Author Topic: Users warned to remove Debian Multimedia repository  (Read 6851 times)


djohnston

  • Guest
Users warned to remove Debian Multimedia repository
« on: 14 June 2013 at 20:07:30 »
News Source

The Debian project is warning users that the unofficial Debian Multimedia repository now has to be considered unsafe. According to the Debian maintainers, the debian-multimedia.org domain is not being used by the maintainers of the unofficial repository any more and is now registered to a party unknown to the Debian project. This means that the repository is no longer safe to use and users should remove it from their sources.list file as soon as possible.

In its announcement, the Debian project is recommending that users check their systems by running

grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*
which will show debian-multimedia.org in its output if the user has the untrustworthy repository enabled. Meanwhile, Debian developer Steve Kemp has asked the community to create a tool for the distribution to easily manipulate entries in the sources.list file as Debian currently does not ship such a tool. At the moment, users have to edit their repository sources with a text editor.

Using unofficial repositories always represents a security risk and this example clearly shows one of the reasons, as the project usually does not have any control over such repositories. Since the new owners of the debian-multimedia.org domain are unlikely to have access to the signing keys for the expired repository, the security risk is somewhat mitigated as long as users do not install unsigned packages. In any case, removing the repository from one's sources file as Debian recommends is the best procedure to follow.


Offline melodie

  • Administrator
  • Hero Member
  • *****
  • Posts: 1777
    • Citrotux
Re: Users warned to remove Debian Multimedia repository
« Reply #1 on: 14 June 2013 at 21:21:59 »
Meanwhile, Debian developer Steve Kemp has asked the community to create a tool for the distribution to easily manipulate entries in the sources.list file as Debian currently does not ship such a tool. At the moment, users have to edit their repository sources with a text editor.

Why don't they try to see if the software-properties-gtk tool from Ubuntu could be ported to Debian?



http://packages.ubuntu.com/raring/software-properties-gtk

humm… maybe too much python?

Good leaders being scarce, following yourself is allowed.

djohnston

  • Guest
Re: Re: Users warned to remove Debian Multimedia repository
« Reply #2 on: 15 June 2013 at 03:37:44 »
Why don't they try to see if the software-properties-gtk tool from Ubuntu could be ported to Debian?
I think it's probably the other way around. That is, I believe Ubuntu's was "ported" from Debian.



It's what gives you this "front end" to Synaptic:



He is referring to something like this:

Quote
Seeing this piece in the news, about how Debian-Multimedia.org is now unsafe, I was reminded we don't have a tool to manipulate sources.lists entries.

For example:

$ apt-sources list
..
deb http://ftp.uk.debian.org/debian/ squeeze main non-free contrib
deb-src http://ftp.uk.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main
..

How about listing only my repos?

$ apt-sources list steve.org.uk
deb-src http://packages.steve.org.uk/firefox-wrapper/squeeze/ ./
deb     http://packages.steve.org.uk/firefox-wrapper/squeeze/ ./
deb     http://packages.steve.org.uk/meta/squeeze/ ./
deb-src http://packages.steve.org.uk/meta/squeeze/ ./
deb-src http://packages.steve.org.uk/minidlna/squeeze/ ./
deb     http://packages.steve.org.uk/minidlna/squeeze/ ./

Now add in a command to delete lines matching a given pattern:

# apt-sources delete debian-multimedia.org

Doesn't that seem like a tool that should exist?

I've added this quick hack to this repository which you can submit pull requests against, or use as a base.

TODO: Write the "add" handler. Neaten.

Ever felt jealous that Ubuntu users can add PPAs? Now's your chance to do something like this:

# apt-sources add "deb http://packages.steve.org.uk/lumail/wheezy/ ./"
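
The grep check from the Debian announcement and the list/delete operations proposed for apt-sources, combined as an added shell example that is not part of the thread or of Steve Kemp's tool. Unlike a plain grep, it matches only active deb/deb-src entries whose URI host is the given domain or a subdomain, and it comments them out (keeping a .bak copy) rather than deleting them. APT_ROOT, apt_sources and make_sample are names assumed for this sketch; deb822 .sources files are not handled.

```shell
#!/bin/sh
# Added example, not from the thread. APT_ROOT is an assumption of this sketch:
# it defaults to /etc/apt and can point at a copy of that directory instead.
APT_ROOT="${APT_ROOT:-/etc/apt}"

# An entry matches only if it is an active deb/deb-src line whose URI host is
# HOST or a subdomain of it; comments and other hosts are left alone.
AWK_PROG='
function uri_host(   i, u) {
    for (i = 2; i <= NF; i++)
        if ($i ~ /^[a-z0-9+]+:\/\//) {
            u = $i
            sub(/^[a-z0-9+]+:\/\//, "", u)   # drop the scheme
            sub(/[\/:].*$/, "", u)           # drop port and path
            return tolower(u)
        }
    return ""
}
function hit(   h, n) {
    if ($1 != "deb" && $1 != "deb-src") return 0
    h = uri_host(); n = length(h) - length(host)
    return h == host || (n > 0 && substr(h, n) == "." host)
}
mode == "list" { if (hit()) print FILENAME ": " $0; next }
hit()          { print "# disabled: " $0; next }
               { print }'

# apt_sources list|disable HOST; disable keeps FILE.bak beside each change.
apt_sources() {
    for f in "$APT_ROOT/sources.list" "$APT_ROOT"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        if [ "$1" = list ]; then
            awk -v host="$2" -v mode=list "$AWK_PROG" "$f"
        elif [ "$1" = disable ] &&
             [ -n "$(awk -v host="$2" -v mode=list "$AWK_PROG" "$f")" ]; then
            cp -p "$f" "$f.bak" &&
                awk -v host="$2" -v mode=disable "$AWK_PROG" "$f.bak" > "$f"
        fi
    done
}
# Constructed sample tree for a dry run: make_sample DIR
make_sample() {
    mkdir -p "$1/sources.list.d"
    printf '%s\n' 'deb http://ftp.uk.debian.org/debian/ squeeze main' \
        'deb http://www.debian-multimedia.org squeeze main non-free' \
        '# deb http://debian-multimedia.org oldstable main' \
        'deb http://mirror.example/debian-multimedia.org/ squeeze main' \
        > "$1/sources.list"
}
```

To try it without touching the system, call make_sample on an empty directory, set APT_ROOT to that directory, and run apt_sources list debian-multimedia.org followed by apt_sources disable debian-multimedia.org.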


Offline melodie

  • Administrator
  • Hero Member
  • *****
  • Posts: 1777
    • Citrotux
Re: Re: Re: Users warned to remove Debian Multimedia repository
« Reply #3 on: 15 June 2013 at 16:10:52 »
I think it's probably the other way around. That is, I believe Ubuntu's was "ported" from Debian.



It's what gives you this "front end" to Synaptic:



He is referring to something like this:

Hi, yes, it gives this frontend, but not only that: it is also used independently of Synaptic in the update manager, and even if Ubuntu was ported from Debian it has a few tools/items which are not available in Debian. Other than being a heavy tool, with the list of depends it needs, I don't quite see why Debian could not use it.

When the sources are modified, when new repos are added or removed from it, or deactivated, or keys change, then the apt files are rewritten accordingly: the sources.list and any other file (the file related to the gpg key when you change an authentication key).

Good leaders being scarce, following yourself is allowed.

djohnston

  • Guest
Hi, yes, it gives this frontend, but not only that: it is also used independently of Synaptic in the update manager, and even if Ubuntu was ported from Debian it has a few tools/items which are not available in Debian. Other than being a heavy tool, with the list of depends it needs, I don't quite see why Debian could not use it.

I'm not sure what you are trying to say. I believe you are still referring to software-properties-gtk.

Why don't they try to see if the software-properties-gtk tool from Ubuntu could be ported to Debian?

If that's the case, let's look at the differences between Ubuntu's version and Debian's version. Here is Ubuntu's version (taken from Bodhi):

darrel@Bodhi:~$ software-properties-gtk --help
Usage: software-properties-gtk [options]

Options:
  -h, --help            show this help message and exit
  -d, --debug           Print some debug information to the command line
  -m, --massive-debug   Print a lot of debug information to the command line
  -n, --no-update       No update on repository change (useful if called from
                        an external program).
  -t TOPLEVEL, --toplevel=TOPLEVEL
                        Set x-window-id of the toplevel parent for the dialog
                        (useful for embedding)
  -e ENABLE_COMPONENT, --enable-component=ENABLE_COMPONENT
                        Enable the specified component of the distro's
                        repositories
  --open-tab=OPEN_TAB   Open specific tab number on startup
  --enable-ppa=ENABLE_PPA
                        Enable PPA with the given name
  -k KEYSERVER, --keyserver=KEYSERVER
                        URL of keyserver. Default:
                        hkp://keyserver.ubuntu.com:80/
  --data-dir=DATA_DIR   Use data files (UI) from the given directory
darrel@Bodhi:~$

Here's Debian's version, taken from DebWeb:

darrel@DebWeb:  11 items 220Kb -> software-properties-gtk --help
Usage: software-properties-gtk [options]

Options:
  -h, --help            show this help message and exit
  -d, --debug           Print some debug information to the command line
  -m, --massive-debug   Print a lot of debug information to the command line
  -n, --no-update       No update on repository change (useful if called from
                        an external program).
  -t TOPLEVEL, --toplevel=TOPLEVEL
                        Set x-window-id of the toplevel parent for the dialog
                        (useful for embedding)
  -e ENABLE_COMPONENT, --enable-component=ENABLE_COMPONENT
                        Enable the specified component of the distro's
                        repositories
  --open-tab=OPEN_TAB   Open specific tab number on startup
  --enable-ppa=ENABLE_PPA
                        Enable PPA with the given name
  -k KEYSERVER, --keyserver=KEYSERVER
                        URL of keyserver. Default:
                        hkp://keyserver.ubuntu.com:80/
  --data-dir=DATA_DIR   Use data files (UI) from the given directory

Sat Jun 15 11:49:01 AM CDT 2013
~
darrel@DebWeb:  11 items 216Kb ->

I can't see any difference. Can you? Except for the python version, the dependencies are the same.

Ubuntu's:

darrel@Bodhi:~$ apt-cache depends software-properties-gtk
software-properties-gtk
  Depends: python2.7
  Depends: python
  Depends: python
  Depends: python-software-properties
  Depends: python-gi
  Depends: gir1.2-gtk-3.0
  Depends: python-aptdaemon.gtk3widgets
  Depends: software-properties-common
darrel@Bodhi:~$

Debian's:

darrel@DebWeb:  11 items 220Kb -> apt-cache depends software-properties-gtk
software-properties-gtk
 |Depends: python2.7
  Depends: python2.6
  Depends: python
  Depends: python
  Depends: python-software-properties
  Depends: python-gi
  Depends: gir1.2-gtk-3.0
  Depends: python-aptdaemon.gtk3widgets
  Depends: software-properties-common

Sat Jun 15 12:05:24 PM CDT 2013
~
darrel@DebWeb:  11 items 216Kb ->


Offline melodie

  • Administrator
  • Hero Member
  • *****
  • Posts: 1777
    • Citrotux
Re: Users warned to remove Debian Multimedia repository
« Reply #5 on: 15 June 2013 at 19:32:53 »
Then I don't quite see why they would need any additional gui program to edit the sources.list file?
Good leaders being scarce, following yourself is allowed.

djohnston

  • Guest
Re: Users warned to remove Debian Multimedia repository
« Reply #6 on: 15 June 2013 at 19:52:41 »
What Steve Kemp is asking for is a command line tool to manipulate apt sources, or repo lists, or PPA lists, without having to resort to using a text editor to manually edit the sources. He proposes calling the command line tool apt-sources.


Offline melodie

  • Administrator
  • Hero Member
  • *****
  • Posts: 1777
    • Citrotux
Re: Users warned to remove Debian Multimedia repository
« Reply #7 on: 15 June 2013 at 21:35:08 »
Ok, then they will certainly sort it out. Many comments bring ideas for a solution to be used.
Good leaders being scarce, following yourself is allowed.