Re: flashplugin-nonfree get-upstream-version.pl security concern



On Wed, 2012-12-12 at 17:26 -0500, Michael Gilbert wrote:
> On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote:
> > What is Debian policy on code execution from user websites?
> 
> Unfortunately there is none.  I've tried to gain consensus that at a
> minimum things downloaders like this need to stay out of main, but
> that thought hasn't really gained traction.
> 
> The real answer is that this package is in contrib and thus not
> security supported at all.  Ultimately, for anyone even modestly
> security-conscious adobe flash should really be avoided at all costs.
> Alternatives include lightspark, gnash, and (most preferably) html5.
> 
> Best wishes,
> Mike
> 
> 
I could be wrong on this, but I had always thought that ANY sort of
downloader-type installer (like the flashplugin-nonfree package) could
NOT be in main.  For any package to be in main, it has to have source
code available as well as being DFSG compliant.  It's the same reason why
quake2-data packages were always in contrib.  While the source code for
quake2 is GPL, the -data package would grab the pk0.pak files off of the
CD to put them in the proper place for global Quake 2 fun.  quake2-data
was always in contrib.  I was going to use qmail as an example, but I am
guessing they changed their license recently, because previous to
Wheezy, you always had to build it from source (and there was a
qmail-src package).

Anyhow, I hope that point was made clear.  Contrib also does get
security updates, but they're not maintained by the security team (if
I'm recalling correctly; sucks getting old).  They're simply maintained
by the package maintainer.

Warning, all of the above could be incorrect, but that had always been
my impression, and I've been running Debian since 1.3 was out.  I
remember being totally stoked for Kernel 2.2.x coming out!

I totally agree with Mike though, Adobe flash has a horrible security
record, which is why Adobe has continuously been releasing new versions,
even though they said they were discontinuing support for it.  They are
all security patches!