
Re: update flash



Andrei POPESCU wrote:
> Patrick Bartek wrote:
> > I am using the flashplugin from Debian's nonfree repo.  If there are
> > any security updates for it from Adobe shouldn't those updates
> > ultimately end up in the repo just like all other nonfree stuff?  Or
> > would the security updates end up in some backport repo, since it
> > would be coming from a newer, non-Linux version of Flash?
> > 
> > As far as I can tell, I have the latest version not only from the repo,
> > but according to Adobe as well: 11.2.202
> 
> You are missing the fact that the flashplugin-nonfree package doesn't 
> actually contain the plugin. The "package" is actually only a 
> downloading script executed on package install[1]. So the only way to 
> trigger an update would be to bump the package version, which has to be 
> done by the maintainer.

Exactly right.  Which is why if there is an Adobe update then the
--install must be run explicitly to install it.  The deb package
simply packages an installer.  You still need to run the installer.

> If one has good reasons to request such a version bump it would be a 
> good idea to file a bug with appropriate severity (I'd say valid 
> security concerns warrant 'important'). The package maintainer might not 
> be following updates from Adobe very closely.

I have no idea what the maintainer's strategy is on this package.  I
haven't seen package updates as often as upstream updates.  However
the man page says:

       The program update-flashplugin-nonfree takes care of
       downloading last minute information from Debian about suitable
       versions, removing the installed Adobe Flash Plugin if it has
       been reported as insecure, or, if a newer suitable version is
       available, downloading a newer Adobe Flash Player and its
       installer from the Adobe download site, run the downloaded
       installer to install the Adobe Flash Player on the local
       system, and then move the installed files to where they fit on
       a Debian system.
       ...
       The program update-flashplugin-nonfree is used in the postinst
       and prerm scripts of the Debian package, but this program can
       also be run manually by root.

I assume by this that the strategy is that I should run it whenever I
want to ensure that the system is up to date.  I don't check status
first and then do something.  In my case on the media machine if there
is a newer version then I want it installed as soon as practical.
Therefore I simply --install it without checking --status.  In my case
checking --status would be wasteful extra work even if quite small.

> Of course, the package could set up a cron job to do the update 
> automatically, but most people would hate that (me included) and it's 
> trivial to do it yourself.

Which is what I am doing when I set it up in my cron job.  Also only
two of my machines have this installed.  I avoid it on all of the rest.
Not having unsupportable nonfree blobs installed is better when possible.

The real problem is with closed source proprietary blobs like these.
If it were free(dom) software then it could be maintained normally and
updates distributed by the normal Debian methods.  That it is
distributed with a non-free license is the root of the problem.  It
causes these shenanigans such as a separate installer layer.

I wish the majority of people would simply do the right thing and
avoid entrenching nonfree protocols.  If they did then we wouldn't
have this problem.  But most people don't.  And so we do.

Bob
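
Added example, not part of the message above or of the Debian package: a small cron wrapper that runs update-flashplugin-nonfree --install directly, without a --status check first, and records the outcome. The log path, the script path in the cron line, the --run switch and the assumption that the updater exits non-zero on failure are all choices of this example.

```shell
#!/bin/sh
# Cron wrapper for the installer shipped by flashplugin-nonfree.
# Constructed cron.d line (script path is hypothetical):
#   17 4 * * * root /usr/local/sbin/flashplugin-update --run

# Both values are assumptions of this example and can be overridden.
UPDATER="${UPDATER:-update-flashplugin-nonfree}"
LOGFILE="${LOGFILE:-/var/log/flashplugin-update.log}"

# Run the installer once and log the result.
# Returns 0 on success, 1 if the updater failed, 2 if it is not installed.
run_flash_update() {
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # The package may have been removed while the cron entry stayed behind.
    if ! command -v "$UPDATER" >/dev/null 2>&1; then
        echo "$stamp updater not found: $UPDATER" >>"$LOGFILE"
        return 2
    fi

    # --install is run unconditionally; no --status check beforehand.
    if output=$("$UPDATER" --install 2>&1); then
        echo "$stamp ok" >>"$LOGFILE"
        return 0
    else
        status=$?
    fi

    # Log the failure and print the updater's output on stderr so that
    # cron mails it to root instead of failing silently.
    echo "$stamp failed (exit $status)" >>"$LOGFILE"
    echo "$output" >&2
    return 1
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_flash_update
fi
```

A failed or missing updater leaves the previously installed plugin version in place, so the log is the place to look when a machine falls behind.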
