

Remove unofficial debian-multimedia.org repository from your sources - mfincham
http://bits.debian.org/2013/06/remove-debian-multimedia.html

======
ars
You shouldn't remove it, you should change it to [http://www.deb-multimedia.org/](http://www.deb-multimedia.org/).

It's cute how debian thinks you should remove it completely (it sounds like
they are insulted actually).

There are plenty of packages in deb-multimedia that are not in debian, like
mythtv, avidemux, xbmc, cinelerra.

And some are simply better in deb-multimedia like mplayer which is compiled
with many more formats than are available in the stock debian version.

Christian Marillat should get a huge amount of credit for keeping this
running, even with all the flak he gets from debian sometimes.

~~~
mfincham
Thanks for pointing that out, more info about why the name was changed is on
the Debian list server: [http://lists.alioth.debian.org/pipermail/pkg-multimedia-main...](http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/026678.html)

~~~
ars
It's really not nice how they treated him. In general his packages are better
than the debian ones (where they duplicate).

Harm to users - right. I've been using dmo for at least 7 years and if I had
any problems in that time I don't remember it.

~~~
lordgilman
At the same time, Stefan (the DPL) asked nicely [1] twice, a year ago, for the
owner to transfer the domain to Debian. He even had the foresight to point out
the renewal race condition which Debian lost recently resulting in the press
release. The debian-multimedia guy is just being spiteful at this point given
that Debian's been nothing but diplomatic.

[1] [http://lists.alioth.debian.org/pipermail/pkg-multimedia-main...](http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/027482.html)

~~~
foobarbazqux
They present two options. Option 1 is he does nothing and they risk having to
pay lawyers to get the domain, which they are clearly willing to do. Option 2
is that he takes 5 minutes and helps them out for free. Since they were
willing to pay lawyers to get the domain, it seems like paying him perhaps
$100 or so would have made the issue go away. They probably insulted him,
perhaps unintentionally, by indicating that they would monetarily value a
professional's time but not his, where each was a different means to the same
end.

~~~
ars
I doubt he wants money, he wants appreciation for the hard work he does. For
years he was the only realistic way to get videos to play on debian.

Instead he gets insults ("your packages harm users"), when actually his
packages help users. And now, finally years later, debian got some multimedia
programs into debian, and they want him to go away.

Not really the right way to treat someone who made your distribution useful
for a whole class of people for years.

~~~
lordgilman
And his packages help users even more if he can get his changes into Debian or
(even better) upstream. Forking is sometimes unavoidable but it's never ideal.
I think the maintainer is just trying to maintain his fiefdom; otherwise you'd
see him petitioning Debian and upstream with pulls.

These software projects are just as much about social relationships and
sharing as they are about code. That's why I see the maintainer's actions as
petty; even if you're insulted by the DDs, it's never worth it to stoop to a
petty level.

~~~
Nursie
"And his packages help users even more if he can get his changes into Debian
or (even better) upstream."

Some of his packages (AFAICT) are built from upstream sources, but configured
to include capabilities that the debian folk won't or can't build into theirs,
like mplayer.

Others are packages excluded from debian entirely for these reasons, like
libdvdcss.

The maintainer is providing the user who doesn't care about, or who is not in
a jurisdiction where they have to care about it, a whole bunch of codecs and
capabilities that the base distro doesn't and _will not_ include.

------
Nursie
No, change unofficial debian-multimedia repo to deb-multimedia.

You probably had a reason to use debian-multimedia: its packages have a lot
better codec support (amongst other things) than the mainline, so you probably
still have a reason to use deb-multimedia. It's the first thing I install on
new debian systems and has been for years.

I'm not sure why the debian guys decided to get pissy about it, as far as I
can tell the guy is doing them and their users a huge favour.

------
jabiko
It seems like deb(ian)-multimedia was asked to stop using "debian" as a part
of the domain name [1]. But I don't see why they decided to let the domain
expire instead of setting up a redirect.

[1] [http://lists.alioth.debian.org/pipermail/pkg-multimedia-main...](http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/2012-May/thread.html#26678)

------
gizmo686
Doesn't apt verify the signature of packages before it installs them? If so,
then the new domain owner shouldn't be able to do anything malicious because
(s)he cannot sign the packages.

~~~
mfincham
I'd say it's still pretty risky to leave this source enabled.

The behaviour shown at
[http://wiki.debian.org/SecureApt#How_apt_uses_Release.gpg](http://wiki.debian.org/SecureApt#How_apt_uses_Release.gpg)
is what a user would see if the entire repository (including the Release.gpg
file) were swapped out.

Unfortunately a decent percentage of the people using debian-multimedia.org
likely never imported the signing keys for the original repository at all, and
wouldn't notice that the key ID had changed.

Even if they had previously installed the key, all they would get is that
warning during package installation if a rogue repository was established,
something which is fairly common and likely to be ignored by a good portion of
the user base.

In the past even very savvy folks (Defcon attendees) have fallen afoul of
accepting dodgy package updates:
[http://seclists.org/fulldisclosure/2011/Aug/76](http://seclists.org/fulldisclosure/2011/Aug/76)

Edit: I recalled hearing that they'd MITM'd Debian / Ubuntu updates but now I
can't find that specific factoid again, so perhaps take the Defcon thing with
a grain of salt.
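An added example (not code from this thread or from Debian) of the clean-up the announcement asks for: parse the one-line sources.list format, flag only entries whose host is the expired debian-multimedia.org or a subdomain of it (the successor deb-multimedia.org must not match), and comment those entries out. The sample sources.list content is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domain that expired and was re-registered by a third party (from the Debian
# announcement this thread discusses).
EXPIRED_HOST = "debian-multimedia.org"

# Constructed sample of /etc/apt/sources.list lines: a subdomain mirror, a
# deb-src line, a commented-out line, an entry with an options block, and the
# successor domain, which must NOT be flagged.
SAMPLE_SOURCES = """\
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb http://www.debian-multimedia.org wheezy main non-free
deb-src http://www.debian-multimedia.org/ wheezy main
# deb http://www.debian-multimedia.org squeeze main
deb http://www.deb-multimedia.org wheezy main non-free
deb [arch=amd64] ftp://debian-multimedia.org/ squeeze main
"""

def parse_sources(text):
    """Yield (line_no, type, host, line) for each active one-line sources entry."""
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # An optional "[opt=val ...]" block may sit between the type and the URI.
        m = re.match(r"(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)", stripped)
        if not m:
            continue
        host = urlsplit(m.group(2)).hostname or ""
        yield no, m.group(1), host.lower(), line

def stale_entries(text, expired_host=EXPIRED_HOST):
    """Return (line_no, line) for active entries on the expired domain or a subdomain."""
    return [
        (no, line)
        for no, _type, host, line in parse_sources(text)
        if host == expired_host or host.endswith("." + expired_host)
    ]

def remove_stale(text, expired_host=EXPIRED_HOST):
    """Return the sources text with stale entries commented out and annotated."""
    stale = {no for no, _ in stale_entries(text, expired_host)}
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        out.append(f"# removed, {expired_host} expired: {line}" if no in stale else line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for no, line in stale_entries(SAMPLE_SOURCES):
        print(f"line {no}: {line}")
    print(remove_stale(SAMPLE_SOURCES), end="")
```

Run it against a real file with `remove_stale(open("/etc/apt/sources.list").read())` and write the result back only after reviewing it; `apt-get update` afterwards confirms apt no longer contacts the expired host.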

~~~
dfc
I have never seen such rampant speculation before. I think you should change
your addendum to read "take this entire comment with a grain of salt." This
gem really takes the cake:

 _Even if they had previously installed the key, all they would get is that
warning during package installation if a rogue repository was established,
something which is fairly common_

You see so many "rogue repositories" that you think they are common? I have
never had one.

~~~
mfincham
You're right, I didn't word that well at all.

I meant it's fairly common to see apt complaining about not having the key
available to verify a package. I see this a lot in my work where sysadmins
lacking clue enable a third party repository and don't bother / don't
understand the need for adding the key with apt-key.

------
J_Darnley
So this means that Linux is just as bad as Windows when it comes to installing
software from a random website.

~~~
kintamanimatt
This doesn't mean that at all. This is the first time I've seen the domain
that hosted a trustworthy repo go bye-bye.

~~~
J_Darnley
So it's really about trust then? You trust this website to provide what you
want and nothing more. You may also trust other websites that provide up-to-
date packages when your distro won't. You may also trust a website to provide
software that your distro doesn't.

Why is this any safer for the clueless user?

~~~
Nursie
The clueless user won't be using debian. The clueless user who's somehow found
themselves in possession of a debian system won't be adding third party repos
to debian. The clueless user who's somehow found themselves with a debian
system with third party repos installed will be informed when the repository
keys change and warned not to install the software because it can't be
verified.

This is not a case of google->download->double click->virus like windows has
had for so long.

~~~
dagw
I've met plenty of eager 'leet' computer geeks who are perfectly willing and
capable of installing Debian, blindly following howtos and copying and pasting
text from forums until they have a working system, and still completely
clueless when it comes to general computer security or any other big picture
aspect of how Linux works.

Hell, if I'm to be perfectly honest, I think I just described myself the first
time I sat down with a spare computer and a big pile of Slackware floppies.

~~~
Nursie
Heh. I suppose we all had to start learning somewhere. There were no such
things as repos when I started playing with debian...

The key thing would still protect you though. If you don't have the right keys
installed, apt will complain at you constantly. And if someone takes over a
domain (like has happened here) and runs a malicious repo (no indication of
that) you'll see the warnings again.

Trusting the debian team and a community trusted repo, backed up by signing,
is a lot different than downloading unsigned packages from a variety of sites
all over the net. IMHO.

