Plugin needs to update automatically

Bug #1312219 reported by Marc Deslauriers on 2014-04-24
This bug affects 23 people

Affects                              Status        Importance  Assigned to  Milestone
Pepperflashplugin Nonfree            Fix Released  Unknown
pepperflashplugin-nonfree (Ubuntu)                 Undecided   Unassigned

Bug Description

The pepperflashplugin-nonfree package downloads a chrome package and rips out the pepper flash plugin binary from it upon installation.

After installation, the plugin must be manually updated by root using the update-pepperflashplugin-nonfree script.

Since the flash plugin routinely gets security updates, and is directly exposed to untrusted content, there needs to be a way for this plugin to get updated automatically, else we are exposing our users to risk.

Perhaps the best solution would be to fork the package and routinely publish security updates for it.

Changed in pepperflashplugin-nonfree (Ubuntu):
status: New → Confirmed
Obsidian (grandobsidian) on 2014-06-21
Changed in pepperflashplugin-nonfree (Ubuntu):
status: Confirmed → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pepperflashplugin-nonfree (Ubuntu):
status: New → Confirmed
murad (muradmf) on 2014-06-21
Changed in pepperflashplugin-nonfree (Ubuntu):
assignee: nobody → murad (muradmf)
assignee: murad (muradmf) → nobody
houstonbofh (leesharp) wrote :

I think the only reason this bug does not have more people is no one knows it is not being updated.

psl (slansky) wrote :

Thank you! I had no idea I had to run updates manually. That is not good...

$ update-pepperflashplugin-nonfree --status
Flash Player version installed on this system : 13.0.0.182
Flash Player version available on upstream site: 14.0.0.177

$ update-pepperflashplugin-nonfree --install --quiet

Tar Ni (taruny9) wrote :

Wow, I thought that I would get automatic updates through the Update Manager... I stumbled upon an article on a website that said the plugin didn't update itself and referred to this page. Hopefully this will be fixed soon.

Changed in pepperflashplugin-nonfree:
status: Unknown → Fix Released
Florian W. (florian-will) wrote :

Debian status is inaccurate, it is actually something like "Invalid" / "Wontfix", not "Fix Released".

I do think this is a valid bug. The "proper" solution probably is: release an updated pepperflashplugin-nonfree package every time Google updates the flash plugin. The package should contain a checksum of the current .so file and download, extract, check and install the library on installation. (This will only work if old chrome download files are available even after a new version is released… otherwise, the package installation will fail as soon as a new chrome version is released. In that case, the checksum verification should be skipped, but still: a new Debian package should be released every time flash gets updated.)

The Debian wiki says that this is not suitable for Debian because it's apparently difficult to get security updates into stable if they are not 100% security related. So I wonder why there's no special exception for closed-source software in Debian where patching ONLY security issues is simply not possible… It really sounds stupid.

> But that would reopen the debate on how to get the updated Debian package
> in stable in a user friendly way and sufficiently fast. Note that the Debian
> package would pull in a combination of feature updates and security fixes in a
> new upstream release of closed-source software, which is somewhat difficult
> for Debian procedures to install quickly in stable.

So Debian apparently prefers having really dangerous outdated versions of flash installed on their users' systems (because ~~nobody knows about update-pepperflashplugin-nonfree) instead of pushing one isolated closed-source software package (that might do a little more than fixing security issues) into stable.

The Debian process is not very well suited for closed-source software. I wonder if Ubuntu would be willing to improve this. It probably depends on the number of Chromium users, most of which probably use pepperflashplugin-nonfree without knowing about the risk for their system when installing & forgetting about that package.

So … please: Either drop the pepperflash package and recommend upstream chrome for users that need flash, or fix the package.
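
The two checks this thread keeps coming back to, the "is my installed plugin behind upstream?" comparison that psl's --status transcript shows and the "verify the checksum before installing the extracted library" step in Florian's proposal, as an added shell example. This is not code from the bug report or from the pepperflashplugin-nonfree package; the function names are my own, the status text is constructed to match the format pasted above, and the artifact and its SHA-256 digest are constructed as well (a real package would carry the expected digest of the Google-shipped .so).

```shell
#!/bin/sh
# Added example, not part of the bug report or of pepperflashplugin-nonfree.
# Decides from "--status"-style output whether the installed plugin is behind
# upstream, and verifies a downloaded artifact's SHA-256 before it is installed.
set -eu

# Constructed sample of --status output (format copied from the thread above).
SAMPLE_STATUS='Flash Player version installed on this system : 13.0.0.182
Flash Player version available on upstream site: 14.0.0.177'

# Print "<installed> <upstream>" parsed from --status text given as $1.
parse_status() {
    installed=$(printf '%s\n' "$1" | sed -n 's/^Flash Player version installed on this system *: *//p')
    upstream=$(printf '%s\n' "$1" | sed -n 's/^Flash Player version available on upstream site *: *//p')
    printf '%s %s\n' "$installed" "$upstream"
}

# Return 0 if $1 (installed) sorts strictly before $2 (upstream), else 1.
# sort -V compares dotted versions numerically, so 9.0.0.1 < 10.0.0.1.
is_outdated() {
    installed="$1"
    upstream="$2"
    if [ "$installed" = "$upstream" ]; then
        return 1
    fi
    lowest=$(printf '%s\n%s\n' "$installed" "$upstream" | sort -V | head -n1)
    [ "$lowest" = "$installed" ]
}

# Print the SHA-256 hex digest of file $1 (coreutils or macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if file $1 hashes to the expected digest $2. The expected
# digest must come from the package, never from the same download.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

main() {
    # shellcheck disable=SC2046  # word splitting into $1 $2 is intended
    set -- $(parse_status "$SAMPLE_STATUS")
    if is_outdated "$1" "$2"; then
        echo "installed $1 is behind upstream $2: update needed"
    else
        echo "installed $1 is current"
    fi

    # Constructed artifact standing in for the extracted plugin file.
    tmp=$(mktemp)
    printf 'abc' > "$tmp"
    expected=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    if verify_sha256 "$tmp" "$expected"; then
        echo "checksum OK, safe to install"
    else
        echo "checksum mismatch, refusing to install" >&2
    fi
    rm -f "$tmp"
}

main
```

Run from cron or a monitoring job, the outdated branch is the signal this thread says users never get today; the checksum branch is what stops a stale or tampered download from being dropped into the plugin directory when the Debian package's recorded digest no longer matches what Google serves.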

houstonbofh (leesharp) wrote :

I had forgotten about this. So my flash was way out of date...

This report contains Public Security information. Everyone can see this security related information.