The Debian project is warning users that the unofficial Debian Multimedia repository now has to be considered unsafe. According to the Debian maintainers, the debian-multimedia.org domain is not being used by the maintainers of the unofficial repository any more and is now registered to a party unknown to the Debian project. This means that the repository is no longer safe to use and users should remove it from their sources.list file as soon as possible.

In its announcement, the Debian project is recommending that users check their systems by running

grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

which will show debian-multimedia.org in its output if the user has the untrustworthy repository enabled. Meanwhile, Debian developer Steve Kemp has asked the community to create a tool for the distribution to easily manipulate entries in the sources.list file as Debian currently does not ship such a tool. At the moment, users have to edit their repository sources with a text editor.

Using unofficial repositories always represents a security risk and this example clearly shows one of the reasons, as the project usually does not have any control over such repositories. Since the new owners of the debian-multimedia.org domain are unlikely to have access to the signing keys for the expired repository, the security risk is somewhat mitigated as long as users do not install unsigned packages. In any case, removing the repository from one's sources file as Debian recommends is the best procedure to follow.
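As an added example (not part of the Debian announcement and not a Debian tool), the following shell function does by script what the article says users currently do by hand: it comments out active entries that mention the domain and keeps a copy of each changed file. The function name, the "# disabled:" marker and the .bak suffix are assumptions made for illustration, and only one-line "deb ..." style entries are handled.

```shell
#!/bin/sh
# Added example: comment out active one-line APT entries that mention a domain.
# Real use (as root), mirroring the grep check from the announcement:
#   disable_repo debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

disable_repo() {
    domain=$1; shift
    changed=0
    for f in "$@"; do
        [ -f "$f" ] || continue            # unmatched glob or missing file
        tmp=$(mktemp) || return 2
        # index() is a fixed-string match, so dots in the domain stay literal.
        # Lines that are already comments are passed through untouched.
        if awk -v d="$domain" '
            /^[ \t]*#/   { print; next }
            index($0, d) { print "# disabled: " $0; hit = 1; next }
                         { print }
            END          { exit(hit ? 0 : 1) }' "$f" > "$tmp"
        then
            cp -p "$f" "$f.bak" &&         # keep the original for review
            cat "$tmp" > "$f" &&           # overwrite in place, keeps owner/mode
            changed=$((changed + 1))
        fi
        rm -f "$tmp"
    done
    echo "$changed"                        # number of files modified
}

# Constructed demonstration on a scratch copy, never on /etc/apt itself.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/sources.list" <<'EOF'
deb http://ftp.debian.org/debian stable main
deb http://www.debian-multimedia.org stable main non-free
# deb http://www.debian-multimedia.org testing main
EOF
    disable_repo debian-multimedia.org "$dir/sources.list" "$dir"/sources.list.d/*
    cat "$dir/sources.list"
    rm -rf "$dir"
}
```

Running the grep check again afterwards should show only lines that start with "#", apart from matches in the .bak copies.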

(fab)