian-multimedia.org) to stop doing things separately, and work with the Debian Multimedia team. He was also asked to stop building packages which are constantly breaking upgrades from one Debian version to the next. But it seems he prefers doing things alone...
Re: (Score:2)
They could easily uphold trademark by licensing the name to d-m.o.
And by that, supporting a website which provides packages that breaks upgrades in Debian? Thanks but no thanks.
Re: (Score:2)
From the point of view of a user, it's a hard choice.
Yeah, d.m.o packages do break upgrades, creating extra work and making the system less stable. But then, the official repository does not carry lots of software that are prohibited by US laws... Well, not the entire world is subject to US laws.
Re: (Score:2)
But then, the official repository does not carry lots of software that are prohibited by US laws... Well, not the entire world is subject to US laws.
Exactly what software are we talking about here? These days, there's pretty much everything you need from Debian main.
Re: (Score:2)
I've just added deb-multimedia again to my PC because of dvdrip. Ok, I was just assuming that it wasn't there because it's illegal at the US, it could be because of several reasons.
Re: (Score:2)
Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it
Stop the nonsense, and read the man page for apt-key and how the Release.gpg file works.
Such a distro would be illegal (Score:2)
Sounds like a good reason to use a distribution that includes such basic functionality in their primary repositories.
Is it even legal to make such a distribution if you happen to live in the United States, Dice's home country? A lot of the multimedia functionality that people expect includes royalty-bearing technology such as MPEG audio and video decoders.
Re: (Score:2)
I'm fairly certain at this point that decoders are cheap or already paid for. I remember someone actually doing it, and I know when I installed Ubuntu 12.04, it asked if I wanted to install closed source binaries for that purpose. So someone paid for the royalties or arr
Garbage (Score:2)
I'm fairly certain at this point that decoders are cheap or already paid for.
If someone is using Ubuntu to replace a Windows installation that will no longer boot or which will soon be no longer supported by Microsoft, then using the decoders that were paid for with Windows
Not that there aren't ways to do it on Linux - Apple gives away the decoder for free with QuickTime. You don't need an iThing to download iTunes or QuickTime, after all, and if you get the Windows version, not a cent went to Apple to pay for it.
The encoder still costs money ("QuickTime Pro"), and the last time I checked, iTunes was rated "garbage" in Wine.
when I installed Ubuntu 12.04, it asked if I wanted to install closed source binaries for that purpose. So someone paid for the royalties or arranged it to be royalty free.
The notice that I got stated that it might violate patent law to install those packages. So they're probably hosted in a country with no software patents.
DPL, the ultimate sticklers (Score:3, Insightful)
Step 1: Make pointless and annoying request
Step 2: Watch as security problem is created in the fallout
Step 3: Be smug
Yup, all-too-common free software experience: (Score:2, Insightful)
break something that's working well just to score correctness points, because in free software, "working well" and "correct" are often not only separate quantities, but orthogonal ones.
Re: (Score:2)
break something that's working well.
This is only your view, but not the one of the Debian Multimedia team within Debian. In many ways, d-m.o broke upgrades, disrespecting the version numbers and such.
Re:DPL, the ultimate sticklers (Score:5, Informative)
Except, of course, that the request wasn't pointless:
http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html [debian.org]
The name actually caused real problems for Debian maintainers and users.
Re: (Score:2)
Hmmm... well, having scanned through that thread (read it folks, it's not that long), all I can say is that if that's the DPL-approved way of fixing problems, I don't want those idiots anywhere near my plumbing.
Public ultimatums are not an appropriate or effective technique to use on someone you don't have any functional control over.
Re: (Score:3)
Re: (Score:2)
Probably. It doesn't change my point.
By forcing a name change, all they've accomplished is to piss off the people who value his service over any breakage that he manages to cause and making him even less likely to give a shit about what the Debian project wants or needs (assuming he could care even less than he already did).
People use his services to solve a problem with the core Debian distro, and apparently he runs his ser
Re: (Score:2)
By forcing a name change
Nobody forced him to change the name. The DPL asked him to stop confusing his users into believing that donations would go to the Debian project. That's very different. And then he twisted it, and changed his domain name, so he wouldn't be bothered. I'm quite sure users will still get confused. Probably that's what he wants.
People use his services to solve a problem with the core Debian distro, and apparently he runs his service well enough that people continue to rely on his stuff. The only way to "get rid of him" is to offer a better solution to the underlying problem, not to play games with names.
Such a better solution (which would be: work more with the Debian Multimedia team, and make his repository not needed anymore, with everything directly available in Debian) have been att
Re: (Score:2)
"Force" is maybe a strong word. It was one of the two options given, presented as if it might be undesirable, and it doesn't look like he wasted much time thinking about it.
Actually, from my read of the situation, a better so
Re: (Score:2)
Those do not describe "real" problems.
The first describes why "unofficial" repositories exist in the first place - So we can install non-stock versions of packages. That breaks dependencies? Hey, the user has to choose to add those to his apt sources, so keep your nose out of it, DPL.
And the second amounts to nothing more than weaselly lawyering up. Quick poll, everyone who loves FOSS at least in part to avoid that pro-corporate "protect our IP a
Re: (Score:2)
/ Glad I've always preferred Slackware. No games, no GNU/purism, no corporate BS. Just a rock-solid distro that stays true to its roots.
That's cool. How about it if Volkerding had to spend all his time addressing bogus bug reports caused by fucked up packages people found on slackware-coolstuff.org?
Debian doesn't have a problem with unofficial sources. Heck, they don't even have a problem with broken packages. They only have a problem with having to spend time resolving bugs that turn out not to be theirs. If it was obvious that dmo wasn't an official repo, there wouldn't be a problem. That's exactly what the name change is trying to addres
Re: (Score:2)
And the second amounts to nothing more than weaselly lawyering up. Quick poll, everyone who loves FOSS at least in part to avoid that pro-corporate "protect our IP at all costs" bullshit, raise your hand? Yeah, thought so.
The issue wasn't only trademark. It was mainly that Debian users are fooled into believing that this was part of Debian, when it was not, and that this repository was breaking things badly.
Re: (Score:2)
I don't understand. "Package duplication" should not be a problem for any decent package manager, and it's not. Apt pinning allows you to choose which repository you get your packages from.
Re: (Score:2)
The problem essentially boils down to people reporting bugs in dmo-packages directly to debian itself. Sometimes in obscure ways so that it takes time to identify the mistake. This puts an unneeded burden on debian developers, when it's reports for software that's out of their control.
All debian wants here is to not take the blame for, and spend unneeded work on resolving issues coming from broken dmo-packages. The risk of that happening decreases if 'debian' in not in the name. One of the bug reports linke
Re: (Score:2)
I don't understand. "Package duplication" should not be a problem for any decent package manager, and it's not. Apt pinning allows you to choose which repository you get your packages from.
That would be right if the d-m.o repository was configured correctly (but it was not), and respecting the version numbering of Debian so you could upgrade correctly (but it did not).
Re: (Score:2)
Except, of course, that the request wasn't pointless:
Not only that, but please go and find a better example of excellent communication skills in an easily flammable thread:
http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/027482.html [debian.org]
My tip of the hat to Stefano Zacchiroli for keeping it so cool and on point. This looks like childish behavior that hurts the same project the Debian Multimedia maintainer seems to want to help.
Re:What problems? (Score:4, Interesting)
The more popular the package is the better and the more arcane the reasoning is the better, hence why Debian has iceweasel while virtually every single other linux distro has Firefox.
I didn't comment on the rest, because that's silly enough, so I'll comment only on that one. The problem with Firefox vs Iceweasel is located at the Mozilla foundation, which refuses to let anyone use the name Firefox (and its logo) if patches are added. Other distributions might just ignore that fact, but Debian cares about licenses and trademarks. If you want this to change, then you are welcome to ask Mozilla to change its trademark policy.
Re: (Score:2)
Afaict there were two issues.
1: Mozilla didn't like the use of the firefox name with the "unbranded" logos and debian considered the copyright license of the "branded" logos non-free.
