Package is broken since Google stopped shipping Flash with Chrome 54 for Linux

Bug #1632870 reported by Stéphane on 2016-10-12
124
This bug affects 31 people
Affects Status Importance Assigned to Milestone
pepperflashplugin-nonfree (Debian)
Fix Released
Unknown
pepperflashplugin-nonfree (Ubuntu)
High
Unassigned
Trusty
High
Bhavani Shankar
Xenial
High
Bhavani Shankar
Yakkety
High
Bhavani Shankar

Bug Description

[Impact]

Pepperflashplugin-nonfree is a Debian package, slightly modified for Ubuntu, and available in multiverse, that downloads the PPAPI Flash plugin from Google (up to v1.8.3 in Debian and v1.8.2+nmu1ubuntu1 in Ubuntu 16.10) or Adobe (starting with v1.8.3+nmu1 in Debian and v1.8.3+nmu1ubuntu1 in Ubuntu 17.04), and installs it as /usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so.

Versions that download the PPAPI plugin from Google are currently broken since Google decided to unbundle the plugin from Chrome 54, released in late 2016-10. Until that date, ripping the PPAPI plugin from a download of Google Chrome (which comes as a .deb package) was a popular way to get it, and the only possible way on Linux in the early days of the PPAPI plugin, when it was only available to Google. Then Adobe made the Linux PPAPI plugin available to Canonical and on their download site.

The Debian package was changed to download the plugin from Adobe, in version 1.8.3+nmu1 on 2017-01-14, and that fix landed in 1.8.3+nmu1ubuntu1 in Ubuntu 17.04 (the current development release) on 2017-01-22.

The package is still broken in the published releases: 16.10 16.04 14.04. It could be repaired by merging the changes made between 1.8.3ubuntu1 and 1.8.3+nmu1ubuntu1 into the published releases' versions of the package.

This would qualify for an SRU because the bug comes from a change in a web service that made the package stop being installable. This change also causes a security vulnerability in so far as the Flash plugin can no longer be updated (updates were processed by downloading a new version of Google Chrome and extracting the bundled Flash plugin).

[Test Case]

On Ubuntu < 17.04, installation and reinstallation of pepperflashplugin-nonfree (v < 1.8.3+nmu1ubuntu1) fails. On Ubuntu 17.04 (v = 1.8.3+nmu1ubuntu1), it succeeds.

[Regression Potential]

I can't think of any. The new version has been in Debian Sid for one month without any report of a regression, so that's a good sign. It was initially tested in debbug 833741.

[Why not to SRU]

On the one hand, it's bad form to leave an utterly broken package in the published releases when it has been fixed in the development release and works there. Theoretically, SRUs should be performed.

On the other hand, pepperflashplugin-nonfree is The Debian's Way to install the PPAPI Flash plugin. Ubuntu users are recommended to install adobe-flashplugin from Canonical's partner repository instead. Not all Ubuntu users are aware of that. See:

https://help.ubuntu.com/stable/ubuntu-help/net-install-flash.html
https://wiki.ubuntu.com/Chromium/Getting-Flash

We can consider intentionally not fixing that package in the published releases, in which case this bug report should be marked Won't Fix in Yakkety, Xenial, Trusty.

summary: - Package is broken since Google stopped shipping Flash with Chrome 54 on
+ Package is broken since Google stopped shipping Flash with Chrome 54 for
Linux
description: updated
Stéphane (stephane-treboux) wrote :

I installed Google Chrome 54 on Kubuntu 16.04. Chrome downloaded libpepflashplayer.so to:
/home/kubuntu/.config/google-chrome/PepperFlash/23.0.0.185/libpepflashplayer.so
It looks like Google Chrome downloads the Flash plugin at runtime.

Stéphane (stephane-treboux) wrote :

With Wireshark I found that Google Chrome 54 gets downloads Flash 23.0.0.185 PPAPI for Linux from:
http://redirector.gvt1.com/edgedl/release2/rpofl8ynzf9r05ca7iim67wdwf3t0zpuehwy3aswydc9g91q5c4iydolh9lt5toluyuq2phjg168mcvxxhntm3n79e4nw3mrx1j/23.0.0.185_linux_PepperFlashPlayer.crx

CRX files are ZIP files with a special header and the .crx file extension:
https://developer.chrome.com/extensions/crx

Gunnar Hjalmarsson (gunnarhj) wrote :

It shouldn't be too difficult to get it directly from Adobe nowadays:

https://get.adobe.com/flashplayer/

But why bother? According to <https://wiki.ubuntu.com/Chromium/Getting-Flash> the pepperflashplugin-nonfree package has been deprecated for more than a year. Isn't this a suitable time to drop it somehow? It makes little sense to keep maintaining both adobe-flashplugin and pepperflashplugin-nonfree.

