Re: flashplugin-nonfree get-upstream-version.pl security concern

To: debian-security@lists.debian.org
Subject: Re: flashplugin-nonfree get-upstream-version.pl security concern
From: Michael Gilbert <mgilbert@debian.org>
Date: Wed, 12 Dec 2012 17:26:57 -0500
Message-id: <[🔎] CANTw=MOB8g0L-TwBeFmgTAd68wv=dJwjKFFszhHptRGc9HedRA@mail.gmail.com>
In-reply-to: <[🔎] 50C8C45F.1050404@riseup.net>
References: <[🔎] 50C8C45F.1050404@riseup.net>

On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote:
> What is Debian policy on code execution from user websites?

Unfortunately there is none.  I've tried to gain consensus that at a
minimum things downloaders like this need to stay out of main, but
that thought hasn't really gained traction.

The real answer is that this package is in contrib and thus not
security supported at all.  Ultimately, for anyone even modestly
security-conscious adobe flash should really be avoided at all costs.
Alternatives include lightspark, gnash, and (most preferably) html5.

Best wishes,
Mike

Reply to:

Follow-Ups:
- Re: flashplugin-nonfree get-upstream-version.pl security concern
  - From: Jason Fergus <leech@thefnords.org>
- Re: flashplugin-nonfree get-upstream-version.pl security concern
  - From: Davide Prina <davide.prina@gmail.com>

References:
- flashplugin-nonfree get-upstream-version.pl security concern
  - From: adrelanos <adrelanos@riseup.net>

Prev by Date: Re: flashplugin-nonfree get-upstream-version.pl security concern
Next by Date: Re: flashplugin-nonfree get-upstream-version.pl security concern
Previous by thread: Re: flashplugin-nonfree get-upstream-version.pl security concern
Next by thread: Re: flashplugin-nonfree get-upstream-version.pl security concern
Index(es):
- Date
- Thread