Flash plugin from pepperflashplugin-nonfree is installed as a Recommends of browser-plugin-freshplayer-pepperflash (source: freshplayerplugin) even if it is already installed from another package

Bug #1544409 reported by Naël
This bug affects 2 people
Affects: adobe-flashplugin (Ubuntu); Status: Won't Fix; Importance: Undecided; Assigned to: Unassigned
Affects: freshplayerplugin (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned
Affects: pepperflashplugin-nonfree (Ubuntu); Status: Won't Fix; Importance: Undecided; Assigned to: Unassigned

Bug Description

The browser-plugin-freshplayer-pepperflash package (Wily, Xenial) recommends pepperflashplugin-nonfree, which downloads the PPAPI Flash plugin from Google.

This is not the only way to install this plugin in Ubuntu: the adobe-flashplugin package, in Canonical's partner repository, installs it too (PPAPI and NPAPI).

Shouldn't Ubuntu's version of browser-plugin-freshplayer-pepperflash recommend pepperflashplugin-nonfree | adobe-flashplugin instead, then? Or only suggest pepperflashplugin-nonfree, as Alin Andrei's freshplayerplugin package does (WebUpd8 PPA)?

Recommending pepperflashplugin-nonfree only means that a user with adobe-flashplugin will get an additional PPAPI Flash plugin when pepperflashplugin-nonfree installs as a recommended dependency of browser-plugin-freshplayer-pepperflash. I don't know if it is that much of a problem, but I tend to be wary of this plugin, let alone two of them.

I believe this is a packaging issue limited to Ubuntu since Canonical's partner repository is not intended for Debian. AFAIK Debian has a unique provider of PPAPI Flash in their repositories: pepperflashplugin-nonfree.

However one could perhaps argue that the Debian package should also suggest pepperflashplugin-nonfree instead of recommending it, since it may be possible to install PPAPI Flash by other means on Debian too (I guess)?

Naël (nathanael-naeri)
summary: - Flash plugin is installed as a dependency of freshplayerplugin even if
- it is already installed by another package
+ Flash plugin is installed as a dependency of browser-plugin-freshplayer-
+ pepperflash (freshplayerplugin) even if it is already installed by
+ another package
Vincent Danjean (vdanjean) wrote : Re: Flash plugin is installed as a dependency of browser-plugin-freshplayer-pepperflash (freshplayerplugin) even if it is already installed by another package

The Debian package will keep a Recommends. This package requires the Google pepperflashplugins. The fact that pepperflashplugin-nonfree can be avoided by manually installing it explains why this is a Recommends instead of a Depends (i.e. users that really want can avoid the installation of pepperflashplugin-nonfree). But, for average users, the Recommends is good: by default, "apt-get install browser-plugin-freshplayer-pepperflash" will give them a working flash plugin.

When reading this bug report, I agree that the Ubuntu package should have an alternative. If someone tries to use it with Debian (i.e. installing browser-plugin-freshplayer-pepperflash and adobe-flashplugin but not pepperflashplugin-nonfree) and reports it works, I will also add it in Debian.

One should also probably check that there are proper Conflicts/Replaces between pepperflashplugin-nonfree and adobe-flashplugin (in particular in Ubuntu that provides both packages)

Naël (nathanael-naeri) wrote :

Makes sense. Now we need an Ubuntu MOTU maintainer to take a look at this. I can't offer to put the alternative in place myself, it is beyond my skills (one day hopefully).

> One should also probably check that there are proper Conflicts/Replaces
> between pepperflashplugin-nonfree and adobe-flashplugin (in particular in
> Ubuntu that provides both packages)

I checked and there aren't, at least in 14.04 LTS (that I'm using). There is however a proper Conflicts between flashplugin-installer and adobe-flashplugin, that both provide NPAPI Flash, so I think it makes sense that there is one too between pepperflashplugin-nonfree and adobe-flashplugin, that both provide PPAPI Flash.

I've subscribed the maintainers of the partner repository since they are in charge of adobe-flashplugin. I hope it's the way to go.

Naël (nathanael-naeri) wrote :

> I don't know if [having two PPAPI Flash plugins] is that much of a problem

Come to think of it, it is: the one browser-plugin-freshplayer-pepperflash recommends, pepperflashplugin-nonfree, must be updated manually or cronly by sudo update-pepperflashplugin-nonfree --install, while the one in Canonical's partner repository, adobe-flashplugin, updates with the rest of the system when the user sudo apt-get dist-upgrade.

The problem is that when the PPAPI/NPAPI wrapper, FreshPlayerPlugin, looks for a PPAPI Flash plugin in various directories where it may be, the one installed by pepperflashplugin-nonfree has a higher priority over the one installed by adobe-flashplugin:

  https://github.com/i-rinat/freshplayerplugin/blob/master/src/config_pepperflash.c

So the wrapper will wrap the pepperflashplugin-nonfree plugin. Therefore, a user who installs adobe-flashplugin as the plugin and browser-plugin-freshplayer-pepperflash as the wrapper will actually use pepperflashplugin-nonfree as the plugin, and if they don't notice that, there is little reason that they'll think about updating that plugin independently of the rest of their system. This will eventually lead to them using an outdated Flash plugin, with the associated security risks.

I therefore sincerely believe that browser-plugin-freshplayer-pepperflash (in Ubuntu not in Debian) should recommend pepperflashplugin-nonfree | adobe-flashplugin instead of just the former, and that pepperflashplugin-nonfree and adobe-flashplugin should conflict with each other so that they don't install alongside.

I've added this bug to the packages pepperflashplugin-nonfree and adobe-flashplugin to reflect that last point (the missing Conflicts), since I'm not sure it warrants its own bug report.
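
The dependency behaviour discussed in this comment, as an added example that is not part of the original thread or of any package's code: a simplified model of how a Recommends field with and without an alternative is resolved on a system that already has adobe-flashplugin. The function names and the installed-package set are constructed for illustration; version constraints and Provides are ignored.

```python
import re

# Packages the thread names as shipping the PPAPI Flash plugin.
PPAPI_PROVIDERS = {"pepperflashplugin-nonfree", "adobe-flashplugin"}

def parse_relation(field):
    """Split a control-file relation field into OR-groups of package names.

    "a (>= 1) | b, c" -> [["a", "b"], ["c"]]. Version constraints and
    architecture qualifiers are dropped (a simplification for this example).
    """
    groups = []
    for clause in field.split(","):
        names = []
        for alt in clause.split("|"):
            alt = re.sub(r"\(.*?\)|\[.*?\]", "", alt).strip()
            alt = alt.split(":")[0]  # drop ":any" style qualifiers
            if alt:
                names.append(alt)
        if names:
            groups.append(names)
    return groups

def pulled_in(recommends, installed):
    """Packages a default install would add to satisfy Recommends.

    Assumed model: an OR-group is satisfied by any installed alternative;
    otherwise the first alternative in the group is selected.
    """
    extra = []
    for group in parse_relation(recommends):
        if not any(name in installed for name in group):
            extra.append(group[0])
    return extra

def ppapi_providers_after_install(recommends, installed):
    """PPAPI Flash providers present once the Recommends are resolved."""
    final = set(installed) | set(pulled_in(recommends, installed))
    return sorted(final & PPAPI_PROVIDERS)

# Constructed sample state: adobe-flashplugin is already installed.
INSTALLED = {"firefox", "adobe-flashplugin"}
REPORTED = "pepperflashplugin-nonfree"                      # field as reported
PROPOSED = "pepperflashplugin-nonfree | adobe-flashplugin"  # field as proposed

if __name__ == "__main__":
    for label, field in (("reported", REPORTED), ("proposed", PROPOSED)):
        print(label, pulled_in(field, INSTALLED),
              ppapi_providers_after_install(field, INSTALLED))
```

With the reported field the system ends up with two PPAPI Flash providers, one of which is not updated through apt; with the proposed alternative nothing extra is pulled in.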

Naël (nathanael-naeri)
summary: - Flash plugin is installed as a dependency of browser-plugin-freshplayer-
- pepperflash (freshplayerplugin) even if it is already installed by
- another package
+ Flash plugin from pepperflashplugin-nonfree is installed as a Recommends
+ of browser-plugin-freshplayer-pepperflash (source: freshplayerplugin)
+ even if it is already installed from another package
Naël (nathanael-naeri) wrote :

> The problem is that when the PPAPI/NPAPI wrapper, FreshPlayerPlugin, looks
> for a PPAPI Flash plugin in various directories where it may be, the one
> installed by pepperflashplugin-nonfree has a higher priority over the one
> installed by adobe-flashplugin: [URL]

This is no longer the case since 2016-02-27 in the upstream code, and the subsequent release 0.3.5 on 2016-04-12:

https://github.com/i-rinat/freshplayerplugin/commit/00e41544ad29c87e3bf03d9953798f46cda9a16f

Wily and Xenial still ship older versions though, packaged in browser-plugin-freshplayer-pepperflash, so this problem and its consequence are still present and this bug report is still valid.

Naël (nathanael-naeri) wrote :

For future reference and the sake of completeness: this bug is not present in Andrei Alin's version of browser-plugin-freshplayer-pepperflash (source: freshplayerplugin) from ppa:nilarimogard/webupd8, starting today and version 0.3.5-1~webupd8~trusty|...|v|w|xenial~3. His version Recommends pepperflashplugin-nonfree | adobe-flashplugin instead of just pepperflashplugin-nonfree. Thanks Andrei!

So this report only concerns the version shipped with Ubuntu Wily and Xenial (and now Yakkety).

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in adobe-flashplugin (Ubuntu):
status: New → Confirmed
Changed in freshplayerplugin (Ubuntu):
status: New → Confirmed
Changed in pepperflashplugin-nonfree (Ubuntu):
status: New → Confirmed
Coeur Noir (coeur-noir) wrote :

My test case :

- adobe-flashplugin is already installed

Using synaptic I want to install :

- browser-plugin-freshplayer-pepperflash

which recommends pepperflashplugin-nonfree.

This last one seems useless as flash for chromium has already been installed through adobe-flashplugin.

So I only installed browser-plugin-freshplayer-pepperflash (without pepperflashplugin-nonfree) and Firefox shows « You have version 21,0,0,213 installed » on the page http://www.adobe.com/software/flash/about/ and « Shockwave Flash 13.1 r2 » in plugins.

I may be wrong but I think pepperflashplugin-nonfree does not update automatically* so it looks less safe than adobe-flashplugin.

*one has to periodically run
update-pepperflashplugin-nonfree --install
to keep it safe.

Stéphane (stephane-treboux) wrote :

pepperflashplugin-nonfree is broken since Google stopped shipping Flash with Chrome 54 for Linux and it is unclear if it will ever be fixed (see bug #1632870). browser-plugin-freshplayer-pepperflash could recommend adobe-flashplugin instead of pepperflashplugin-nonfree.

Still there is a problem with this approach because Firefox would see two NPAPI plugins: the official plugin from Adobe and Freshplayerplugin. There is no reliable way of ruling out the official plugin from Adobe in Firefox; disabling one from the plugin settings also disables the other.

One approach would be to split adobe-flashplugin in two packages, I have no idea if this is likely to happen. Another approach is proposed here and could be implemented in browser-plugin-freshplayer-pepperflash: https://bugs.launchpad.net/ubuntu/+source/pepperflashplugin-nonfree/+bug/1632870/comments/9

Naël (nathanael-naeri) wrote :

Gérald:

> So I only installed browser-plugin-freshplayer-pepperflash
> (without pepperflashplugin-nonfree) and Firefox shows « You
> have version 21,0,0,213 installed » on the page
> http://www.adobe.com/software/flash/about/ and « Shockwave
> Flash 13.1 r2 » in plugins.

It's all right, you're using the right plugin. The difference in reported versions between Adobe's test page and about:plugins is a known issue (https://github.com/i-rinat/freshplayerplugin/blob/master/doc/known-issues.md#flash-version-is-incorrect).

> I may be wrong but I think pepperflashplugin-nonfree does
> not update automatically* so it looks less safe than
> adobe-flashplugin.
>
> *one has to periodically run update-pepperflashplugin-nonfree
> --install to keep it safe

You are correct and this is a reason why adobe-flashplugin is recommended over pepperflashplugin-nonfree (+ the browser-plugin-freshplayer-pepperflash wrapper in both cases, if using Firefox).

Naël (nathanael-naeri) wrote :

Stéphane: see my comments 20 and 21 on bug 1632870, also:

> split adobe-flashplugin in two packages,
> I have no idea if this is likely to happen

Perhaps when Adobe releases the new NPAPI plugin that's currently in beta, we'll see flashplugin-installer (NPAPI) bumped to that new plugin, and adobe-flashplugin (currently PPAPI and NPAPI) restricted to PPAPI. But it's just as likely that adobe-flashplugin will instead continue to provide the PPAPI plugin and also provide the new NPAPI plugin.

Naël (nathanael-naeri) wrote :

Also, update to my comment 5 on this bug report:

For future reference and the sake of completeness: this bug is not present in Andrei Alin's version of browser-plugin-freshplayer-pepperflash (source: freshplayerplugin) from ppa:nilarimogard/webupd8, starting version 0.3.5-1. His version 0.3.5-1 Recommends pepperflashplugin-nonfree | adobe-flashplugin instead of just pepperflashplugin-nonfree, and his version 0.3.6-1 only Recommends adobe-flashplugin. Thanks Andrei!

So this report only concerns the version shipped with Ubuntu, imported from Debian.

Gunnar Hjalmarsson (gunnarhj) wrote :

As regards having adobe-flashplugin and pepperflashplugin-nonfree conflict with each other, please see this email correspondence I had with Chris Coulson a while ago:

<quote>
On 23/09/16 11:34, Gunnar Hjalmarsson wrote:
> Hi Chris,
>
> Writing you about adobe-flashplugin, since I noticed that you were
> the latest uploader.
>
> adobe-flashplugin conflicts flashplugin-installer, which is nice, but
> I think it would be good to let it conflict pepperflashplugin-nonfree
> also to make the installation more straight forward. For that to be
> possible, I suppose that <https://launchpad.net/bugs/1544409> needs
> to be fixed first.
>
> Do you think that would be steps in the right direction? If so, would
> it be helpful if I prepared some patches to get it done?

Not conflicting pepperflashplugin-nonfree is intentional. When we added the PPAPI plugin to adobe-flashplugin, an additional conflict would have prevented update-manager from updating the package for people who already had pepperflashplugin-nonfree installed.

Regards
- Chris
</quote>

Since it can't be done easily, I guess we have to live with this inconvenience. I've closed the adobe-flashplugin and pepperflashplugin-nonfree tasks.

As regards which package browser-plugin-freshplayer-pepperflash recommends, it's about to be fixed via bug #1633678. Marking this bug as a duplicate.

As regards the future of pepperflashplugin-nonfree, we don't need it in Ubuntu any longer since we have adobe-flashplugin. While a fixed version of it will keep being needed for other Debian distros, a reasonable measure would probably be to drop it from the Ubuntu archive in 17.04. But that part of the discussion may better be held on bug #1632870.

Changed in adobe-flashplugin (Ubuntu):
status: Confirmed → Won't Fix
Changed in pepperflashplugin-nonfree (Ubuntu):
status: Confirmed → Won't Fix
Naël (nathanael-naeri) wrote :

> As regards having adobe-flashplugin and pepperflashplugin-nonfree
> conflict with each other [...] Since it can't be done easily, I
> guess we have to live with this inconvenience. I've closed the
> adobe-flashplugin and pepperflashplugin-nonfree tasks.

I understand why the Conflicts can't be added. I can think of one last way of fixing this inconvenience in published releases: make pepperflashplugin-nonfree a metapackage Depending on adobe-flashplugin (assuming this is possible since the latter is in Canonical Partner). This would transparently substitute the former with the latter.

> As regards which package browser-plugin-freshplayer-pepperflash recommends, it's about to be fixed via bug #1633678. Marking this bug as a duplicate.

Agreed. Looking forward to your work making its way into the published releases, and we can close this bug.

> As regards the future of pepperflashplugin-nonfree, we don't need it in Ubuntu any longer since we have adobe-flashplugin.

Unless Canonical Partner can't be enabled for new desktop installations, isn't it?

> a reasonable measure would probably be to drop it from the Ubuntu archive in 17.04

I would love to see that happening. How does one go about stopping a package from being imported from Debian?

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2016-11-13 19:42, Nathanaël Naeri wrote:
> I can think of one last way of fixing this inconvenience in published
> releases: make pepperflashplugin-nonfree a metapackage Depending on
> adobe-flashplugin (assuming this is possible since the latter is in
> Canonical Partner).

For precisely that reason I'm assuming it's not possible (unfortunately).

>> As regards which package browser-plugin-freshplayer-pepperflash
>
> Agreed. Looking forward to your work making its way into the
> published releases, and we can close this bug.

I'm waiting for a sponsor to upload it to xenial-proposed and yakkety-proposed. (I'm not a MOTU.) Will probably happen soon.

> How does one go about stopping a package from being imported from
> Debian?

By requesting in a bug report that it's removed and subscribing ~ubuntu-archive. Autosync only happens for packages which already exist in the Ubuntu archive with exactly the same version number.

Naël (nathanael-naeri)
Changed in freshplayerplugin (Ubuntu):
status: Confirmed → Fix Released