Stéphane (stephane-treboux) wrote :

Thanks for the hint. In my case two issues remain:
- browser-plugin-freshplayer-pepperflash recommends on pepperflashplugin-nonfree http://packages.ubuntu.com/xenial/browser-plugin-freshplayer-pepperflash, this should be removed
- in Firefox when I use browser-plugin-freshplayer-pepperflash with adobe-flashplugin I see two different versions of the Flash plugin and I am not able to force the use of the PPAPI version (disabling the NPAPI version is not sufficient)

Stéphane (stephane-treboux) wrote :

OK after some more trying it appears that Firefox cannot tell the NPAPI and PPAPI plugins apart when both are installed, some websites will start the NPAPI plugin and some other will run the PPAPI plugin. Disabling one of the plugins does not work either because the setting is applied to both plugins (this is visible after reloading the plugin setting menu). This makes browser-plugin-freshplayer-pepperflash mostly useless and "solves" my both issues, I will just stick to adobe-flashplugin and remove browser-plugin-freshplayer-pepperflash and pepperflashplugin-nonfree.

Stéphane (stephane-treboux) wrote :

By the way Adobe is working on the NPAPI Flash plugin for Linux again:
https://blogs.adobe.com/flashplayer/2016/08/beta-news-flash-player-npapi-for-linux.html

This means Firefox users would be able to use again an up-to-date version of Flash without workarounds.

Gunnar Hjalmarsson (gunnarhj) wrote :

@Stéphane: Yeah, my suggestion to "drop it somehow" implies that there is a need for some considerations; for instance there is bug #1544409. Ideally you would make pepperflashplugin-nonfree a dummy transitional package which depends on adobe-flashplugin, but since the latter resides in Canonical Partner, which is not enabled by default, it's probably not that easy.

As regards Firefox (pepperflashplugin-nonfree has never been meant for Firefox) Adobe will indeed provide an up-to-date version of the NPAPI plugin soon. Currently I'm making a modified version of adobe-flashplugin, with Flash Player 23 Beta, available in this PPA:

https://launchpad.net/~gunnarhj/+archive/ubuntu/adobe-flashplugin

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pepperflashplugin-nonfree (Ubuntu):
status: New → Confirmed
Niklas Holm (niklas-holm) wrote :

@Stéphane: You can block the plugin adobe-flashplugin installs to Firefox by manually redirecting it to /dev/null

sudo update-alternatives --install /usr/lib/mozilla/plugins/flashplugin-alternative.so mozilla-flashplugin /dev/null 100

that way browser-plugin-freshplayer-pepperflash can do its thing in peace.

A cleaner solution though would probably be for browser-plugin-freshplayer-pepperflash to use the same link as adobe-flashplugin with a higher priority to avoid this collision.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in freshplayerplugin (Ubuntu):
status: New → Confirmed
Viktor Engelmann (viengelm) wrote :

How can the priority still be "undecided" after a week, when the package is 100% dysfunctional?

You might be fine with using adobe flash, but the users of ANY Qt WebEngine based program are not.

Viktor Engelmann (viengelm) wrote :

Using Stéphanes analysis, I wrote this little script to install pepper flash manually:

#!/bin/bash

TARGET=/usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so
wget http://redirector.gvt1.com/edgedl/release2/rpofl8ynzf9r05ca7iim67wdwf3t0zpuehwy3aswydc9g91q5c4iydolh9lt5toluyuq2phjg168mcvxxhntm3n79e4nw3mrx1j/23.0.0.185_linux_PepperFlashPlayer.crx -O PepperFlash.zip
sudo mkdir -p "$(dirname $TARGET)"
sudo unzip PepperFlash.zip libpepflashplayer.so -d "$(dirname $TARGET)"
rm PepperFlash.zip

Stéphane (stephane-treboux) wrote :

@Viktor:

Thanks for sharing your script. You must be aware that the link I provided and that you are using points to a specific version of the PPAPI Flash plugin (23.0.0.185). Flash plugins are very short lived; new critical vulnerabilities will be discovered and the version 23.0.0.185 you use in your script will soon be outdated. I would recommend that your script downloads the current version of the plugin from the Canonical partner repository: http://archive.canonical.com/ubuntu/pool/partner/a/adobe-flashplugin/. The name of the file to download will change with every version but it is manageable in a script whereas the URL used by Google Chrome cannot be easily guessed.

