
Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources

samzenpus posted about a year ago | from the protect-ya-neck dept.


Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your source.list file." Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.


Moved to deb-multimedia.org (5, Informative)

TREE (9562) | about a year ago | (#44003531)

The repository is not gone, it just moved to http://deb-multimedia.org/ [deb-multimedia.org]

Re:Moved to deb-multimedia.org (3, Informative)

stephanruby (542433) | about a year ago | (#44003667)

Not sure if you're using the debian-multimedia repository? You can easily check it by running:

grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

If you can see a debian-multimedia.org line in the output, you should remove all the lines including it.

Re:Moved to deb-multimedia.org (4, Insightful)

msauve (701917) | about a year ago | (#44003807)

If you're going to karma whore, you should at least reference the OP.

If you can see debian-multimedia.org lines in the output, you might want to change all the lines including it to use deb-multimedia.org instead.

Re:Moved to deb-multimedia.org (1)

kju (327) | about a year ago | (#44005361)

If you can see a debian-multimedia.org line in the output, you should remove all the lines including it.

Nonsense. Many still working mirrors have "debian-multimedia.org" in the path name, e.g. http://debian.netcologne.de/debian-multimedia.org [netcologne.de]

Re: Moved to deb-multimedia.org (1)

Anonymous Coward | about a year ago | (#44005627)

But what are they mirroring? Do they need to read this article too?

Re:Moved to deb-multimedia.org (0)

Anonymous Coward | about a year ago | (#44005871)

Thanks--I forgot about /etc/apt/sources.list.d/

Re:Moved to deb-multimedia.org (1)

Anonymous Coward | about a year ago | (#44003721)

You completely and utterly missed the entire point.

deb-multimedia.org is run by the original maintainers of debian-multimedia.org and is still probably safe.

debian-multimedia.org is now run by an unknown entity after the debian project told them to stop using their name and they moved and let the domain expire.

Re:Moved to deb-multimedia.org (1)

jones_supa (887896) | about a year ago | (#44004893)

He didn't miss the point. He just commented one aspect of it, which is that the original is now at deb-multimedia.org. Which is correct.

Re:Moved to deb-multimedia.org (1)

Anonymous Coward | about a year ago | (#44004899)

For an annual cost of what $10 (?) Debian should probably have just bought the domain when it expired to protect its users. Not that I'm attributing blame, they probably never even knew it was being allowed to expire since debian-multimedia was an entirely separate unofficial group.

Re:Moved to deb-multimedia.org (0)

Anonymous Coward | about a year ago | (#44005641)

They still need to conserve money. Debian has expenses that were, for a long time, paid for out of the pockets of a few of the developers.

Re:Moved to deb-multimedia.org (0)

hobarrera (2008506) | about a year ago | (#44005249)

I must be dreaming. Not only does this first post NOT say "first", but it's actually really informative!
Did I mistype "slashdot" today? :|

BTW (-1)

Anonymous Coward | about a year ago | (#44003569)

The file is in /etc/apt.

Re:BTW (1)

pinkushun (1467193) | about a year ago | (#44004399)

Analogous to a Trying-to-post-first-so-I-don't-care-if-my-response-is-half-baked post.

So *not* informative.

Re:BTW (4, Funny)

crutchy (1949900) | about a year ago | (#44004853)

it was however more informative than your reply

Re:BTW (0)

Anonymous Coward | about a year ago | (#44004871)

The file is in /etc/apt.

Cool story, bro.

Why not... (1)

ADRA (37398) | about a year ago | (#44003607)

Have a patch update install that appends to the hosts file redirecting said offending domain to 127.0.0.1 or the like. At least then you'd be sure most potential users don't get infected.

Re:Why not... (4, Insightful)

Nutria (679911) | about a year ago | (#44003621)

(a) Because that's intruding where package management doesn't belong, and
(b) into which package would you add this patch?

Re:Why not... (1)

at_slashdot (674436) | about a year ago | (#44003917)

(a) Why is that? Why can't package management fix a security problem?
(b) What package does /etc/apt/sources.list and /etc/apt/sources.d belong to? How about patching that package?
 

Re:Why not... (0)

Anonymous Coward | about a year ago | (#44003927)

They don't belong to any package.

Re:Why not... (0)

Anonymous Coward | about a year ago | (#44003995)

They should just put an update to apt in the official repository that doesn't change anything except looking for that in the sources files and replaces it with the new correct one.

Re:Why not... (3, Insightful)

osu-neko (2604) | about a year ago | (#44004279)

Fixing a security problem is a great idea. Doing so by adding bogus entries to your /etc/hosts file (as OP suggested) is a monumentally stupid idea.

The right way to handle this automatically (assuming you don't object to the idea of it being handled automatically) would be to simply comment out the offending line in the sources.
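The check stephanruby's grep performs, kju's caveat that a mirror path can contain "debian-multimedia.org" without the host being the expired domain, and the comment-out fix proposed here all come together in the following Python script. It is an added example, not code from the thread, from Debian or from apt; it parses the one-line deb/deb-src format, matches on the URI host instead of the whole line, and disables matching lines in place. The sample source files and the `wheezy` suite name are constructed for the demonstration.

```python
"""Find and disable apt source entries by repository host.

Added example; not code from the thread, from Debian or from apt. It
parses the one-line "deb"/"deb-src" format, matches on the URI host
rather than grepping the whole line (so a mirror whose path merely
contains "debian-multimedia.org" is left alone), and can comment out
the matching lines in place.
"""
import glob
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed sample files: the first carries real entries for the expired
# host, the second points at a mirror whose *path* contains the string.
SAMPLE_FILES = {
    "sources.list": (
        "deb http://ftp.debian.org/debian wheezy main\n"
        "deb http://www.debian-multimedia.org wheezy main non-free\n"
        "deb-src http://www.debian-multimedia.org wheezy main\n"
    ),
    "sources.list.d/mirror.list": (
        "deb http://debian.netcologne.de/debian-multimedia.org wheezy main\n"
    ),
}

# deb/deb-src, optional [options], then the URI; commented lines do not match.
DEB_LINE = re.compile(r"^\s*(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)")


def line_host(line):
    """URI host of an active deb/deb-src line, or None for anything else."""
    m = DEB_LINE.match(line)
    if not m:
        return None
    return (urlsplit(m.group(3)).hostname or "").lower()


def host_matches(host, target):
    """True for the domain itself or any subdomain (www., ftp., ...)."""
    return host is not None and (host == target or host.endswith("." + target))


def find_entries(paths, target):
    """Return [(path, lineno, line)] for active entries whose host matches."""
    hits = []
    for path in paths:
        with open(path) as fh:
            for n, line in enumerate(fh, 1):
                if host_matches(line_host(line), target):
                    hits.append((path, n, line.rstrip("\n")))
    return hits


def comment_out(path, target, marker):
    """Disable matching entries in place; return the number of lines changed."""
    with open(path) as fh:
        lines = fh.readlines()
    changed = 0
    for i, line in enumerate(lines):
        if host_matches(line_host(line), target):
            lines[i] = "# %s\n# %s" % (marker, line)
            changed += 1
    if changed:
        with open(path, "w") as fh:
            fh.writelines(lines)
    return changed


def system_paths():
    """The files apt reads on a real Debian host (one-line format only)."""
    return ["/etc/apt/sources.list"] + sorted(glob.glob("/etc/apt/sources.list.d/*.list"))


def demo(target="debian-multimedia.org"):
    """Run detection and disabling over the constructed samples in a temp dir.

    Returns (entries found, lines disabled, entries left), i.e. (2, 2, 0).
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sources.list.d"))
    paths = []
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(body)
        paths.append(path)
    found = find_entries(paths, target)
    disabled = sum(comment_out(p, target, "disabled: host no longer controlled by the repository") for p in paths)
    return len(found), disabled, len(find_entries(paths, target))


if __name__ == "__main__":
    print(demo())
```

On a real host, `find_entries(system_paths(), "debian-multimedia.org")` reports the offending lines and `comment_out` disables them without touching the netcologne-style mirror entries; the deb822 `.sources` format that newer apt also reads is not parsed by this script.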

Re:Why not... (0)

Anonymous Coward | about a year ago | (#44004915)

No the right way would be to ask the root next time he runs the upgrade.

Re:Why not... (0)

Anonymous Coward | about a year ago | (#44005889)

This shouldn't be a security problem because debian uses signed packages and users would see the untrusted key and say no.

Re:Why not... (0)

Anonymous Coward | about a year ago | (#44003841)

Because doing an ugly hack in /etc/hosts is unnecessary where a simple line cut in /etc/apt/sources.list is sufficient and correct.

Re:Why not... (0)

Anonymous Coward | about a year ago | (#44004139)

linux security, fix it yourself or tough shit, gee I wonder why people just don't flock to it

Re: Why not... (1)

Anonymous Coward | about a year ago | (#44004357)

I have a broken shoelace. Should I replace it or just get some brand new Microsoft shoes? I suppose I could wait until the shoes wear out and then replace everything at the same time, or I could call out that "shoelace flying doctor" company.

Trouble is the art of shoelace replacement died out since everyone has told us it is hard and only for experts.

Re: Why not... (2)

crutchy (1949900) | about a year ago | (#44004875)

holy fucking shitbags!!! Microsoft makes shoes!!!! where can i get a pair so i can wear them with my debian t-shirt :)

Re:Why not... (1)

julesh (229690) | about a year ago | (#44005661)

linux security, fix it yourself or tough shit

More accurately: Linux security - if a change you made to the system turns out to be insecure, you have to remove it yourself later. It's not like debian is distributed with such third-party update sites listed in apt.sources.

Re:Why not... (1)

x_t0ken_407 (2716535) | about a year ago | (#44005943)

The audacity to think that sysadmins should be able to handle their system themselves their way. Why would you NOT pay ungodly amounts of money for a company to hold your hand??

Re:Why not... (1)

Anonymous Coward | about a year ago | (#44003961)

...or just patch apt to ignore the repository, even if it exists in sources.list.

Re: Why not... (0)

Anonymous Coward | about a year ago | (#44004081)

Best response.

Re:Why not... (2)

KGIII (973947) | about a year ago | (#44004045)

APK, is that you? ;)

Re:Why not... (1)

crutchy (1949900) | about a year ago | (#44004883)

nah i can't be... the sentences are intelligible and there's no mention of "open sores"

Re:Why not... (3, Informative)

gmack (197796) | about a year ago | (#44005601)

Already done. debian-multimedia packages were signed and anything new from that domain won't be and should not install.

Just don't ignore any warnings? (4, Insightful)

fuzzyfuzzyfungus (1223518) | about a year ago | (#44003645)

Please correct me if I'm wrong for this specific one; but the official repositories and many of the 3rd party ones are signed, and you mark the corresponding public key as trusted when you add the repo. Unless the new owner got the domain name and the signing key, their ability to fuck with you is pretty much limited to breaking dependencies in assorted creative ways. Unless you speed through those annoying warnings about crypto issues, in which case you are executing god-knows-what as root. So don't do that.

Re:Just don't ignore any warnings? (1)

BitZtream (692029) | about a year ago | (#44003679)

The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

Vulnerability in repo system itself (1)

tepples (727027) | about a year ago | (#44003795)

If the individual packages in the repository are signed but the repository as a whole is not, then there is a problem with how the repository system is designed. The list of files on the repository should be signed with the repository's own key.

Re: Vulnerability in repo system itself (0)

Anonymous Coward | about a year ago | (#44004299)

Debian repositories have been signed since 2005. http://wiki.debian.org/HowToSetupADebianRepository

Re:Just don't ignore any warnings? (3, Informative)

fuzzyfuzzyfungus (1223518) | about a year ago | (#44004305)

The files in the repositories are signed, there is nothing that confirms that the line in your apt sources is actually connecting to someone you know.

True, having your system chatting with random servers about how it could really use an update isn't a good thing. My point/question was just that, even if you control the domain name the apt sources point to, you can't actually tamper with package payloads without apt freaking out about it, which at least mitigates the damage.

Re:Just don't ignore any warnings? (1, Insightful)

Anonymous Coward | about a year ago | (#44004957)

Several attacks are possible if you control the repo but not the package contents though. Debian (and many other Linux "vendors") were supposed to be vaguely addressing this, but it never really got the priority it needed. If you're running a big corporate distro (e.g. RHEL) you are OK because the repos are SSL, so most attacks aren't viable without breaking SSL on top of everything else, but all the volunteer distros like Debian use unencrypted repos so...

1. The bad guys can refuse to tell you about a security update you actually needed, fooling you into thinking you're secure when actually they have an exploit that you were supposed to be updated against but you aren't.
2. The bad guys can trickle you a "bad" update that's been superseded, making your security worse. This is a genuine update, made by (in this case) Debian, but which happened to have some bug in it that you'd rather not have. Real repos may have held this update only for a few hours at some point, or even only on some testing server and not on their main repo at all, but if they're signed then you'll never know once the bad guy repo lies to you about how you ought to download the update.
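What tepples asked for above (the repository's file list signed as a whole) is what Debian's signed Release file provides, and the two attacks listed here (withholding an update, serving a superseded index) are what its hash list and Valid-Until field are there to catch. The following Python is an added example, not code from the thread or from apt: it assumes the OpenPGP signature on the Release file has already been verified (apt does that with gpgv on Release.gpg or InRelease) and shows the checks that the signed index then makes possible. The Packages index, the Release text and the dates are constructed samples.

```python
"""Check what a signed apt Release file pins: index hashes and freshness.

Added example; not code from the thread or from apt. It assumes the
OpenPGP signature on the Release file (Release.gpg/InRelease, checked by
apt with gpgv) has already verified, and shows the two checks that the
signed index then makes possible: every Packages file is bound by hash and
size, and Valid-Until bounds how long a captured copy can be served back.
"""
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: a tiny Packages index and the Release file describing it.
PACKAGES = b"Package: example\nVersion: 1.0-2\nArchitecture: all\n"
RELEASE = """Origin: Example
Suite: wheezy
Date: Fri, 07 Jun 2013 12:00:00 UTC
Valid-Until: Fri, 14 Jun 2013 12:00:00 UTC
SHA256:
 {sha} {size} main/binary-amd64/Packages
""".format(sha=hashlib.sha256(PACKAGES).hexdigest(), size=len(PACKAGES))


def parse_release(text):
    """Return (header fields, {path: (sha256 hex, size)}) from Release text."""
    fields, digests, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):
            # Indented lines belong to the hash section opened just above.
            if section == "SHA256":
                digest, size, path = line.split()
                digests[path] = (digest, int(size))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
            section = key if key in ("MD5Sum", "SHA1", "SHA256") else None
    return fields, digests


def check_index(release_text, path, data, now):
    """Return the list of problems with an index file; empty means accept."""
    fields, digests = parse_release(release_text)
    problems = []
    # Freshness: a captured Release served after its Valid-Until is a
    # freeze/replay, however genuine its signature is.
    if "Valid-Until" in fields and now > parsedate_to_datetime(fields["Valid-Until"]):
        problems.append("Release expired %s: stale or replayed metadata" % fields["Valid-Until"])
    # Binding: an index the Release does not list is not part of the repository.
    if path not in digests:
        return problems + ["%s is not listed in Release" % path]
    digest, size = digests[path]
    if len(data) != size:
        problems.append("size mismatch for %s" % path)
    if hashlib.sha256(data).hexdigest() != digest:
        problems.append("sha256 mismatch for %s" % path)
    return problems


def scenarios():
    """Genuine index, a substituted (superseded) index, and a stale Release."""
    path = "main/binary-amd64/Packages"
    fresh = datetime(2013, 6, 10, tzinfo=timezone.utc)   # inside the validity window
    late = datetime(2013, 6, 20, tzinfo=timezone.utc)    # after Valid-Until
    # Same length as the genuine index, so only the hash check can catch it.
    superseded = PACKAGES.replace(b"1.0-2", b"1.0-1")
    return {
        "genuine": check_index(RELEASE, path, PACKAGES, fresh),
        "substituted": check_index(RELEASE, path, superseded, fresh),
        "stale": check_index(RELEASE, path, PACKAGES, late),
    }


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(name, "->", problems or "ok")
```

The "substituted" case is the second attack in the list: a real, signed-at-the-time index that the Release no longer vouches for. The "stale" case is the first: an old but intact Release replayed past its Valid-Until, which hides newer security uploads; a repository whose Release carries no Valid-Until gives a client nothing to check here, which is why that field matters for anything updated frequently.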

Re: Just don't ignore any warnings? (0)

Anonymous Coward | about a year ago | (#44004091)

If someone is ignoring warnings about missing public keys, they probably also have bigger problems.

Re: Just don't ignore any warnings? (1)

jones_supa (887896) | about a year ago | (#44004919)

If someone is ignoring warnings about missing public keys, they probably also have bigger problems.

Alcoholism, depression...

Re: Just don't ignore any warnings? (2)

Threni (635302) | about a year ago | (#44004969)

Lions, tigers, bears...

Re: Just don't ignore any warnings? (1)

sjames (1099) | about a year ago | (#44005381)

Oh MY! [gstatic.com]

Ugh, forks (4, Interesting)

BitZtream (692029) | about a year ago | (#44003669)

He said (d-m.o) he stopped using the name because she told him to.

She said (the actual debian team) he shouldn't use the confusion it causes and people think donating to him is for Debian in general due to the scammy way it's worded and fine print ...

He said, I'll just dump the original name, then in my nice passive aggressive way, I'll use another name that is going to cause more or less the exact same problem! That'll teach those guys!

She then had to warn all of her customers because he just let the domain expire and be taken over by someone else for phishing purposes, he is such a considerate guy, she said under her breath.

So basically, the debian-multimedia guy is being an ass by not only making a new nearly equally confusing name, the jack ass let the old one expire immediately so that someone else could pick it up, and in tiny print (wtf is with jackasses making text small, let the browser do its job douche) he puts on his website ... that no one visits after the initial hits because they now have the repository in /etc/apt anyway ... there he tells of the change ...

Since apt doesn't validate that the domain is held by a trusted source/known private key before accepting it, this is a known issue and the d-m.o guy is just being an unhelpful ass.

After reading everything, I think d-m.o douche could have been a lot more professional.

He could have been a normal person and just done what debian asked ... put a notice on his page saying 'I'm not taking these donations for debian, they are for me!' but instead he didn't want to.

He's essentially trying to scam people into donations unless they carefully read the right parts of his site. Now I'm all for reading the fine print, but when you are intentionally scamming people and trying to skirt around that fact by 'the fine print' so to speak, you're still just a scumbag.

This guy, needs to be blacklisted by geeks. No one should give him money, he's not a team player, a bad sport, a jerk, and a scammer. He's a passive aggressive asshole.

Yes, I can get that from reading a couple of his websites and an email thread on the Debian lists.

Re:Ugh, forks (0)

Anonymous Coward | about a year ago | (#44003717)

Sounds like a good reason to use a distribution that includes such basic functionality in their primary repositories. As a bonus, you can pick a distribution that ships vanilla packages instead of packages that are heavily patched by random idiots (hurr durr I can do crypto better than the OpenSSH developers!).

Such a distro would be illegal (1)

tepples (727027) | about a year ago | (#44003811)

Sounds like a good reason to use a distribution that includes such basic functionality in their primary repositories.

Is it even legal to make such a distribution if you happen to live in the United States, Dice's home country? A lot of the multimedia functionality that people expect includes royalty-bearing technology such as MPEG audio and video decoders.

Re: Such a distro would be illegal (0)

Anonymous Coward | about a year ago | (#44003859)

possibly not. but then, nobody gives a fuck where their distro is "made", so why would that matter?

Re: Such a distro would be illegal (0)

Anonymous Coward | about a year ago | (#44003963)

If you make the distro and start distributing software you can't legally distribute in your country, it will open you up to all sorts of legal issues. These start out with a C&D notice that makes it pointless to include the software in the first place and only goes downhill from there.

Re:Such a distro would be illegal (1)

tlhIngan (30335) | about a year ago | (#44004169)

Is it even legal to make such a distribution if you happen to live in the United States, Dice's home country? A lot of the multimedia functionality that people expect includes royalty-bearing technology such as MPEG audio and video decoders.

I'm fairly certain at this point that decoders are cheap or already paid for. I remember someone actually doing it, and I know when I installed Ubuntu 12.04, it asked if I wanted to install closed source binaries for that purpose. So someone paid for the royalties or arranged it to be royalty free.

Not that there aren't ways to do it on Linux - Apple gives away the decoder for free with QuickTime. You don't need an iThing to download iTunes or QuickTime, after all, and if you get the Windows version, not a cent went to Apple to pay for it.

Heck, I think Adobe gives away the decoder as well with their Flash plugin. Granted, the only way now is to use Chrome, but still.

Of course, the thing is that doing so violates Debian's charter - but that's what the non-free repos are for.

Re: Ugh, forks (0)

Anonymous Coward | about a year ago | (#44004145)

If you have a problem with the process and care to help, you are welcome to join. So far, the project seems to be working well. I'm sure you have seen the stories about NASA's Debian expansion, but many other organizations also use them. However, RHEL, CentOS, openSUSE, Ubuntu, and many others are also in great shape, and all of them share package maintainers.

You are right not to trust anyone absolutely. Compiling from audited source will always be the best practice for those who can. Compiling without auditing is good as well if many eyes can see the source, and using trusted binaries is still acceptable for most. Fortunately, most people now have at least basic security in their software, but there's plenty to do.

Re:Ugh, forks (0)

Anonymous Coward | about a year ago | (#44003835)

A lot of the language you call scammy and passive aggressive is due to english as a second language.

Re:Ugh, forks (0)

BitZtream (692029) | about a year ago | (#44003971)

I don't think so. If that were the case he could have just corrected it, which was brought up. He instead claimed that he made it clear and that if you read the page you would know. If that were the case, it wouldn't have come up. He's clearly trying to not make it obvious. Instead of just fixing it, he made a different, clearly passive aggressive move. Using deb-multimedia instead of debian-multimedia ... seriously? Dropping the original domain rather than doing something intelligent like ... using a redirect or error page for a while? FFS, godaddy and register will host a basic page for like $15/year and that includes the cost of the domain if you use a coupon from retailmenot or google.

He's really just showing his ass, spoken language isn't needed. His actions speak clearly.

Re:Ugh, forks (2, Insightful)

jabuzz (182671) | about a year ago | (#44005009)

The issue is the Debian team were demanding things that they could not expect. The maintainer of d-m.o was free to do whatever they wanted which includes maintaining separate versions of packages in Debian proper. They pointlessly demanded that he stop using debian in his domain name which achieved nothing. It did not reduce any confusion, and it did not stop him doing what he was doing before. Worse than that the domain expired and some random other person picked it up.

The Debian team have a habit of being self obsessed holier than thou righteous pricks at times. This is one of them.

Re:Ugh, forks (1)

Anonymous Coward | about a year ago | (#44005331)

they have a legal obligation to actively protect the trademark so that they do not lose it. deal with it.

Re:Ugh, forks (0)

Anonymous Coward | about a year ago | (#44005607)

They could easily uphold trademark by licensing the name to d-m.o. Seems a given considering it's run by a Debian project member even. But no, instead they decided to flex their muscle because they didn't like that he rolled competing packages.

NSE - Null Streisand Effect (-1)

oldhack (1037484) | about a year ago | (#44003687)

Never heard of it before, but then, it don't make no difference - never used it before and won't use it now.

DPL, the ultimate sticklers (2, Insightful)

MetalliQaZ (539913) | about a year ago | (#44003739)

Step 1: Make pointless and annoying request
Step 2: Watch as security problem is created in the fallout
Step 3: Be smug

Re:DPL, the ultimate sticklers (-1)

Anonymous Coward | about a year ago | (#44003767)

Step 4: RMS shits in your mouth.

Yup, all-too-common free software experience: (1, Insightful)

aussersterne (212916) | about a year ago | (#44004173)

break something that's working well just to score correctness points, because in free software, "working well" and "correct" are often not only separate quantities, but orthogonal ones.

Re:DPL, the ultimate sticklers (4, Informative)

Kidbro (80868) | about a year ago | (#44004765)

Except, of course, that the request wasn't pointless:
http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html [debian.org]

The name actually caused real problems for Debian maintainers and users.

What problems? (0)

Anonymous Coward | about a year ago | (#44005173)

The only problems listed were invalid whines of overly pedantic assholes who are just looking to pick a fight. How dare someone create a 3rd party archive that has the same package names. How dare someone create a domain name with the word debian in it. It's just so fucking confusing for people who are completely clueless. The concept of a PPA or third party repository is just too complicated for the high and mighty debian developers to handle. They would rather attempt to threaten anyone who dare threatens their pristine virgin OS by creating their own software repositories and sharing them with the public.

Some people in the Debian project define success in how many packages they can get REMOVED from the repositories. The more popular the package is the better and the more arcane the reasoning is the better, hence why Debian has iceweasel while virtually every single other linux distro has Firefox. They simply do it for the lulz.

Re:What problems? (1)

Anonymous Coward | about a year ago | (#44005311)

you are an ignorant fool of a troll, but I'll answer anyway in case you are just plain ignorant.

debian-multimedia was primarily renamed to deb-multimedia to protect the debian trademark, which the law says must be protected if you want to keep it.

firefox was renamed iceweasel at the request of mozilla, after they removed their permission for debian to use their trademark on debian security packages. this is why on ubuntu you get new firefox versions in the LTS, and on debian you get bug and security fixes to the existing version without head-first upgrades to the next version.

Re:DPL, the ultimate sticklers (1)

c (8461) | about a year ago | (#44005379)

The name actually caused real problems for Debian maintainers and users.

Hmmm... well, having scanned through that thread (read it folks, it's not that long), all I can say is that if that's the DPL-approved way of fixing problems, I don't want those idiots anywhere near my plumbing.

Public ultimatums are not an appropriate or effective technique to use on someone you don't have any functional control over.

Re:DPL, the ultimate sticklers (1)

pla (258480) | about a year ago | (#44005419)

Except, of course, that the request wasn't pointless

Those do not describe "real" problems.

The first describes why "unofficial" repositories exist in the first place - So we can install non-stock versions of packages. That breaks dependencies? Hey, the user has to choose to add those to his apt sources, so keep your nose out of it, DPL.

And the second amounts to nothing more than weaselly lawyering up. Quick poll, everyone who loves FOSS at least in part to avoid that pro-corporate "protect our IP at all costs" bullshit, raise your hand? Yeah, thought so.

From Redhat to Ubuntu and now to games like this from Debian, has the entire Linux community sold out?

/ Glad I've always preferred Slackware. No games, no GNU/purism, no corporate BS. Just a rock-solid distro that stays true to its roots.

AND THIS IS WHY EVERYONE KNOWS LINUX SUCKS !! (-1)

Anonymous Coward | about a year ago | (#44003831)

Because, well, face it, it does suck !! If it were not free no one would use it !! It is like the free shit handed out in the aisles of your favorite market !! If only beer truly were free, as in beer !! What does that mean ?? You tell !!

WHOIS (1)

olsmeister (1488789) | about a year ago | (#44003875)

Domain ID:D168841859-LROR
Domain Name:DEBIAN-MULTIMEDIA.ORG
Created On:01-Jun-2013 14:30:15 UTC
Last Updated On:07-Jun-2013 08:15:23 UTC
Expiration Date:01-Jun-2014 14:30:15 UTC
Sponsoring Registrar:Center of Ukrainian Internet Names dba UKRNAMES (R1787-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:UANS-00000704339
Registrant Name:Mikhail Dashkel
Registrant Street1:Dekhtyarovskaya, 26, 13
Registrant Street2:
Registrant Street3:
Registrant City:Kiev
Registrant State/Province:Kievskaya
Registrant Postal Code:35000
Registrant Country:UA
Registrant Phone:+380.637806963
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:urbanus@bigmir.net
Admin ID:UANS-00000704340
Admin Name:Mikhail Dashkel
Admin Street1:Dekhtyarovskaya, 26, 13
Admin Street2:
Admin Street3:
Admin City:Kiev
Admin State/Province:Kievskaya
Admin Postal Code:35000
Admin Country:UA
Admin Phone:+380.637806963
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:urbanus@bigmir.net
Tech ID:UANS-00000704341
Tech Name:Mikhail Dashkel
Tech Street1:Dekhtyarovskaya, 26, 13
Tech Street2:
Tech Street3:
Tech City:Kiev
Tech State/Province:Kievskaya
Tech Postal Code:35000
Tech Country:UA
Tech Phone:+380.637806963
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:urbanus@bigmir.net
Name Server:NS1.DARTMATS.NET
Name Server:NS2.DARTMATS.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

Re:WHOIS (1)

shentino (1139071) | about a year ago | (#44003919)

somehow I read that as "uranus" instead of "urbanus"

Re:WHOIS (1)

jones_supa (887896) | about a year ago | (#44004409)

He seems to host some kind of motorcycle website there.

Re:WHOIS (1)

LordLimecat (1103839) | about a year ago | (#44004423)

Oh, I'm sure it will be fine. That looks perfectly trustworthy.

Why not automate the fix? (1)

readingaccount (2909349) | about a year ago | (#44003887)

Given not everyone will know the repo had been moved and the domain is now registered to new owners, the most sensible approach in this case would have been to post an emergency update through the official Debian repositories, such that if Debian-Multimedia.org is present, it is automatically removed from any source.list files and replaced with deb-multimedia.org. No harm, no foul.

Re:Why not automate the fix? (1)

UltraZelda64 (2309504) | about a year ago | (#44003935)

I agree. If the Debian project wants to cause these possible security problems for stupid trademark/naming issues, then the least they can do is push an update to fix this for all affected users. As it is, they're causing a potential serious security problem for many of their users... and yet, actively doing nothing at all to eliminate the chance of Debian machines getting owned by malicious package installs. I would say that this is a pretty big mistake, on the level of the SSL certificate problem several years ago... but potentially much worse because the people within Debian itself knew the consequences and what could happen by forcing the changing of a major third-party repo after so many years.

Re:Why not automate the fix? (3, Insightful)

BitZtream (692029) | about a year ago | (#44004015)

No one 'forced' him to change the name. Read that again. NO ONE FORCED HIM TO CHANGE THE DOMAIN NAME.

They asked for him to stop soliciting donations in a way that made it look like he was doing it for Debian proper. Then if he didn't want to do that, they started clamping down on the name usage in order to resolve the real problem, which is him making it unclear that he isn't collecting for Debian proper.

He's an ass and didn't want to stop scamming people for donations (he is intentionally misleading, this was discussed on the mailing list and it's clear), so he responded in a passive aggressive way.

This isn't about 'trademarks' or naming, it's about integrity and ethical practices. The naming thing is just a way to require an uncooperative asshole into doing what they want. This is EXACTLY THE REASON TRADEMARK LAWS EXIST. To prevent some jackass like this from tricking people into donating to something other than what they think they are donating to.

The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party, and that leads us to ...

The big mistake is Linux geeks in general. You don't have signed repositories because you all get so uppity about someone being the 'central authority' that you lose basic functionality and usability ... and end up with the EXACT same flaws you rant on about. Don't let anyone centrally sign things and validate others as being legitimate, make everyone do it themselves! That's so much better! Power to the people! ... the people who will then put a single line in a relatively obscure configuration file and then forget it for the rest of the install.

Then you come back ... and the solution you propose ... is to have the debian organization function as a clearing house by remapping someone else's domain. Do you want them to run a walled garden or not? Pick one or the other. Just because you don't recognize your request as being a walled garden doesn't make it any less so. You're asking Debian to play moderator, gate keeper.

You'll then flip the fuck out if it turns out that debian-multimedia.org is owned by someone who is legitimate about it. (not likely, but not impossible, yet)

No, they shouldn't patch the package manager for the good of others, they should let you get exploited. You added the repository of a douche, your problem. You didn't want them playing gate keepers, remember, that's why you have an unsigned file without digital signatures as your list of repositories.

Re:Why not automate the fix? (1)

KGIII (973947) | about a year ago | (#44004105)

I haven't been following this so I don't know. You're not that clear either. First you say that nobody forced him to change the name. Then you say they "clamped down" on the name bit which, well, means they forced him to change the name unless I'm not getting something. It certainly sounds like they forced him to change the domain name given your description except you preface it by saying they didn't - then you say they did. Like I said, you're not helping.

Perhaps you can clear up what you wrote?

Re:Why not automate the fix? (1)

osu-neko (2604) | about a year ago | (#44004329)

Then you say they "clamped down" on the name bit...

No, you misread. They didn't "clamp down" on the name. You appear to have missed an "if" that was written above. They probably would have clamped down on the name if he had refused to make it clear that donations to him are not donations to Debian. But it never got that far. All they did do was "ask him to stop soliciting donations in a way that made it look like he was doing it for Debian proper." They made a request, that's all they did, and this was how he responded to the request.

Re:Why not automate the fix? (1)

KGIII (973947) | about a year ago | (#44004479)

Ah - but they have this in there:

"Then if he didn't want to do that, they started clamping down on the name usage in order to..."

The sentence makes no sense so I read it as they started clamping down on the name usage (which is what it says). If he hadn't changed the name then they WOULD have started clamping down? Did they threaten to clamp down on the name usage? If they threatened then it could still be said that they forced him to change his name (it was the only alternative he had if he didn't want to change his donation crap).

It isn't that I support the guy. Don't think that. It's that I want to understand the truth, not the nuance but the truth. I want to know what REALLY happened (without needing to go through all the lists) and it appears that people have gone through the lists and they're not being all that informative. Yes, yes, I'm lazy but that's the point of being on a site such as this - sharing of information.

I didn't really misread the "if"; I just didn't know if it was in error or intentional or just meant to obscure, as the remainder of the sentence says that they DID start clamping down. The two parts of the sentence do not go together. If he didn't do something they started something. It makes no sense.

Re:Why not automate the fix? (1)

sjames (1099) | about a year ago | (#44005425)

So they demanded that he pick one of two options, the least unpalatable of which was changing the domain name.

So, yes they did force him to change the domain name, even if they were nice about it.

Re: Why not automate the fix? (0)

Anonymous Coward | about a year ago | (#44004199)

Having a central authority is not a solution either. It just opens another vector of attack. You fail to mention that this solution has been considered and rejected by others.

However, there certainly is a flaw. A solution is coming, but no one has implemented it yet. I think it may require the ability to create artificial and temporary trusted authorities whose trustworthiness can be validated mathematically.

We simply do not yet have software advanced enough to validate trustworthiness. Our reliance on trusting other people is still a point of vulnerability, as it has been for all of history. However, we now regularly trust many people we have never met.

This is the frontier, and we haven't tamed trust yet.

Re:Why not automate the fix? (0)

Anonymous Coward | about a year ago | (#44004255)

This is why you never use anything associated with freetards.

Re:Why not automate the fix? (1)

petermgreen (876956) | about a year ago | (#44005199)

The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party

We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.

1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to do so in a secure manner. They are likely to either go to the website on the domain in question to get the key or download it from a public keyserver by its 32-bit key ID (which are easy enough to collide).

Re:Why not automate the fix? (1)

julesh (229690) | about a year ago | (#44005685)

The proper way to resolve this exact problem is to require sources to have a valid digital signature signed by a trusted party

We DO have signed repositories and apt DOES check the signatures. However there are a couple of traps the unwary could fall into.

1: Some people may have just decided to ignore the security warning rather than properly set up the key for a third party repository.
2: The first assumption of someone getting a key error who isn't aware that the domain is no longer in trusted hands may well be to think that they haven't installed the key properly and to go to reinstall the key. Unfortunately they are unlikely to do so in a secure manner. They are likely to either go to the website on the domain in question to get the key or download it from a public keyserver by its 32-bit key ID (which are easy enough to collide).

Or, worse still: apt-get install deb-multimedia-keyring as is recommended on the archive's home page.

Re:Why not automate the fix? (1)

Anonymous Coward | about a year ago | (#44005959)

Bullshit.
http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html [debian.org]

Thinking about it, I think we should choose one of the two possible ways
forward:

1) You and the pkg-multimedia team reach an agreement on
      which-packages-belong-where. One way to settle would be that for
      every package that exists in the official Debian archive, the same
      package should not exist in d-m.o, unless it has a version that does
      not interfere with the official packages in "standard" Debian
      installations. Another way would be to rename packages and sonames.

      I understand that such agreements would give a sort of "advantage" to
      the pkg-multimedia people over d-m.o, but that seems to be warranted
      by the fact that they are doing the official packaging, while you're
      not. If, as I hope, you could start doing your packaging work
      (wherever possible) within Debian as well, things would be different
      and we could consider solving potential technical conflicts in the
      usual Debian way.

2) You stop using "debian" as part of the domain name of your
      repository, which is confusing for users (e.g. [2,3]). That would
      allow each part to keep on doing what they want in terms of
      packaging, but at least would remove any of the existing doubts
      about the official status of d-m.o.

      [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660924#20
      [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668308#47

      I can imagine that would be a painful step for you to take, given the
      well established domain name. But it seems fair to ask you to do so
      if we couldn't manage to find an agreement between you and the
      official Debian packaging initiative of software you're maintaining
      in an unofficial repository.

TLDR version: rename all packages that collide with debian package names or drop the domain name.

Attacks on Package Managers (4, Interesting)

Anonymous Coward | about a year ago | (#44003933)

https://www.cs.arizona.edu/stork/packagemanagersecurity/ [arizona.edu]

Do read it all. It may not apply here but it should be read by everyone who uses package managers.

Re:Attacks on Package Managers (0)

Anonymous Coward | about a year ago | (#44004115)

That article is nearly five years old. How can we know how much of it is still relevant?

Re: Attacks on Package Managers (2, Informative)

Anonymous Coward | about a year ago | (#44004359)

Vulnerabilities do not vanish with time, but good geeks adapt. Eight years ago, Debian responded to these problems. http://wiki.debian.org/HowToSetupADebianRepository

mostly a non-issue (4, Informative)

louden obscure (766926) | about a year ago | (#44004129)

I've had this repo in my apt list forever, it's changed names three times and has had two maintainers since I've added it to my list. It's where the dvd decrypter deally lived and a better mplayer package and well surprise, multi-media packages that were/are bleeding edge compared to the stock debian fare. I changed my apt source ages ago to reflect the title change after I noticed apt-get was pitching a fit; it only took opening up another browser tab and going to the multi-media web site to see why. You have to manually edit/write a file to add the repo, manually grab and load the key. Jeeze, I always have to add non-free and contrib on a new default install.

I'm cutting the multi-media maintainer lotsa slack, I appreciate his effort.

Re:mostly a non-issue (0)

Anonymous Coward | about a year ago | (#44004489)

I honestly can't tell why Debian insists on using years-old software, and not including basic, commonly-used packages in its repository (e.g., avidemux). I left Debian for Xubuntu a few years ago and made the mistake of installing Debian when I reformatted my work workstation. It may have been stable, but many packages were noticeably outdated (it shipped with OpenOffice 2, Ruby 1.8, and PHP 5.1—all uselessly out of date); it was like running RHEL.

Re:mostly a non-issue (0)

Anonymous Coward | about a year ago | (#44004859)

Bullshit.

Lenny, released in Feb 2009, has ruby 1.9 packages. The php5 version was 5.2.6. Squeeze, released Feb 2011, uses Openoffice 3.2.

Debian Stable packages are up to a few years old; it's a stable release, not bleeding edge. However, your numbers are laughably wrong, or you just neglected to mention that your experience, and all of your data, is from 5+ years ago. If it's been that long, then your experience, and your numbers, are uselessly out of date.

multi-media bone headed stupidity! (-1)

Anonymous Coward | about a year ago | (#44004367)

OK you guys I absolutely must watch my pron in WMV And absolutely cannot do without WMA and I want it to just work! Not only that if I want to watch stuff from the local hot vid shop on my 'puter I am getting sick and tired of having to do stupid things like type sudo /usr/share/doc/libdvdread4/install-css.sh just so I can get my rocks off.

What's with that? With Windows I never had any of these problems all I had to do was go get my system re-installed every few months and it only cost me about 100 bucks every time. The guys in the shop even promised they could care less about the content of my hard drive... nice guys. I had absolutely no issues with giving them my money every couple of months just so I could avoid having to use APT. That's the trouble with just about all Linux distros they actually expect the users to think!

Something which fortunately does not happen very much any more thanks to Microsoft.

Re: multi-media bone headed stupidity! (0)

Anonymous Coward | about a year ago | (#44004445)

I have bad news for you. Most of those porn websites were not running Windows, so while you may think you were stroking yourself while watching Russian co-eds stroke a horse's underside, you were actually entering terminal commands for Iranian Occupy Bitcoin miner vegans.

Re: multi-media bone headed stupidity! (0, Offtopic)

Anonymous Coward | about a year ago | (#44004619)

I have bad news for you. Most of those porn websites were not running Windows, so while you may think you were stroking yourself while watching Russian co-eds stroke a horse's underside, you were actually entering terminal commands for Iranian Occupy Bitcoin miner vegans.

Funny as hell guy! When you wake up tomorrow and drive into Redmond I hope you think about how stupid the comment you made last night really was. One thing for sure you didn't turn your wife on the way I did after watching the Russians do their thing. Good thing that my e-mail does not get pounded like the idiots who use hotmail while watching the Russians all the time clicking on phoney links with aspx and even activex headers!!!!!

I mean really here we are with the freakin' US government warning people about Microsoft and yet there are still some desperate trolls out there trying to push Windows as a secure method of browsing.

No doubt the recent advertising that Bing is superior proves only one thing. The next move will be free advertising on Bing to screw over Google for good. But we are drifting off topic and I shall return to the topic.

The guys and gals over at Debian cannot and will not endorse software that shows up on a repo using an apt file identifier that is not fully endorsed to be free from patent encumbered codecs. SO BIG FREAKING DEAL.

It is Microshaft and their minions at MPEGLA that are usurping the ability of users to choose which operating system they want to use to watch DVDs on a computer. AND GUESS WHAT STUPID. In my books that is precisely the core of the issue.
ALL pron, RUSSIAN NUDES and the like aside. Microsoft is a convicted monopolist and is manipulating legislators in the West to a disgusting degree.

The only way to fight this bullshit is with the truth and again guess what the truth is that the majority of computer security issues come from the use of modified internet protocol shit from Microsoft that can and does hose system files in Windows.

The last heavily publicized OS hack convention in Vancouver did not even include an Ubuntu machine this time....guess why, the last few times no one was able to pown one even with a stock install! So I guess that just goes to show how well the PR shill idiots from Microsoft are doing at keeping the computer sheep from moving to Linux.

All I have to do is track this thread and again guess what the shills are still there bleating away at any possible chance to claim that Linux is as insecure as Windows. I highly doubt you even understand what an apt/sources list is for in the first place DO YOU? And again all one has to do is see if the source code is available and guess what sucker if the actual source will not build to the same signature as the binary then chances are the binary in the repo is flawed.

US linux users have been checking code for years and some of us do not even write, but at least we understand why having the ability to confirm a binary is essential from a security point of view!

). There. (3, Funny)

xded (1046894) | about a year ago | (#44005065)

You're welcome [xkcd.com] .

Re:). There. (0)

Anonymous Coward | about a year ago | (#44005421)

... but now it's in the wrong place.

As bad as Windows (0)

J_Darnley (918721) | about a year ago | (#44005251)

So if it is no longer safe, does this just prove that Linux is just as bad as Windows when it comes to installing software from a random website?

Re:As bad as Windows (0)

Anonymous Coward | about a year ago | (#44005877)

No.

ahh.... (0)

Anonymous Coward | about a year ago | (#44005277)

Just let it be and see what great software will infest your machine shortly :)

Not a huge problem (1)

xororand (860319) | about a year ago | (#44005647)

It's not a significant problem because the repository is signed with OpenPGP.
aptitude displays a big red warning if there are unknown signatures in your repository.

Re:Not a huge problem (2)

julesh (229690) | about a year ago | (#44005699)

It's not a significant problem because the repository is signed with OpenPGP.
aptitude displays a big red warning if there are unknown signatures in your repository.

Unfortunately, people are likely to respond to this warning by doing what the repository maintainer suggests on the repository's home page:

apt-get install deb-multimedia-keyring

Since Squeeze you can install this package with apt-get but you need to press Y when the package asks what to do and do not press return.
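A small audit of the traps named in this thread (petermgreen's point above about ignored key warnings and collidable 32-bit key IDs, and the keyring-package and OpenPGP-warning exchange just above), as an added example that is not from the thread, from Debian or from the repository's maintainer. It parses one-line sources.list entries, flags any that still point at debian-multimedia.org, any that switch signature checking off with apt's `[trusted=yes]` option, and any third-party entry that does not pin a key with `[signed-by=...]`; it also shows why a key has to be checked by its full fingerprint, since the short ID is only the last 32 bits of it. The sample entries, the keyring path and the two fingerprints are constructed for the example, and treating only `*.debian.org` hosts as official is an assumption.

```python
"""Audit apt sources.list entries for the traps discussed in the thread.

Added example, not from the thread or from Debian's own tooling.  The sample
entries, the keyring path and the fingerprints below are constructed.
"""
import re
from dataclasses import dataclass

# The domain the advisory says is no longer under the maintainer's control.
EXPIRED_DOMAIN = "debian-multimedia.org"

# Assumption: hosts under debian.org are served with keys already shipped in
# debian-archive-keyring, so they do not need a per-entry signed-by pin.
OFFICIAL_SUFFIX = "debian.org"

# One-line format: deb|deb-src [opt=val ...] uri suite component...
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class SourceEntry:
    kind: str
    options: dict
    uri: str
    suite: str
    components: list

    @property
    def host(self):
        # "http://www.deb-multimedia.org/" -> "www.deb-multimedia.org"
        return self.uri.split("://", 1)[-1].split("/", 1)[0].lower()


def parse_line(line):
    """Return a SourceEntry, or None for blank, comment or unparseable lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, opts, uri, suite, comps = m.groups()
    options = {}
    for opt in (opts or "").split():
        key, _, value = opt.partition("=")
        options[key] = value
    return SourceEntry(kind, options, uri, suite, comps.split())


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def audit(lines):
    """Return (line_number, finding, uri) tuples for risky entries."""
    findings = []
    for number, raw in enumerate(lines, 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        if _under(entry.host, EXPIRED_DOMAIN):
            findings.append((number, "EXPIRED_DOMAIN", entry.uri))
        if entry.options.get("trusted") == "yes":
            # [trusted=yes] makes apt accept the index without any signature.
            findings.append((number, "SIGNATURE_CHECK_DISABLED", entry.uri))
        elif "signed-by" not in entry.options and not _under(entry.host, OFFICIAL_SUFFIX):
            # Third-party repo relying on whatever keys are globally trusted.
            findings.append((number, "NO_PINNED_KEY", entry.uri))
    return findings


def _normalize(fingerprint):
    return fingerprint.replace(" ", "").upper()


def short_key_id(fingerprint):
    """The 32-bit 'short' key ID is just the last 8 hex digits of the fingerprint."""
    return _normalize(fingerprint)[-8:]


def key_matches(expected_fingerprint, candidate_fingerprint):
    """Accept a key only on full 160-bit fingerprint equality; a matching short
    ID is no evidence that the key is the one you expected."""
    return _normalize(expected_fingerprint) == _normalize(candidate_fingerprint)


# Constructed sample sources.list content (not taken from any real system).
SAMPLE_SOURCES = """\
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb http://www.debian-multimedia.org/ wheezy main non-free
deb [trusted=yes] http://www.deb-multimedia.org wheezy main non-free
deb [signed-by=/usr/share/keyrings/example-keyring.gpg] http://www.deb-multimedia.org wheezy main non-free
# deb-src http://www.debian-multimedia.org/ wheezy main
"""

# Constructed fingerprints that differ everywhere except their last 32 bits.
EXPECTED_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF DEAD BEEF"
LOOKALIKE_FPR = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 DEAD BEEF"

if __name__ == "__main__":
    for number, finding, uri in audit(SAMPLE_SOURCES.splitlines()):
        print(f"line {number}: {finding} {uri}")
    print("short IDs equal:", short_key_id(EXPECTED_FPR) == short_key_id(LOOKALIKE_FPR))
    print("keys match:", key_matches(EXPECTED_FPR, LOOKALIKE_FPR))
```

On a real system you would feed it the same files the grep earlier in the thread looks at, /etc/apt/sources.list and /etc/apt/sources.list.d/*.list; it does not understand the newer deb822 `.sources` layout. The point of `key_matches` is the one petermgreen makes: when a key warning appears, compare the full fingerprint against one obtained out of band, never a short ID fetched from a keyserver or from whoever now controls the domain.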
