Author Topic: *ALERT* Debian warns its users to remove the Debian Multimedia repository  (Read 5876 times)

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,857

This may end up being a tempest in a teacup. But for now, Debian is very concerned about one of its unofficial software repositories and is now warning Debian users of a potential security problem should they install software from it.

Heise Online website posted this:

Users warned to remove Debian Multimedia repository

The Debian project is warning users that the unofficial Debian Multimedia repository now has to be considered unsafe. According to the Debian maintainers, the debian-multimedia.org domain is not being used by the maintainers of the unofficial repository any more and is now registered to a party unknown to the Debian project. This means that the repository is no longer safe to use and users should remove it from their sources.list file as soon as possible.

In its announcement, the Debian project is recommending that users check their systems by running

grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

which will show debian-multimedia.org in its output if the user has the untrustworthy repository enabled. Meanwhile, Debian developer Steve Kemp has asked the community to create a tool for the distribution to easily manipulate entries in the sources.list file as Debian currently does not ship such a tool. At the moment, users have to edit their repository sources with a text editor.

Using unofficial repositories always represents a security risk and this example clearly shows one of the reasons, as the project usually does not have any control over such repositories. Since the new owners of the debian-multimedia.org domain are unlikely to have access to the signing keys for the expired repository, the security risk is somewhat mitigated as long as users do not install unsigned packages. In any case, removing the repository from one's sources file as Debian recommends is the best procedure to follow.

The official Debian announcement can be read here.
 :o
« Last Edit: June 14, 2013, 07:44 AM by 40hz »
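
An added example, not part of the original post or of Debian's announcement: the grep check quoted above, extended into a small shell script that reports active deb/deb-src lines naming the retired domain and can comment them out while keeping a backup. The function names and the STALE_DOMAIN variable are assumptions made for this example, and only the one-line .list format is handled.

```shell
#!/bin/sh
# Added example (not from the Debian announcement): report and disable APT
# source entries that still name a domain the repository no longer controls.
# STALE_DOMAIN and both function names are assumptions made for this sketch.
STALE_DOMAIN="${STALE_DOMAIN:-debian-multimedia.org}"

# Print "file:line: entry" for every active deb/deb-src line naming the domain.
# Commented-out lines are skipped; index() matches the domain literally, so
# the "." is not a wildcard and deb-multimedia.org is not flagged.
find_stale_entries() {
    apt_dir="$1"
    for f in "$apt_dir/sources.list" "$apt_dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v dom="$STALE_DOMAIN" '
            /^[ \t]*deb(-src)?[ \t]/ && index($0, dom) {
                print FILENAME ":" FNR ": " $0
            }' "$f"
    done
}

# Comment out the matching lines, keeping a .bak copy of each changed file.
# Prints the number of files that were modified.
disable_stale_entries() {
    apt_dir="$1"
    changed=0
    for f in "$apt_dir/sources.list" "$apt_dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        tmp=$(mktemp) || return 1
        awk -v dom="$STALE_DOMAIN" '
            /^[ \t]*deb(-src)?[ \t]/ && index($0, dom) {
                print "# disabled, domain no longer trusted: " $0
                next
            }
            { print }' "$f" > "$tmp"
        if ! cmp -s "$f" "$tmp"; then
            cp -p "$f" "$f.bak"
            cat "$tmp" > "$f"      # rewrite in place, keeping owner and mode
            changed=$((changed + 1))
        fi
        rm -f "$tmp"
    done
    echo "$changed"
}

# Report only when run directly with a directory argument, e.g. /etc/apt.
if [ "$#" -gt 0 ]; then
    find_stale_entries "$1"
fi
```

Review the report first; disable_stale_entries needs write access to the APT configuration directory, and an apt-get update afterwards refreshes the package lists without the removed source.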

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • Posts: 4,642

Slashdot's copy of this story adds a "Debian is not so innocent" wrinkle though:

"If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name."

http://lists.alioth....2012-May/026678.html

So ... if you tell a maintainer to stop using the Debian name ... they just might!?


40hz

The issue Debian has here isn't with the deb-multimedia.org repository per se. The problem is that whoever is currently the owner of debian-multimedia.org is not anyone who is known to Debian.

From Debian's announcement:

The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain! ;) )

debian-multimedia.org may still be found in many users' software source lists. So Debian is concerned since it's no longer the location of what may now be found at deb-multimedia.org.

debian-multimedia.org is now owned by somebody called Mikhail Dashkel over in Russia. Apparently they have attempted to contact him and haven't received any response. So I think it's understandable that the powers at Debian are more than a little concerned about it right now. Especially considering the questionable legality of registering a domain with Debian's name in it.

I also don't really see where Debian is much at fault. They attempted to work out the maintenance and duplication problems cropping up between the d-m-o repository and Debian's official ones.

Debian said:

It's kinda long

Dear Christian,
  as you probably are aware of, there are recurring discussions on the
package duplication between the official Debian archive and the
debian-multimedia.org ("d-m.o" from now on) that you maintain.

AFAIK, the Debian team in charge of maintaining multimedia packages
(that I'm Cc:-ing) is not happy about the duplication and has approached
you about that [1], providing some evidence of the troubles that it
causes to them and to Debian users that also happen to use d-m.o. OTOH
I'm sure you are maintaining d-m.o to provide a useful service to Debian
users, when some of the packages you distribute are not available in
Debian proper.

[1] http://lists.alioth....12-March/025498.html

Personally, I think that principle is fine, but I'm worried about the
duplication part. Not only due to the troubles that it might cause to
users, but also for the apparent waste of maintenance energies. Energies
that could be put into better use if you and the pkg-multimedia team
could find a way to collaborate, and to do so contributing to the
*official* Debian packaging of the concerned software.

I have no specific opinion on the technical claims that d-m.o causes
trouble to official Debian packages. That might be true or not. Ditto
for your allegations of conflict of interest in the maintenance of
ffmpeg or libav in Debian. But I observe that *in* Debian we do have
mechanisms to solve that kind of issues, if and when they arise. As long
as you keep on doing your work outside Debian instead of raising your
concerns within Debian, we'll have to keep on assuming that what is
being done in Debian is fine and is entitled to the official status that
comes with the name "Debian".

Thinking about it, I think we should choose one of the two possible ways
forward:

1) You and the pkg-multimedia team reach an agreement on
   which-packages-belong-where. One way to settle would be that for
   every package that exists in the official Debian archive, the same
   package should not exist in d-m.o, unless it has a version that does
   not interfere with the official packages in "standard" Debian
   installations. Another way would be to rename packages and sonames.

   I understand that such agreements would give a sort of "advantage" to
   the pkg-multimedia people over d-m.o, but that seems to be warranted
   by the fact that they are doing the official packaging, while you're
   not.  If, as I hope, you could start doing your packaging work
   (wherever possible) within Debian as well, things would be different
   and we could consider solving potential technical conflicts in the
   usual Debian way.

2) You stop using "debian" as part of the domain name of your
   repository, which is confusing for users (e.g. [2,3]). That would
   allow each part to keep on doing what they want in terms of
   packaging, but at least would remove any of the existing doubts
   about the official status of d-m.o.

   [2] http://bugs.debian.o...rt.cgi?bug=660924#20
   [3] http://bugs.debian.o...rt.cgi?bug=668308#47

   I can imagine that would be a painful step for you to take, given the
   well established domain name. But it seems fair to ask you to do so
   if we couldn't manage to find an agreement between you and the
   official Debian packaging initiative of software you're maintaining
   in an unofficial repository.

We could also consider various in-between solutions, such as adding
suitable prominent disclaimers on your website explaining that your
initiative is not affiliated with the Debian Project, that it might
cause technical incompatibilities with official packages, and that the
donations you're collecting are for you personally and not for the
Debian Project.

I hope we can reach an agreement on (some variants of) point (1). I'm
personally convinced d-m.o could offer a very useful service to Debian
users, for packages that are not part of the official archive. But d-m.o
really needs to do so in a way that doesn't get in the way of official
packaging activities, otherwise it will remain a perennial source of
conflicts, to the detriment of both parties.

What do you think?

Cheers.

PS we really want this discussion to be public, so please keep the
   pkg-multimedia-maintainers list Cc:-ed, as requested with my M-F-T
   header. I'll otherwise take the liberty to forward your replies to
   the list myself.



And they got back this very terse reply from the people responsible for d-m-o:

> Dear Christian,

Hi,

[...]

> We could also consider various in-between solutions, such as adding
> suitable prominent disclaimers on your website explaining that your
> initiative is not affiliated with the Debian Project, that it might
> cause technical incompatibilities with official packages, and that the
> donations you're collecting are for you personally and not for the
> Debian Project.

Did you read the donate page ? There is no ambiguity.

http://www.debian-multimedia.org/donate

> I hope we can reach an agreement on (some variants of) point (1). I'm
> personally convinced d-m.o could offer a very useful service to Debian
> users, for packages that are not part of the official archive. But d-m.o
> really needs to do so in a way that doesn't get in the way of official
> packaging activities, otherwise it will remain a perennial source of
> conflicts, to the detriment of both parties.
>
> What do you think?

I'll move to a new domain name (without debian), for that I need
time. Maybe 3 or 6 months should be enough, I don't know exactly.


Christian


So from my perspective, the d-m-o folks have decided to go on their merry way rather than work things out on the duplication issue. After that, the discussion starts going downhill rapidly - as discussions are wont to do in the FOSS world whenever someone thinks somebody else just flipped them off. (You can find the whole discussion thread here in case anybody's interested.)
 :)

Tuxman

  • Supporting Member
  • Joined in 2006
  • Posts: 2,466
People still use Linux?

TaoPhoenix


Sure, on target again 40hz.

I absolutely get that a former "trusted source" flips hands and then you have no idea where it goes - that's a classic precursor to malware vs less than aware users.


ewemoa

  • Honorary Member
  • Joined in 2008
  • Posts: 2,922
Thanks for the headsup, 40hz.

40hz

> Thanks for the headsup, 40hz.

You're welcome. But thanks is really due Heise Online's The H-Open site. :-*  A daily must visit if you're at all into FOSS.
 :Thmbsup:

ewemoa

> > Thanks for the headsup, 40hz.
>
> But thanks is really due Heise Online's The H-Open site. :-*

As they seem to have feeds I'll give one a try for a while.  Thanks for the tip :)