Adobe only distributes the NPAPI Flash plugin for Linux on https://get.adobe.com/fr/flashplayer/; AFAIK the PPAPI plugin is only distributed via the Canonical partner repository. I doubt that it makes sense for the package pepperflashplugin-nonfree to download another package (in this case adobe-flashplugin) and extract its content. So most probably the package pepperflashplugin-nonfree is dead.

What is your use case which requires specifically the package pepperflashplugin-nonfree and won't work with adobe-flashplugin?

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2016-10-19 10:49, Viktor Engelmann wrote:
> You might be fine with using adobe flash, but the users of ANY Qt
> WebEngine based program are not.

I think there is some kind of misconception here. The adobe-flashplugin package installs both NPAPI and PPAPI plugins.

$ dpkg -L adobe-flashplugin | grep so$
/usr/lib/adobe-flashplugin/libflashplayer.so
/usr/lib/adobe-flashplugin/libpepflashplayer.so

Symlinks make the various programs find the applicable library.

Blaze (blaze) wrote :

Basically you need to execute

sudo ln -s /usr/lib/adobe-flashplugin/libpepflashplayer.so /usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so

to get everything working with QtWebEngine etc.

Viktor Engelmann (viengelm) wrote :

ah, I didn't know that libpepflashplayer.so is included in adobe-flashplugin. symlinking it works indeed - even in WebEngine programs.

Naël (nathanael-naeri) on 2016-10-24
description: updated
Naël (nathanael-naeri) wrote :

Viktor: your issue with QtWebEngine not finding the PPAPI Flash plugin is that it looks for it in the following three locations, if I understand correctly from http://doc.qt.io/qt-5/qtwebengine-features.html#pepper-flash-player-plugin-support:

/usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so
/usr/lib/PepperFlash/libpepflashplayer.so
/usr/lib64/chromium/PepperFlash/libpepflashplayer.so

You could ask the QtWebEngine developers to add the following path to the list, and dispense with the symlink:

/usr/lib/adobe-flashplugin/libpepflashplayer.so

Naël (nathanael-naeri) wrote :

First of all: pepperflashplugin-nonfree comes from Debian, as opposed to adobe-flashplugin which is Ubuntu-specific, and the fact that it is broken now that Google stops shipping the PPAPI Flash plugin with Chrome, starting with v54 released a few days ago, has been reported to the Debian maintainer Bart Martens:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833741
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841373

To repair the package, he could use Adobe's website instead of Google Chrome as the source for the PPAPI Flash plugin: as Gunnar mentionned the PPAPI plugin is now officially available from Adobe:

https://get.adobe.com/flashplayer/otherversions

Using this source would probably be simpler than the redirector.gvt1.com link, or ripping libpepflashplayer.so from Canonical's adobe-flashplugin package.

That said, if the Debian maintainer fixes the package, changes to it will only land in the development release of Ubuntu, not in the already-released releases, unless an Ubuntu universe/multiverse maintainer manually updates it, which I wouldn't hold my breath for, given how few they are for so many packages. So Trusty/Xenial/Yakkety users will probably stay stuck with a broken pepperflashplugin-nonfree.

Anyway, Ubuntu users are no longer supposed to use this package, as Gunnar mentionned, they should use Canonical's adobe-flashplugin instead as their source for the PPAPI Flash plugin:

https://wiki.ubuntu.com/Chromium/Getting-Flash

Gunnar's packaging of the updated beta NPAPI plugin is a new possibility too (for Firefox users), thanks Gunnar.

In any case, and despite our wishes, pepperflashplugin-nonfree is unlikely to disappear from Ubuntu, because it is Debian users' sole (packaged) way of getting the PPAPI Flash plugin and because it has no Ubuntu maintainer who could stop it from being imported from Debian at each new Ubuntu development cycle.

