Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources 159
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please sent us an email so we can take over the domain! This means that the repository is no longer safe to use, and you should remove the related entries from your source.list file.)"
Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.
Re:Why not... (Score:5, Insightful)
(a) Because that's intruding where package management doesn't belong, and
(b) into which package would you add this patch?
Just don't ignore any warnings? (Score:5, Insightful)
Please correct me if I'm wrong for this specific one; but the official repositories and many of the 3rd party ones are signed, and you mark the corresponding public key as trusted when you add the repo. Unless the new owner got the domain name and the signing key, their ability to fuck with you is pretty much limited to breaking dependencies in assorted creative ways. Unless you speed through those annoying warnings about crypto issues, in which case you are executing god-knows-what as root. So don't do that.
DPL, the ultimate sticklers (Score:3, Insightful)
Step 1: Make pointless and annoying request
Step 2: Watch as security problem is created in the fallout
Step 3: Be smug
Re:Moved to deb-multimedia.org (Score:5, Insightful)
If you can see debian-multimedia.org lines in output, you might want to change all the lines including it to use deb-multimedia.org instead.
Re:Why not automate the fix? (Score:3, Insightful)
No one 'forced' him to change the name. Read that again. NO ONE FORCED HIM TO CHANGE THE DOMAIN NAME.
They asked for him to stop soliciting donations in a way that made it look like he was doing it for Debian proper. Then if he didn't want to do that, they started clamping down on the name usage in order to resolve the real problem, which is him making it unclear that he isn't collecting for Debian proper
He's an ass and didn't want to stop scamming people for donations (he is intentionally misleading, this was discussed on the mailing list and its clear), so he responded in a passive aggressive way.
This isn't about 'trademarks' or naming, its about integrity and ethical practices. The naming thing is just a way to require an uncooperative asshole into doing what they want. This is EXACTLY THE REASON TRADEMARK LAWS EXIST. To prevent some jackass like this from tricking people into donating to something other than what they think they are donating to.
The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party, and that leads us to ...
The big mistake is Linux geeks in general. You don't have signed repositories because you all get so uppity about someone being the 'central authority' that you lose basic functionality and usability ... and end up with the EXACT same flaws you rant on about. Don't let anyone centrally sign things and validate others as being legitimate, make everyone do it themselves! Thats so much better! Power to the people! ... the people who will then put a single line in a relatively obscure configuration file and then forget it for the rest of the install.
Then you come back ... and solution you propose ... is to have the debian organization function as a clearing house by remapping someone elses domain. Do you want them to run a walled garden or not? Pick one or the other. Just because you don't recognize your request as being a walled garden doesn't make it any less so. You're asking Debian to play moderator, gate keeper.
You'll then flip the fuck out if it turns out that debian-multimedia.org is owned by someone who is legitimate about it. (not likely, but not impossible, yet)
No, they shouldn't patch the package manager for the good of others, they should let you get exploited. You added the repository of a douche, your problem. You didn't want them playing gate keepers, remember, thats why you have an unsigned file with out digital signatures as your list of repositories.
Yup, all-too-common free software experience: (Score:2, Insightful)
break something that's working well just to score correctness points, because in free software, "working well" and "correct" are often not only separate quantities, but orthogonal ones.
Re:Why not... (Score:3, Insightful)
Fixing a security problem is a great idea. Doing so by adding bogus entries to your /etc/hosts file (as OP suggested) is a monumentally stupid idea.
The right way to handle this automatically (assuming you don't object to the idea of it being handled automatically) would be to simply comment out the offending line in the sources.
Re:Just don't ignore any warnings? (Score:1, Insightful)
Several attacks are possible if you control the repo but not the package contents though. Debian (and many other Linux "vendors") were supposed to be vaguely addressing this, but it never really got the priority it needed. If you're running a big corporate distro (e.g. RHEL) you are OK because the repos are SSL, so most attacks aren't viable without breaking SSL on top of everything else, but all the volunteer distros like Debian use unencrypted repos so...
1. The bad guys can refuse to tell you about a security update you actually needed, fooling you into thinking you're secure when actually they have an exploit that you were supposed to be updated against but you aren't.
2. The bad guys can trickle you a "bad" update that's been superseded, making your security worse. This is a genuine update, made by (in this case) Debian, but which happened to have some bug in it that you'd rather not have. Real repos may have held this update only for a few hours at some point, or even only on some testing server and not on their main repo at all, but if they're signed then you'll never know once the bad guy repo lies to you about how you ought to download the update.
Re:Ugh, forks (Score:3, Insightful)
The issue is the Debian team where demanding things that they could not expect. The maintainer of d-m.o was free to do whatever they wanted which includes maintaining separate versions of packages in Debian proper. They pointlessly demanded that he stop using debian in his domain name which achieved nothing. It did not reduce any confusion, and it did not stop him doing what he was doing before. Worse than that the domain expired and some random other person picked it up.
The Debian team have a habit of being self obsessed holier than though righteous pricks at times. This is one of them.