The Treviño Story
─────────────────

THE INITIAL TEXT, 2006-11-10:

The story so far: Some guy decided to make a huge list of random Ubuntu
repositories around the web, and he recommends that people dump it into their
sources.list without thinking:

http://3v1n0.tuxfamily.org/blog/lista-repository-sourceslist-ottimizzata-per-ubuntu-kubuntu-linux/

Hundreds of people (most of them Italian) have obeyed him without realizing
that the maintainer of ANY of those repositories can do ANYTHING she wants to
their systems: destroying or stealing files, stealing passwords, criminal
activity through the computers...

Oh, and my repository is listed as well. I made "new versions" of the packages
containing the default Ubuntu and Kubuntu wallpapers, where the image is
replaced with the following friendly warning:

http://soijabanaani.net/tmp/untrusted_repositories

ADDITION, 2006-11-12:

Oh well, I took down the wallpaper packages. The people who "get it" already
know better than to use Treviño's abominable sources.list. The actual users of
that list just seem to get aggressive. They'll probably continue using it
anyway. If they really want to break their system, they can feel free to do so.

Other repositories in that list have already caused users to report funny
problems, e.g. /etc/sudoers and /etc/fstab getting modified by something. That
is, of course, not caused by my wallpaper packages. Instead, that's precisely
what the wallpaper was made to warn about. Here's a related Ubuntu forum
thread:

http://ubuntuforums.org/showthread.php?t=297814

Some notes:

• My repository contains some highly experimental packages that will break
  your system unless you know exactly what you're doing. A good example is a
  linux-restricted-modules package that contains a bleeding edge nvidia driver
  that causes many programs to segfault.

  When I noticed that the number of users of my repository had suddenly
  jumped from ~5 to ~700, I immediately removed the 'all' section in order to
  prevent the repository from causing harm to users. That section was
  fortunately the only one listed by Treviño.

  Seems like many users would have preferred me leaving the repository as it
  was. According to them, I did something evil when I tried to warn them.
  Quoting them, I'm an "A$$HOLE" who "should be blacklisted by the Ubuntu
  community" and who "needs several good swift kicks in the posterior".

• My repository is hosted behind my home ADSL connection. Treviño never asked
  whether it would be a good idea to direct hundreds of users to my server.

To the users of the list:

• Any changes from my repository can be reverted easily:

  • The Gnome wallpaper:
    sudo apt-get install edgy-wallpapers/edgy

  • The KDE wallpaper:
    sudo apt-get install kubuntu-default-settings/edgy kubuntu-artwork-usplash/edgy

• On the other hand, there's no telling what the *other* repositories have
  done to your system. Perhaps some evil SOB is recording your keystrokes
  right now. You should CLEAN YOUR SOURCES.LIST IMMEDIATELY and remove all
  untrusted keys from apt-key's whitelist. Also remove or revert to edgy
  versions of any untrusted packages. Running software like tiger, aide,
  chkrootkit, rkhunter is never a bad idea. Unless some repository has
  replaced them as well... :-)

Finally I'd like to paste a hilarious quote from one of the users:

> All I’m saying is that if you want to attract people that know how to get
> around in Windows (what you might call the “power users”) and get them to try
> Linux, one thing you absolutely cannot expect them to do is sit on their hands
> and watch new versions of software be released, only to be told they can’t
> install them because they aren’t yet in the “official” repositories blessed
> by whatever “royal priesthood” controls the repositories for that
> distribution. Maybe people in some nations might put up with that (the folks
> used to living under totalitarian governments) but I can guarantee you that
> folks from the USA and other freedom-loving countries are going to tell your
> “royal priesthood” to go screw themselves.
>
> Two days ago I would have recommended Kubuntu to anyone; as of today my
> recommendation is “stick with Windows for a while longer and see if another
> Linux distribution percolates to the top, because apparently some people in
> the Kubuntu/Ubuntu community are far too full of themselves.”
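
The sources.list cleanup urged above can start with an audit like the following, an added example that is not part of the original text: it parses one-line apt entries and reports every active repository whose host is not on an allowlist, plus any entry that disables signature checking with apt's trusted=yes option. The allowlist and the sample entries (including the example.org, example.net and example.com hosts) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the hosts this machine's owner has decided to trust.
TRUSTED_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}

# Constructed sample in one-line sources.list format; third-party hosts are placeholders.
SAMPLE = """\
# official archive
deb http://archive.ubuntu.com/ubuntu edgy main restricted
deb-src http://security.ubuntu.com/ubuntu edgy-security main
deb http://repo.example.org/ubuntu edgy all
deb [trusted=yes] http://another.example.net/debs ./
#deb http://disabled.example.com/ubuntu edgy main
"""

# type, optional [options], URI, suite (components are not needed for the audit)
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")


def audit(text, trusted=TRUSTED_HOSTS):
    """Return [(lineno, host, reasons)] for each active entry that needs review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments and commented-out entries are inactive
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append((lineno, None, ["unrecognised syntax"]))
            continue
        options, uri = m.group(2) or "", m.group(3)
        # file: and cdrom: URIs have no hostname, so they are reported for manual review.
        host = (urlparse(uri).hostname or "").lower()
        reasons = []
        if host not in trusted:
            reasons.append("host not in allowlist")
        if "trusted=yes" in options.replace(" ", ""):
            reasons.append("signature check disabled")
        if reasons:
            findings.append((lineno, host, reasons))
    return findings


if __name__ == "__main__":
    for lineno, host, reasons in audit(SAMPLE):
        print(f"line {lineno}: {host or '?'}: {', '.join(reasons)}")
```

To audit a real system, pass audit() the contents of /etc/apt/sources.list and of each file under /etc/apt/sources.list.d/.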