Naël (nathanael-naeri) wrote :

Stéphane:

> Adobe only distributes the NPAPI Flash plugin for Linux
> on https://get.adobe.com/fr/flashplayer/; AFAIK the PPAPI
> plugin is only distributed via the Canonical partner repository

This used to be the case, but no longer: Adobe now finally distributes the PPAPI Flash plugin for Linux, by itself, unbundled from Google Chrome and the Canonical package:

https://get.adobe.com/flashplayer/otherversions

I suppose we have to thank Google's decision of no longer shipping PPAPI Flash with Chrome for that.

Naël (nathanael-naeri) wrote :

Moving on to the browser-plugin-freshplayer-pepperflash issues mentioned in this thread: just like pepperflashplugin-nonfree (the PPAPI plugin), browser-plugin-freshplayer-pepperflash (the NPAPI/PPAPI wrapper) comes from Debian and has no Ubuntu maintainer, only the MOTU guys who are overworked already.

So any change that we would like to see made to it will only be made in Debian, and with Debian in mind, and land in the development release of Ubuntu, not in the already-released releases, unless a MOTU takes specific action.

This is why, for instance, browser-plugin-freshplayer-pepperflash will keep recommending pepperflashplugin-nonfree, the sole packaged source of PPAPI Flash plugin for Debian users, whereas we Ubuntu users would rather see browser-plugin-freshplayer-pepperflash recommend adobe-flashplugin instead (Stéphane, comment 4).

The reproaches made in this thread against browser-plugin-freshplayer-pepperflash have been documented in other bug reports (bug 1544409, bug 1633678). I'm therefore removing this package from the current bug report, because it is about the PPAPI Flash plugin, not the PPAPI/NPAPI wrapper.

Those reproaches are (Stéphane, Niklas):

* should recommend adobe-flashplugin instead of pepperflashplugin-nonfree

* should install the wrapper as a higher-priority alternative to the NPAPI plugin installed by adobe-flashplugin (/usr/lib/mozilla/plugins/flashplugin-alternative.so -> /etc/alternatives/mozilla-flashplugin -> /usr/lib/adobe-flashplugin/libflashplayer.so) instead of as a separate plugin (/usr/lib/mozilla/plugins/flash-mozilla.so -> /etc/alternatives/flash-mozilla.so -> /usr/lib/browser-plugin-freshplayer-pepperflash/libfreshwrapper-flashplayer.so), so that only the wrapped PPAPI plugin shows up in Firefox, not the NPAPI plugin too

It is worth mentioning here that Andrei Alin's version of browser-plugin-freshplayer-pepperflash (>= 0.3.6-1), in ppa:nilarimogard/webupd8, available for Trusty to Yakkety, takes these reproaches into account and implement our requested changes, contrary to Debian's version of browser-plugin-freshplayer-pepperflash. Thanks Andrei!

I suggest using Andrei Alin's version over Debian's version, not only because it closely follows upstream versions, but also because it is better tailored to Ubuntu users and adobe-flashplugin.

Naël (nathanael-naeri) wrote :

Last remarks about the wrapper: Stéphane:

> in Firefox when I use browser-plugin-freshplayer-pepperflash
> with adobe-flashplugin I see two different versions of the
> Flash plugin and I am not able to force the use of the PPAPI
> version
>
> OK after some more trying it appears that Firefox cannot tell
> the NPAPI and PPAPI plugins apart when both are installed

This is because both look like NPAPI plugins to Firefox (which incidentally does not support PPAPI plugins anyway): the PPAPI plugin installed by adobe-flashplugin is wrapped as a NPAPI plugin by browser-plugin-freshplayer-pepperflash. But you (and Firefox) can still tell the difference from the version numbers.

As mentioned in my previous comment, I suggest using Andrei Alin's version of browser-plugin-freshplayer-pepperflash instead of the one in the Ubuntu repository. It will set up the symlinks so that only the wrapped PPAPI plugin is shown to Firefox, not the NPAPI plugin.

> some websites will start the NPAPI plugin and some other will
> run the PPAPI plugin

Are you sure about that? I've always thought only the higher-version plugin was used by Firefox, so, the wrapped PPAPI plugin. I've never seen Firefox start the lower-version plugin when running Flash content on the web, but I'm not checking every time though.

> Disabling one of the plugins does not work either because the
> setting is applied to both plugins (this is visible after
> reloading the plugin setting menu).

Yes, this is irritating. Again, Andrei Alin's version.

> This makes browser-plugin-freshplayer-pepperflash mostly useless
> and "solves" my both issues, I will just stick to adobe-flashplugin
> and remove browser-plugin-freshplayer-pepperflash and
> pepperflashplugin-nonfree

I don't see how this solves anything, and if you do that, your Firefox will use the deprecated 11.2 NPAPI Flash plugin, because you'll have removed the PPAPI/NPAPI wrapper (browser-plugin-freshplayer-pepperflash).

Now the 11.2 NPAPI plugin is still supported security-wise, so that may be enough for your needs, while waiting for the updated new NPAPI plugin to exit beta.

affects: freshplayerplugin (Ubuntu) → ubuntu
affects: ubuntu → freshplayerplugin (Ubuntu)
Changed in freshplayerplugin (Ubuntu):
assignee: nobody → Nathanaël Naeri (nathanael-naeri)
assignee: Nathanaël Naeri (nathanael-naeri) → nobody
status: Confirmed → Invalid
Gunnar Hjalmarsson (gunnarhj) wrote :

Currently, i.e. as long as version 23+ of the NPAPI plugin is only beta and not officially released by Adobe, we are in limbo. However, Adobe can be expected to release the updated NPAPI soon, and when that happens, all this ought to be significantly easier to deal with. Hence I don't think it's worth too much effort to resolve the issues for this transitional period only.

In Ubuntu the only package needed should be adobe-flashplugin, which will provide updated versions of both NPAPI and PPAPI. pepperflashplugin-nonfree will be redundant, and so will, if I understand it correctly, the browser-plugin-freshplayer-pepperflash package (the "wrapper"). No need to make Firefox use the PPAPI plugin via a wrapper when there is an updated NPAPI.

It should be easier to handle from a Debian POV as well. Possibly - for license reasons - they can't mirror the adobe-flashplugin approach. Debian may need to keep pepperflashplugin-nonfree to download the PPAPI plugin (from Adobe), and they may need to have some other package download the NPAPI plugin. However, the wrapper shouldn't be needed in Debian either going forward.

As regards dependencies in Ubuntu, I don't think it's possible to let a package in universe/multiverse recommend or depend on a package in Canonical Partner, since the latter is not enabled by default.

I wish I could see a way to provide the users a smooth transition from pepperflashplugin-nonfree/browser-plugin-freshplayer-pepperflash to adobe-flashplugin, but I can't.

@Chris: I took the liberty to subscribe you to this bug report, since you maintain adobe-flashplugin.

Stéphane (stephane-treboux) wrote :

First thanks for the (long and) exhaustive comments!

@Nathanaël: My main concern with pepperflashplugin-nonfree was that I was stuck with an impossible to update, outdated Flash plugin. In the past I had a cron job reinstalling the package everyday to make sure that a secure version of Flash plugin was in use; this approach is does not work anymore since the installation fails.

@Gunnar:
The PPAPI plugin has some extra features the NPAPI will not get according to Adobe:
"Because this change is primarily a security initiative, some features (like GPU 3D acceleration and premium video DRM) will not be fully implemented. If you require this functionality, we recommend that you use the PPAPI version of Flash Player." (https://blogs.adobe.com/flashplayer/2016/08/beta-news-flash-player-npapi-for-linux.html)
Still most users should be happy with the NPAPI plugin or no plugin at all.

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2016-10-25 20:59, Stéphane wrote:
> @Gunnar:
> The PPAPI plugin has some extra features the NPAPI will not get
> according to Adobe:
> "Because this change is primarily a security initiative, some
> features (like GPU 3D acceleration and premium video DRM) will not be
> fully implemented. If you require this functionality, we recommend
> that you use the PPAPI version of Flash Player."

Thanks for pointing that out. (I for one had missed it.)

Are those extra features preserved when connecting the PPAPI to e.g. Firefox via the "wrapper"? If they are, it will be in the interest of some users to keep maintaining browser-plugin-freshplayer-pepperflash, after all.

Gunnar Hjalmarsson (gunnarhj) wrote :

I'm working with bug #1633678, and have uploaded some changes to a PPA:

https://launchpad.net/~gunnarhj/+archive/ubuntu/freshplayerplugin

I have some doubts described in comment #3 of bug #1633678.

Would appreciate if some people could test and give feedback before I ask for sponsorship.

no longer affects: freshplayerplugin (Ubuntu)
Changed in pepperflashplugin-nonfree (Ubuntu):
importance: Undecided → High
Changed in pepperflashplugin-nonfree (Debian):
status: Unknown → New
Naël (nathanael-naeri) wrote :

Gunnar:
>
> As regards dependencies in Ubuntu, I don't think it's
> possible to let a package in universe/multiverse
> recommend or depend on a package in Canonical Partner,
> since the latter is not enabled by default.

I thought so too, but now I'm not sure it's that much of a problem, as long as a fallback is in place. Take ubuntu-restricted-addons for instance, which is installed with a new copy of Ubuntu when the option about non-free software is selected: it recommends adobe-flashplugin | flashplugin-installer for i386 architectures (and, weirdly enough, only flashplugin-installer for amd64 architectures) (flashplugin-installer is the one that only installs the NPAPI plugin, adobe-flashplugin is the one in partner with NPAPI and PPAPI).

http://packages.ubuntu.com/xenial/ubuntu-restricted-addons

Stéphane:
>
> In the past I had a cron job reinstalling the package
> everyday to make sure that a secure version of Flash
> plugin was in use; this approach is does not work
> anymore since the installation fails.

This nice approach is also implemented in Jonathon Fernyhough's version of pepperflashplugin-nonfree. His version also downloads the plugin from Adobe instead of Chrome, so it should have survived Google's unbundling's decision. (I haven't tested it though, I use adobe-flashplugin.)

https://launchpad.net/~jonathonf/+archive/ubuntu/pepperflashplugin-nonfree

Gunnar:

I agree that the PPAPI/NPAPI wrapper shouldn't be retired given that a few features present in the existing PPAPI version won't be fully implemented in the future NPAPI version. Besides, Adobe could change their mind again regarding NPAPI support.

> Are those extra features preserved when connecting the PPAPI
> to e.g. Firefox via the "wrapper"? If they are, it will be
> in the interest of some users to keep maintaining
> browser-plugin-freshplayer-pepperflash, after all.

Yes I'm pretty sure they are preserved by the PPAPI-to-NPAPI translation process: the wrapper's configuration file has a "enable_3d = 1" option that probably refers to the support of GPU 3D acceleration, and its Known Issues page mentions how DRM support is only provided by Chrome OS's PPAPI plugin, not by the desktop PPAPI plugins.

https://github.com/i-rinat/freshplayerplugin/blob/master/data/freshwrapper.conf.example
https://github.com/i-rinat/freshplayerplugin/blob/master/doc/known-issues.md#drm-doesnt-work

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2016-10-28 23:01, Nathanaël Naeri wrote:
> Gunnar:
>> As regards dependencies in Ubuntu, I don't think it's possible to
>> let a package in universe/multiverse recommend or depend on a
>> package in Canonical Partner, since the latter is not enabled by
>> default.
>
> I thought so too, but now I'm not sure it's that much of a problem,
> as long as a fallback is in place.

Well, when working with bug #1633678 I tested it and changed my mind. The proposal there does not include a fallback, and the package system seems to handle it fine.

Btw, Your remark about the recommends of ubuntu-restricted-addons was interesting considering a post I made to the ubuntu-devel mailing list earlier today:

https://lists.ubuntu.com/archives/ubuntu-devel/2016-October/039529.html

(I posted a correction afterwards, so if you read that message, please read the whole thread.)

Naël (nathanael-naeri) wrote :

I read the ubuntu-devel thread and agree with everything you said. Thanks for trying to solve that issue at installation level.

As a side note about that thread: AFAIK, flashplugin-installer (NPAPI 11.2, src:flashplugin-nonfree) comes from Debian too, just like pepperflashplugin-nonfree (PPAPI, src:pepperflashplugin-nonfree), and they have the same Debian maintainer (Bart Martens), and the same update mechanism on Debian (sudo update-update-[pepper]flashplugin-nonfree --install).

https://wiki.debian.org/FlashPlayer
https://wiki.debian.org/PepperFlashPlayer

So that's all the more surprising that the first one has been heavily modified for Ubuntu (plugin actually downloaded from partner behind the scene, and package version bumped with Flash updates) while the second one hasn't (only small details if I understand the changelog correctly).

In case that helps now or in the future: I have some notes about Flash plugins and wrapper that I read and update everytime I have to setup a new computer (which happens quite frequently). Without this memo I'd be lost in the maze of similarly-named Flash packages:

https://gist.github.com/nathanael-naeri/0ba3d8aba09743221d76142e896ab2c0

Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks for sharing that memo, Nathanaël. Indeed a useful road map to get a grasp of the current confusing state of Flash related packages. Hopefully we will succeed in simplifying it a bit.

Gunnar Hjalmarsson (gunnarhj) wrote :

I just noticed what Daniel did with the pepperflash PPA he provided previously.

https://launchpad.net/~skunk/+archive/ubuntu/pepper-flash

As regards the pepperflashplugin-nonfree package in the Ubuntu archive, is it time to propose that it's dropped from the archive in yakkety?

Naël (nathanael-naeri) wrote :

Yes, I contacted Daniel a few weeks ago to let him know about the Chrome/Flash unbundling and suggest he downloads from Adobe or retires his PPA. Since there is now a variety of ways to get the NPAPI/PPAPI Flash plugin, he decided to retire his PPA, and I updated my Flash memo to stop mentioning it. I remember there used to be a time around Ubuntu Precise where his pepflashplugin-nonfree was the sole packaged way to install the PPAPI plugin for other browsers than Chrome. Let him be thanked for this pioneer work.

Regarding the pepperflashplugin-nonfree package in the Ubuntu archive, I am in favor of proposing to drop it from the archive in zesty (I believe you mean zesty). As it stands now, this package will stay broken until the original Debian maintainer fixes it, and there hasn't been a sign on debbugs 833741 and 841373 that this will happen soon. And even if it does, this package offers no advantage over the adobe-flashplugin package in partner, besides being in multiverse rather than in partner. Unless that last point is crucial, I vote for proposing to drop the package.

BTW, was there ever a consensus in favor or against enabling partner at install time, when you contacted the ubuntu-devel list?

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2016-12-06 03:37, Nathanaël Naeri wrote:
> Regarding the pepperflashplugin-nonfree package in the Ubuntu
> archive, I am in favor of proposing to drop it from the archive in
> zesty (I believe you mean zesty).

Yes. Thanks for pointing it out.

> BTW, was there ever a consensus in favor or against enabling partner
> at install time, when you contacted the ubuntu-devel list?

No. Because of my mistake in the first message, there was a side discussion, but nobody commented on the actual proposal. I think I'll ask Chris Coulson (who currently maintains both adobe-flashplugin and flashplugin-installer) in a private mail. Will ask for his view on pepperflashplugin-nonfree as well, to confirm that our assumption, that adobe-flashplugin will keep being maintained, is correct.

Changed in pepperflashplugin-nonfree (Debian):
status: New → Fix Released
Naël (nathanael-naeri) wrote :

This bug has been fixed in pepperflashplugin-nonfree 1.8.3+nmu1 in Debian on 2017-01-14, and the fix landed in 1.8.3+nmu1ubuntu1 in Ubuntu Zesty (the current development release) on 2017-01-22. The PPAPI Flash plugin is now downloaded from Adobe rather than Google. One still has to run the provided update-pepperflashplugin-nonfree to update it from time to time.

I'm marking the bug as Fix Released (in the development release).

The package is still broken in the published releases: Trusty, Xenial, Yakkety. Is it worth requesting Stable Release Updates? It would qualify, since the bug comes from a web service change that makes the package stop working, and exposes the user to Flash vulnerabilities.

I also still believe, like I said in comment 32, that this package offers no advantage over adobe-flashplugin, besides being in multiverse rather than in partner. Unless that last point is important (independence from Adobe/Canonical, perhaps?), dropping the package from Zesty seems more appropriate to me. If this has to be done before FeatureFreeze, there's only a couple days left. Gunnar, do you have the authority to do that? Also, did you get feedback from Chris Coulson?

Changed in pepperflashplugin-nonfree (Ubuntu):
status: Confirmed → Fix Released
Viktor Engelmann (viengelm) wrote :

In Qt WebEngine, we have added "/usr/lib/adobe-flashplugin/libpepflashplayer.so" to the locations where it looks for the plugin, so it is now also found when one installs the package "adobe-flashplugin".

Blaze (blaze) wrote :

Experience with the Adobe flashplugin is somewhat worse than with the native Google solution. For example it's not possible to make a flash video go fullscreen, at least in QtWebengine. Also hardware acceleration works better with Pepper plugin. Therefore it's not a complete replacement.

