
Re: Debian Wiki FlashPlayer page



On Wed, Nov 5, 2008 at 11:08 AM, Franklin PIAT <fpiat@bigfoot.com> wrote:
> Lukasz Szybalski wrote:
>> On Wed, Nov 5, 2008 at 1:10 AM, Frank Lin PIAT <fpiat@klabs.be> wrote:
>>> Lukasz,
>>>
>>>> On Tue, Nov 4, 2008 at 5:25 PM, Frank Lin PIAT <fpiat@klabs.be> wrote:
>>>> > On Tue, 2008-11-04 at 23:14 +0100, Alexander Reichle-Schmehl wrote:
>>>> >>
>>>> >> Lukasz Szybalski schrieb:
>>>> >> > It was there before. Was flashplugin-nonfree removed from debian repository?
>>>> >>
>>>> >> See http://www.debian.org/News/2008/20080217. It was removed with 4.0r3
>>>> >> because of missing security support.  Updated packages are available via
>>>> >> backports.org.
>>>> >
>>>> > Thank you. I've merged that information in the wiki page.
>>>> > Also, I've removed duplicate content in Manual-Howto.
>>>
>>>
>>> On Tue, 2008-11-04 at 17:33 -0600, Lukasz Szybalski wrote:
>>>> Did you verify before you deleted the section from manualhowto?
>>>> The manual-howto had instruction on how to manually install flash
>>>> player to /usr/lib/mozilla/plugins/ vs the "flash=player page does
>>>> not.
>>>
>>> As I mentioned in the changelog, I removed that section because it
>>> duplicated the content of the page FlashPlayer.
>>> I decided not to merge the content because explaining how to manually
>>> install something is just the wrong way to do things: It defeats the
>>> purpose of having a distribution.
>>> People willing to install or compile stuff manually should use LFS,
>>> Gentoo, Windows or whatever.
>>
>> I agree that installing things manually is a pain but in this case it
>> seems like one of the options.
>> First, flash player was in sarge, but didn't work, then sarge fixed it
>> a year later
>> Second, etch came in with flash player, it worked, then got removed
>
> The ftpmaster removal log states :
>> [Date: Sat, 16 Feb 2008 12:46:05 +0000] [ftpmaster: Archive Administrator]
>> Removed the following packages from stable:
>>
>> flashplugin-nonfree | 9.0.115.0.1~etch1 | source, i386
>> Closed bugs: 458550
>>
>> ------------------- Reason -------------------
>> RoSRM; security nightmare
>
> You'll find the rationale for its removal in:
>  http://bugs.debian.org/458550
>
> I don't understand why it was removed either, but anyway the
> current recommended way to install Flashplugin is documented by the
> maintainer in the page "FlashPlayer"
> (basically: use backports.org)
>
>> Third, backports  repository is questionable...
>> so the only way to me seems like a manual install is one of the options.
>
> Installing anything manually is a bad practice.
> - One has to reinstall it again and again, especially when new security
> updates are published.
> - A vulnerable version could remain installed for a while.
> - The file isn't managed by apt/dpkg (conflict and dependencies)
> - Why do manually what can be done automatically
> - And many other reasons that don't come to my mind...
>
>> Above point doesn't matter now. I've merged the changes to Flash-player
>> page.
>
> Document this procedure on your own website if you want, but not on the
> wiki, where we only list recommended practices.
>
> At the risk of getting you upset, I'll remove that again.

How about just add the warning you just mentioned...
"
>Installing anything manually is a bad practice.
> - One has to reinstall it again and again, especially when new security
> updates are published.
> - A vulnerable version could remain installed for a while.
> - The file isn't managed by apt/dpkg (conflict and dependencies)
> - Why do manually what can be done automatically
"

Because if you don't want to use backports then that is your only option.
My opinion on the plugins is that they are an exception to a lot of
things. They are not stable and if you don't have the most recent flash
plugin then your website doesn't work, and if your website doesn't work
then Debian doesn't work. So I think manual option instructions should
be available. I'll add the warning you just mentioned.

I know for sure there are places that have "not recommended practice"
so I would put the warning on and let user decide instead of forcing
users to use one way over another.

If there was a security bug in a software and since it's proprietary we
really can't do patches to it, this means that this can happen again.
If lenny was stable now and there was a security problem, flashplayer
would get removed again. I wonder if a better solution would be to
create a package that gets the newest version from the flashplayer
website. Something similar to "djbdns" or the broadcom firmware package.

I'll post the question to the bug.
Lucas