2: Mozilla wanted to be asked for approval for every patch.
Personally I say kudos to debian for not rolling over to these demands.
Re: (Score:2)
WHOIS (Score:1)
Domain Name:DEBIAN-MULTIMEDIA.ORG
Created On:01-Jun-2013 14:30:15 UTC
Last Updated On:07-Jun-2013 08:15:23 UTC
Expiration Date:01-Jun-2014 14:30:15 UTC
Sponsoring Registrar:Center of Ukrainian Internet Names dba UKRNAMES (R1787-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:UANS-00000704339
Registrant Name:Mikhail Dashkel
Registrant Street1:Dekhtyarovskaya, 26, 13
Registrant Street2:
Registrant Street3:
Registrant City:Kiev
Registrant State/Province:Kievskaya
Registrant Postal Code
Re: (Score:2)
somehow I read that as "uranus" instead of "urbanus"
Re: (Score:2)
Re: (Score:2)
Oh, I'm sure it will be fine. That looks perfectly trustworthy.
Re: (Score:2)
Yes, looks like a squatter has set up shop and a very impressive web page it is; If you like motorcycles.
http://debian-multimedia.org/ [debian-multimedia.org]
visible DNS info http://dns.robtex.com/debian-multimedia.org.html#records [robtex.com]
Re: (Score:3)
Anyway, he's currently serving 404 for requests for the software repository. So, it's not malicious.
Why not automate the fix? (Score:1)
Given not everyone will know the repo had been moved and the domain is now registered to new owners, the most sensible approach in this case would have been to post an emergency update through the official Debian repositories, such that if Debian-Multimedia.org is present, it is automatically removed from any sources.list files and replaced with deb-multimedia.org. No harm, no foul.
Re: (Score:1)
I agree. If the Debian project wants to cause these possible security problems for stupid trademark/naming issues, then the least they can do is push an update to fix this for all affected users. As it is, they're causing a potential serious security problem for many of their users... and yet, actively doing nothing at all to eliminate the chance of Debian machines getting owned by malicious package installs. I would say that this is a pretty big mistake, on the level of the SSL certificate problem sever
Re: (Score:3, Insightful)
No one 'forced' him to change the name. Read that again. NO ONE FORCED HIM TO CHANGE THE DOMAIN NAME.
They asked for him to stop soliciting donations in a way that made it look like he was doing it for Debian proper. Then if he didn't want to do that, they started clamping down on the name usage in order to resolve the real problem, which is him making it unclear that he isn't collecting for Debian proper
He's an ass and didn't want to stop scamming people for donations (he is intentionally misleading, thi
Re: (Score:2)
I haven't been following this so I don't know. You're not that clear either. First you say that nobody forced him to change the name. Then you say they "clamped down" on the name bit which, well, means they forced him to change the name unless I'm not getting something. It certainly sounds like they forced him to change the domain name given your description except you preface it by saying they didn't - then you say they did. Like I said, you're not helping.
Perhaps you can clear up what you wrote?
Re: (Score:1)
Then you say they "clamped down" on the name bit...
No, you misread. They didn't "clamp down" on the name. You appear to have missed an "if" that was written above. They probably would have clamped down on the name if he had refused to make it clear that donations to him are not donations to Debian. But it never got that far. All they did do was "ask him to stop soliciting donations in a way that made it look like he was doing it for Debian proper." They made a request, that's all they did, and this was how he responded to the request.
Re: (Score:2)
Ah - but they have this in there:
"Then if he didn't want to do that, they started clamping down on the name usage in order to..."
The sentence makes no sense so I read it as they started clamping down on the name usage (which is what it says). If he hadn't changed the name then they WOULD have started clamping down? Did they threaten to clamp down on the name usage? If they threatened then it could still be said that they forced him to change his name (it was the only alternative he had if he didn't want to
Re: (Score:2)
So they demanded that he pick one of two options, the least unpalatable of which was changing the domain name.
So, yes they did force him to change the domain name, even if they were nice about it.
Re: (Score:2)
So they demanded that he pick one of two options, the least unpalatable of which to him was changing the domain name and to continue to obfuscate for whom he was soliciting donations.
