Category Archives: Uncategorized

Debian/Ubuntu APT repository changes

In the upcoming release of Ubuntu 18.04 APT repositories without signed “Release” files aren’t supported out of the box anymore. I’ve therefore changed my Debian & Ubuntu APT repositories to a new layout that includes proper “Release” files. This also means that you have to update your APT repository definition.

Here’s what such a change would look like:

Before:

deb https://mkvtoolnix.download/ubuntu/artful/ ./
deb-src https://mkvtoolnix.download/ubuntu/artful/ ./

After:

deb https://mkvtoolnix.download/ubuntu/ artful main
deb-src https://mkvtoolnix.download/ubuntu/ artful main

Head over to the downloads page where you can copy & pate the appropriate entries from.

MKVToolNix v18.0.0 released

Welcome to release v18.0.0 of MKVToolNix. This is just a smallish bug fix release which also contains a couple of performance improvements.

There were no changes for package maintainers.

You can download the source code or one of the binaries. The Windows and macOS binaries are available already. The Linux binaries are stil being built and will be available of the course of the next couple of hours.

Here are the NEWS since the previous release:

New features and enhancements

  • build system: when building with clang v3.8.0 or newer, configure will no longer restrict optimization flags to -O1 and use -O3 again (older versions of clang suffered from excessive memory usage with higher optimization levels).
  • build system: when building with mingw 7.2.0 or newer, configure will no longer restrict optimization flags to -O2 and use -O3 again (older versions of mingw suffered from bugs such as segmentation faults with higher optimization levels).
  • build system: stack protection is enabled when building with clang 3.5.0 or newer on all platforms.
  • mkvmerge: AVC & HEVC ES parsers: performance improvements by copying much less memory around.
  • mkvmerge: tags: reintroduced a workaround for non-compliant files with tags that do not contain the mandatory SimpleTag element. This workaround was removed during code refactoring in release v15.0.0.
  • GUI: multiplexer: the "AAC is SBR/HE-AAC/AAC+" checkbox in the "audio properties" section will be disabled if the functionality is not implemented for the selected track’s codec & container.
  • GUI: multiplexer: the "reduce to core" checkbox in the "audio properties" section will be disabled if the functionality is not implemented for the selected track’s codec. See #2134.

Bug fixes

  • mkvmerge: AAC ADTS parser: fixed interpretation of the channel_configuration header element for ADTS files that do not contain a program configuration element: value 7 means 7.1 channels. Fixes #2151.
  • mkvmerge: Matroska identification: the date_local and date_utc attributes will only be output if the identified Matroska file actually contains the "date" header field.
  • mkvmerge: WebVTT: mkvmerge did not recognize timestamp lines if the hours components were absent. Fixes #2139.
  • mkvpropedit, GUI’s header editor: the date header field won’t be added automatically anymore whenever the segment info section is edited and the date element is either deleted or not present in the first place. Fixes #2143.

Have fun :)

MKVToolNix not affected by FossHub breach

Last week FossHub was breached by attackers from the group PeggleCrew. As I’m using FossHub as the primary mean of distributing Windows and MacOS binaries for MKVToolNix, users have asked me whether MKVToolNix or my other servers have been compromised, too.

To the best of my knowledge the answer is: no.

I base this on several facts:

  • Last week the FossHub administrators sent an quick announcement to the developers hosting their software on FossHub on the day the breach was discovered. In it the admins were very open and honest about how they’d been breached, what the attackers had had access to, and what had been modified. While they did have access to the MKVToolNix binaries, those binaries were not modified.
  • Several reports about the incident that have been release since by various media do not list MKVToolNix either.
  • The group’s Twitter account didn’t list MKVToolNix as a modified program.
  • To date I haven’t received a single report by a user about a MKVToolNix binary that was acting suspiciously or that was detected by anti virus tools as dangerous.

Another thing the attackers did have access to was the account database used for the developer section of the site. That database includes the passwords, and they’ve allegedly not been salted. This, however, doesn’t pose a problem for me either:

  • I’m using random, long passwords for such sites. Therefore it’s irrelevant whether or not the passwords have been salted as rainbow attacks (the use of pre-computed tables containing the cleartext passwords and their hashed checksums) aren’t effective against randomly generated passwords.
  • Even more important is that I don’t re-use passwords on other sites. So even if someone was able to determine the cleartext version of my FossHub password, it wouldn’t do them any good as it cannot be used to gain entry to any other service I’m using.

There are two things Windows users can do to verify that the binaries they’ve downloaded from FossHub are clean. The first is to verify its SHA-1 and SHA-512 checksums. I provide both checksums on my own server, and they’re always linked to from the download page: SHA1 checksums for 9.3.1, SHA512 checksums. Checksums for other versions can be queried by replacing the version number 9.3.1 in the URL with the one you’re interested in.

The second thing is to check that the executables (both the installer’s executable as well as the ones for the actual tools) are signed by the right certificate. I’m using a certificate signed by StartSSL (StartCom) (“CN = StartCom Class 2 Object CA, OU = StartCom Certification Authority, O = StartCom Ltd., C = IL”). My current certificate’s serial number is ‎5a:d8:f8:75:9a:c3:46:ae:8b:ec:99:15:eb:b5:5d:04 and its SHA1 fingerprint is 48:13:1B:5D:41:63:12:07:D2:86:20:6C:28:F3:78:C8:06:6F:34:AA, though those two values are subject to change when the certificate will be renewed in 2018.