Comment 5 for bug 1312219

Florian W. (florian-will) wrote:

Debian status is inaccurate, it is actually something like "Invalid" / "Wontfix", not "Fix Released".

I do think this is a valid bug. The "proper" solution probably is: Release an updated pepperflashplugin-nonfree package every time Google updates the flash plugin. The package should contain a checksum of the current .so file and download&extract&check&install the library on installation. (This will only work if old chrome download files are available even after a new version is released… otherwise, the package installation will fail as soon as a new chrome version is released. In that case, the checksum verification should be skipped, but still: a new Debian package should be released every time flash gets updated.)

The Debian wiki says that this is not suitable for Debian because it's apparently difficult to get security updates into stable if they are not 100% security related. So I wonder why there's no special exception for closed-source software in Debian where patching ONLY security issues is simply not possible… It really sounds stupid.

> But that would reopen the debate on how to get the updated Debian package
> in stable in a user friendly way and sufficiently fast. Note that the Debian
> package would pull in a combination of feature updates and security fixes in a
> new upstream release of closed-source software, which is somewhat difficult
> for Debian procedures to install quickly in stable.

So Debian apparently prefers having really dangerous outdated versions of flash installed on their users' systems (because ~~nobody knows about update-pepperflashplugin-nonfree) instead of pushing one isolated closed-source software package (that might do a little more than fixing security issues) into stable.

The Debian process is not very well suited for closed-source software. I wonder if Ubuntu would be willing to improve this. It probably depends on the number of Chromium users, most of which probably use pepperflash-plugin-nonfree without knowing about the risk for their system when installing & forgetting about that package.

So … please: Either drop the pepperflash package and recommend upstream chrome for users that need flash, or fix the package.
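
The extract, check, install sequence proposed in the comment above, as an added shell example that is not part of the original comment or of the pepperflashplugin-nonfree package. It assumes the download is already on disk as a tar archive; `install_verified` and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example: hypothetical helper, not code from pepperflashplugin-nonfree.
# Usage: install_verified ARCHIVE MEMBER EXPECTED_SHA256 DEST
# Returns 0 on install, 1 on extraction/copy failure, 2 on checksum mismatch.
install_verified() {
    archive=$1 member=$2 expected=$3 dest=$4
    workdir=$(mktemp -d) || return 1

    # Extract only the named member into a private scratch directory,
    # never directly into the final location.
    if ! tar -xf "$archive" -C "$workdir" "$member" 2>/dev/null; then
        rm -rf "$workdir"
        return 1
    fi

    # Hash the extracted library itself (the checksum shipped in the
    # package is of the .so file, as the comment proposes).
    actual=$(sha256sum "$workdir/$member" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        # Fail closed: leave whatever is currently installed untouched.
        rm -rf "$workdir"
        return 2
    fi

    # Copy next to the destination, then rename, so a partially written
    # file is never visible under the final name.
    tmpdest="$dest.new.$$"
    if cp "$workdir/$member" "$tmpdest" && chmod 0644 "$tmpdest" \
        && mv -f "$tmpdest" "$dest"; then
        rm -rf "$workdir"
        return 0
    fi
    rm -f "$tmpdest"
    rm -rf "$workdir"
    return 1
}
```

Return code 2 gives the packaging script a distinct signal for a changed upstream file, separate from an extraction or copy failure.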