FTFY.
Re: (Score:2)
If I wanted my statement politicized, I'd have done it myself.
As for the 'to him' crack, naturally, were you expecting him to take the action least unpalatable to Ernest Spinkmeyer of Walla Walla Washington instead?
As a native English speaker and literate, I see nothing obscure about his solicitation for donations. I can see how some *might* have been confused when it was debian-multimedia if they didn't read any of the available documentation. What would you have him call the repo? Blotzig4windows?
Re: (Score:2)
If I wanted my statement politicized, I'd have done it myself.
Yeah, don't bother to consider that anyone might have thought it already was politicised.
As for the 'to him' crack ...
Just pointing out that he chose this course of action. He could have just clarified the situation. Instead, ...
As a native English speaker and literate, I see nothing obscure about his solicitation for donations.
Irrelevant. Debian did think so, and it was their choice to make.
Re: (Score:2)
And he took one of the actions they demanded. I didn't claim it was wrong of Debian to demand it at all. But it is disingenuous to claim that he took this action with no prompting and even moreso to lay the current problem (if it even is a problem) at his feet.
Re: (Score:2)
The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party
We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.
1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to
Re: (Score:2)
The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party
We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.
1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to do so in a secure manner. They are likely to either go to the website on the domain in question to get the key or download it from a public keyserver by its 32-bit key ID (which are easy enough to collide).
Or, worse still: apt-get install deb-multimedia-keyring as is recommended on the archive's home page.
Re: (Score:2)
So the alternative is what exactly? Windows download sites that inject their own adware and spam into someone else's software?
Re: (Score:2)
This is why you never use anything associated with freetards.
Such as The World Wide Web? Okay, bye! That's one less imbecilic AC we'll need to deal with. You're welcome. :-)
Re: (Score:2)
I'm not sure if they can. The whole reason for that repo is that it contained packages not legal for Debian to distribute in all countries. Doing your fix would imply that Debian endorses and aids this repo.
Attacks on Package Managers (Score:4, Interesting)
https://www.cs.arizona.edu/stork/packagemanagersecurity/ [arizona.edu]
Do read it all. It may not apply here but it should be read by everyone who uses package managers.
Re: Attacks on Package Managers (Score:2, Informative)
Vulnerabilities do not vanish with time, but good geeks adapt. Eight years ago, Debian responded to these problems. http://wiki.debian.org/HowToSetupADebianRepository
mostly a non-issue (Score:4, Informative)
I've had this repo in my apt list forever, it's changed names three times and has had two maintainers since I've added it to my list. It's where the dvd decrypter deally lived and a better mplayer package and well surprise, multi-media packages that were/are bleeding edge compared to the stock debian fare. I changed my apt source ages ago to reflect the title change after I noticed apt-get was pitching a fit; it only took opening up another browser tab and going to the multi-media web site to see why. You have to manually edit/write a file to add the repo, manually grab and load the key. Jeeze, I always have to add non-free and contrib on a new default install.
I'm cutting the multi-media maintainer lotsa slack, I appreciate his effort.
Re: (Score:2)
If you want current packages, use the unstable repository. Note that it's the repository that's unstable, not the operating system. Every week there are dozens of updates to the repository, but my system never crashes. Sid makes a great desktop or HTPC. Stable is for servers only.
). There. (Score:4, Funny)
Not a huge problem (Score:2)
It's not a significant problem because the repository is signed with OpenPGP.
aptitude displays a big red warning if there are unknown signatures in your repository.
Re: (Score:3)
It's not a significant problem because the repository is signed with OpenPGP.
aptitude displays a big red warning if there are unknown signatures in your repository.
Unfortunately, people are likely to respond to this warning by doing what the repository maintainer suggests on the repository's home page:
Re: (Score:2)
Analogous to a Trying-to-post-first-so-I-don't-care-if-my-response-is-half-baked post.
So *not* informative.
Re:BTW (Score:4, Funny)
it was however more informative than your reply
Re: (Score:2)
Yeah - I hate it when those Anonymous Cowards try to karma whore.