flashplugin-nonfree get-upstream-version.pl security concern

[adrelanos <adrelanos@riseup.net>]

Hi,

I do not want to discuss security implications of the upstream closed
source Adobe Flash plugin. This is about how the Flash plugin is
downloaded and installed in Debian.

/usr/sbin/update-flashplugin-nonfree downloads get-upstream-version.pl
http://people.debian.org/~bartm/flashplugin-nonfree/get-upstream-version.pl.gz.pgp
stores it in /tmp/xxx, runs it and deletes /tmp/xxx.

Since get-upstream-version.pl runs as root it can do anything.

I don't accuse him personally for anything. But should he ever be
compromised (forced, evil maid, etc...) it's very easy to mount a
stealth attack.

Also reviewing get-upstream-version.pl is cumbersome, you either have to
be fast enough to catch it in /tmp/xxx or to download and decrypt it
manually using his gpg key.

So far it looks clean. But that's not best security practice?

What is Debian policy on code execution from user websites?

Cheers,
adrelanos