For those who use the Debian Multimedia repository, the Debian project is warning users that the repository now has to be considered unsafe. The debian-multimedia.org domain is not being used by the maintainers of the unofficial repository any more and is now registered to a party unknown to the Debian project. Users are being cautioned to remove it from their sources.list file as soon as possible.

In its announcement, the Debian project is recommending that users check their systems by running

grep debian-multimedia.org /etc/apt/sources.list /etc/apt/sources.list.d/*

which will show debian-multimedia.org in its output if the user has the untrustworthy repository enabled. Debian developer Steve Kemp is asking the community to create a tool for the distribution to easily manipulate entries in the sources.list file as it does not ship with such a tool. Users currently have to edit with a text editor.

Unofficial repositories represents a security risk and this is a good example, as the project does not have any control over the repository. Since the new owners of the debian-multimedia.org domain are unlikely to have access to the signing keys for the expired repository, the security risk is somewhat mitigated as long as users do not install unsigned packages. Removing the repository from one's sources file as Debian recommends is the best procedure to follow.