In association with heise online

14 June 2013, 10:10

Users warned to remove Debian Multimedia repository

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Debian logo

The Debian project is warning users that the unofficial Debian Multimedia repository now has to be considered unsafe. According to the Debian maintainers, the domain is not being used by the maintainers of the unofficial repository any more and is now registered to a party unknown to the Debian project. This means that the repository is no longer safe to use and users should remove it from their sources.list file as soon as possible.

In its announcement, the Debian project is recommending that users check their systems by running

grep /etc/apt/sources.list /etc/apt/sources.list.d/* 

which will show in its output if the user has the untrustworthy repository enabled. Meanwhile, Debian developer Steve Kemp has asked the community to create a tool for the distribution to easily manipulate entries in the sources.list file as Debian currently does not ship such a tool. At the moment, users have to edit their repository sources with a text editor.

Using unofficial repositories always represents a security risk and this example clearly shows one of the reasons, as the project usually does not have any control over such repositories. Since the new owners of the domain are unlikely to have access to the signing keys for the expired repository, the security risk is somewhat mitigated as long as users do not install unsigned packages. In any case, removing the repository from one's sources file as Debian recommends is the best procedure to follow.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit