Remove unofficial debian-multimedia.org repository from your sources (debian.org)
126 points by mfincham on June 14, 2013 | hide | past | favorite | 24 comments



You shouldn't remove it, you should change it to http://www.deb-multimedia.org/ .

It's cute how debian thinks you should remove it completely (it sounds like they are insulted actually).

There are plenty of packages in deb-multimedia that are not in debian, like mythtv, avidemux, xbmc, cinelerra.

And some are simply better in deb-multimedia, like mplayer, which is compiled with many more formats than are available in the stock debian version.

Christian Marillat should get a huge amount of credit for keeping this running, even with all the flak he gets from debian sometimes.


Thanks for pointing that out, more info about why the name was changed is on the Debian list server: http://lists.alioth.debian.org/pipermail/pkg-multimedia-main...


It's really not nice how they treated him. In general his packages are better than the debian ones (where they duplicate).

Harm to users - right. I've been using dmo for at least 7 years and if I had any problems in that time I don't remember them.


At the same time, Stefan (the DPL) asked nicely [1] twice, a year ago, for the owner to transfer the domain to Debian. He even had the foresight to point out the renewal race condition which Debian lost recently resulting in the press release. The debian-multimedia guy is just being spiteful at this point given that Debian's been nothing but diplomatic.

[1] http://lists.alioth.debian.org/pipermail/pkg-multimedia-main...


> Debian's been nothing but diplomatic.

No they weren't. They kept insulting him.

I personally would have overlooked that and transferred it anyway, but I can understand why he didn't. Must have been a tough time for him.


They present two options. Option 1 is he does nothing and they risk having to pay lawyers to get the domain, which they are clearly willing to do. Option 2 is that he takes 5 minutes and helps them out for free. Since they were willing to pay lawyers to get the domain, it seems like paying him perhaps $100 or so would have made the issue go away. They probably insulted him, perhaps unintentionally, by indicating that they would monetarily value a professional's time but not his, where each was a different means to the same end.


I doubt he wants money, he wants appreciation for the hard work he does. For years he was the only realistic way to get videos to play on debian.

Instead he gets insults ("your packages harm users"), when actually his packages help users. And now, finally years later, debian got some multimedia programs into debian, and they want him to go away.

Not really the right way to treat someone who made your distribution useful for a whole class of people for years.


And his packages help users even more if he can get his changes into Debian or (even better) upstream. Forking is sometimes unavoidable but it's never ideal. I think the maintainer is just trying to maintain his fiefdom otherwise you'd see him petitioning Debian and upstream with pulls.

These software projects are just as much about social relationships and sharing as they are about code. That's why I see the maintainer's actions as petty, even if you're insulted by the DDs it's never worth it to stoop to a petty level.


"And his packages help users even more if he can get his changes into Debian or (even better) upstream."

Some of his packages (AFAICT) are built from upstream sources, but configured to include capabilities that the debian folk won't or can't build into theirs, like mplayer.

Others are packages excluded from debian entirely for these reasons, like libdvdcss.

The maintainer is providing the user who doesn't care about, or who is not in a jurisdiction where they have to care about it, a whole bunch of codecs and capabilities that the base distro doesn't and will not include.


I used debian-multimedia for years and it was mostly great.

I felt I had to stop because of all the conflicts. Over and over again I'd see mplayer crash seemingly randomly, then I'd look into it and discover that the debian-multimedia stuff was linked to the stock Debian stuff and they had differing ABIs for the same library name, so I'd have to uninstall everything from column A, then reinstall everything from column B ... after so much of this I gave up, and by that point the codecs in stock Debian didn't seem so bad. (Whereas several years ago you'd have to be stupid not to install debian-multimedia.)


No, change unofficial debian-multimedia repo to deb-multimedia.

You probably had a reason to use debian-multimedia: its packages have a lot better codec support (amongst other things) than the mainline, so you probably still have a reason to use deb-multimedia. It's the first thing I install on new debian systems and has been for years.

I'm not sure why the debian guys decided to get pissy about it, as far as I can tell the guy is doing them and their users a huge favour.


It seems like deb(ian)-multimedia was asked to stop using "debian" as a part of the domain name [1]. But I don't see why they decided to let the domain expire instead of setting up a redirect.

[1] http://lists.alioth.debian.org/pipermail/pkg-multimedia-main...


Doesn't apt verify the signature of packages before it installs them? If so, then the new domain owner shouldn't be able to do anything malicious because (s)he cannot sign the packages.


I'd say it's still pretty risky to leave this source enabled.

The behaviour shown at http://wiki.debian.org/SecureApt#How_apt_uses_Release.gpg is what a user would see if the entire repository (including the Release.gpg file) were swapped out.

Unfortunately a decent percentage of the people using debian-multimedia.org likely never imported the signing keys for the original repository at all, and wouldn't notice that the key ID had changed.

Even if they had previously installed the key, all they would get is that warning during package installation if a rogue repository was established, something which is fairly common and likely to be ignored by a good portion of the user base.

In the past even very savvy folks (Defcon attendees) have fallen afoul of accepting dodgy package updates: http://seclists.org/fulldisclosure/2011/Aug/76

Edit: I recalled hearing that they'd MITM'd Debian / Ubuntu updates but now I can't find that specific factoid again, so perhaps take the Defcon thing with a grain of salt.
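As an added example (not from the thread, and not Debian's or the repository's own tooling), a small Python audit of one-line apt source lists: it flags active entries whose host is the expired debian-multimedia.org so they can be removed or, as the top comment suggests, repointed; the replacement host www.deb-multimedia.org and the sample sources.list are assumptions constructed for the example.

```python
"""Audit apt one-line source lists for entries on the expired debian-multimedia.org domain."""
import re
from typing import List, NamedTuple
AFFECTED_HOST = "debian-multimedia.org"
# Assumption: the successor host is the one named in the thread, not derived from the page's data.
REPLACEMENT_HOST = "www.deb-multimedia.org"
# "deb [options] uri suite [components...]"; comments and blank lines do not match.
SOURCE_RE = re.compile(r"^\s*(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)\s+(\S+)(.*)$")
Finding = NamedTuple("Finding", [("line_no", int), ("original", str), ("suggested", str)])

def host_of(uri: str) -> str:
    """Extract the lowercased host from a scheme://host/... URI ("" if none)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", uri, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def audit_sources(text: str) -> List[Finding]:
    """Flag active entries whose host is the affected domain or a subdomain of it
    (host match only, so a mirror that mentions the name in its path is not flagged)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SOURCE_RE.match(line)
        if not m:
            continue
        kind, opts, uri, suite, rest = m.groups()
        host = host_of(uri)
        if host == AFFECTED_HOST or host.endswith("." + AFFECTED_HOST):
            new_uri = re.sub(re.escape(host), REPLACEMENT_HOST, uri, count=1, flags=re.IGNORECASE)
            findings.append(Finding(n, line, f"{kind} {opts or ''}{new_uri} {suite}{rest}"))
    return findings

def rewrite_sources(text: str) -> str:
    """Comment out each flagged entry and add the successor-host entry beneath it."""
    by_line = {f.line_no: f for f in audit_sources(text)}
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if n in by_line:
            out.append("# disabled (expired domain): " + line)
            out.append(by_line[n].suggested)
        else:
            out.append(line)
    return "\n".join(out) + "\n"
# Constructed sample sources.list; the mirror line mentions the name only in its path.
SAMPLE_SOURCES = """\
deb http://ftp.debian.org/debian wheezy main contrib non-free
# deb http://www.debian-multimedia.org squeeze main
deb http://www.debian-multimedia.org wheezy main non-free
deb-src [arch=amd64] http://www.debian-multimedia.org/ wheezy main
deb http://mirror.example.net/debian-multimedia.org-mirror wheezy main
"""
```

Repointing an entry does not by itself restore verification: the successor repository's signing key still has to be installed (the thread mentions a deb-multimedia-keyring package), otherwise apt keeps warning that packages cannot be authenticated.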


I have never seen such rampant speculation before. I think you should change your addendum to read "take this entire comment with a grain of salt." This gem really takes the cake:

> Even if they had previously installed the key, all they would get is that warning during package installation if a rogue repository was established, something which is fairly common

You see so many "rogue repositories" that you think they are common? I have never had one.


You're right, I didn't word that well at all.

I meant it's fairly common to see apt complaining about not having the key available to verify a package. I see this a lot in my work where sysadmins lacking clue enable a third party repository and don't bother / don't understand the need for adding the key with apt-key.


I would say that the user should be forced to install the correct GPG key, however in this case I imagine the attacker would just put up their own key on a "fake" website on the compromised domain and people would then install that. Or just ignore the warning.


He has a package deb-multimedia-keyring, and I actually think most users install it because if you don't apt-get complains.


So this means that Linux is just as bad as Windows when it comes to installing software from a random website.


This doesn't mean that at all. This is the first time I've seen the domain that hosted a trustworthy repo go bye-bye.


So it's really about trust then? You trust this website to provide what you want and nothing more. You may also trust other websites that provide up-to-date packages when your distro won't. You may also trust a website to provide software that your distro doesn't.

Why is this any safer for the clueless user?


The clueless user won't be using debian. The clueless user who's somehow found themselves in possession of a debian system won't be adding third party repos to debian. The clueless user who's somehow found themselves with a debian system with third party repos installed will be informed when the repository keys change and warned not to install the software because it can't be verified.

This is not a case of google->download->double click->virus like windows has had for so long.


I've met plenty of eager 'leet' computer geeks who are perfectly willing and capable of installing Debian, blindly following howtos and copying and pasting text from forums until they have a working system, and still completely clueless when it comes to general computer security or any other big picture aspect of how Linux works.

Hell, if I'm to be perfectly honest, I think I just described myself the first time I sat down with a spare computer and a big pile of Slackware floppies.


Heh. I suppose we all had to start learning somewhere. There were no such things as repos when I started playing with debian...

The key thing would still protect you though. If you don't have the right keys installed, apt will complain at you constantly. And if someone takes over a domain (like has happened here) and runs a malicious repo (no indication of that) you'll see the warnings again.

Trusting the debian team and a community trusted repo, backed up by signing, is a lot different than downloading unsigned packages from a variety of sites all over the net. IMHO.