Stéphane (stephane-treboux) wrote :

Hello Blaze,
What do you mean with "hardware acceleration works better with Pepper plugin"? adobe-flashplugin does install the Pepper Flash plugin alongside the NPAPI plugin. Did you check that your browser / application uses the correct version of the Flash plugin (Pepper and not NPAPI)?

Blaze (blaze) wrote :

Pepper Flash Player is maintained by Google. Adobe Flash plugin is provided by Adobe both the PPAPI and NPAPI versions. Don't you see the difference?

Naël (nathanael-naeri) wrote :

@Viktor:

Awesome! You may want to follow the following file in the future:

https://github.com/i-rinat/freshplayerplugin/blob/master/src/config_pepperflash.c

The developer of this application (a PPAPI-to-NPAPI wrapper) does a good job of keeping up with the possible locations of the PPAPI Flash plugin.

@Blaze:

You seem to be a little mixed up, "Pepper Flash Player" *is* the PPAPI Adobe Flash plugin, and it is no longer provided by Google alone as part of Chrome, but available for download from Adobe's web site, along with the NPAPI Adobe Flash plugin. Both plugins are maintained by Adobe for respectively PPAPI-compatible browsers (e.g. Chrome) and NPAPI-compatible browsers (e.g. Firefox).

Also, the PPAPI and NPAPI versions are not exactly the same, especially regarding hardware acceleration and DRM support: http://blogs.adobe.com/flashplayer/2016/08/beta-news-flash-player-npapi-for-linux.html. This is intentional on Adobe's part. So the difference in your experience between the two plugins most certainly comes from this.

Gunnar Hjalmarsson (gunnarhj) wrote :

@Nathanaël: No, I don't have access to remove any packages. A request will have to be filed. Possibly too late for zesty.

Haven't talked with Chris yet. Just tried to ping him on IRC:

https://irclogs.ubuntu.com/2017/02/14/%23ubuntu-devel.html#t12:06

Assuming that he doesn't have any other thoughts, neither I see any reason to keep maintaining pepperflashplugin-nonfree in Ubuntu.

On 2017-02-14 03:26, Nathanaël Naeri (Naël) wrote:
> One still has to run the provided update-pepperflashplugin-nonfree to
> update it from time to time.

Right, and that's a not unimportant disadvantage with pepperflashplugin-nonfree compared to adobe-flashplugin.

Gunnar Hjalmarsson (gunnarhj) wrote :

@Blaze: Assuming that you use Firefox, and with adobe-flashplugin installed, you can install the browser-plugin-freshplayer-pepperflash package to make Firefox actually use the PPAPI plugin.

Naël (nathanael-naeri) on 2017-02-14
description: updated
Naël (nathanael-naeri) wrote :

@Gunnar: Yes, probably too late for Zesty. Besides, we should probably leave the package in Zesty for now, if it is to be backported to the previous releases via SRUs. We'll make the request later.

I have updated the bug's description according to the guidelines in https://wiki.ubuntu.com/StableReleaseUpdates, but I can't go further for lack of administrative rights and technical knowledge (we're supposed to prepare... a debdiff? I don't know what that is).

Since you're in the Bug Control Team, can you nominate this bug to Yakkety, Xenial, Trusty? Be it only for marking it as Won't Fix in these releases (see bottom of the updated bug description).

Gunnar Hjalmarsson (gunnarhj) wrote :

Nominated and approved (the latter via a workaround...)

On 2017-02-14 21:40, Naël wrote:
> @Gunnar: Yes, probably too late for Zesty. Besides, we should
> probably leave the package in Zesty for now, if it is to be
> backported to the previous releases via SRUs. We'll make the request
> later.

+1

no longer affects: ubuntu-docs (Ubuntu Yakkety)
no longer affects: ubuntu-docs (Ubuntu Xenial)
no longer affects: ubuntu-docs (Ubuntu Trusty)
no longer affects: ubuntu-docs (Ubuntu)
Amr Ibrahim (amribrahim1987) wrote :

Just a hint to be in the picture, flashplugin-installer (from multiverse) downloads and installs adobe-flashplugin (from Canonical partner archive). I guess that means they are the same.

Gunnar Hjalmarsson (gunnarhj) wrote :

On 2017-02-16 08:39, Amr Ibrahim wrote:
> Just a hint to be in the picture, flashplugin-installer (from
> multiverse) downloads and installs adobe-flashplugin (from Canonical
> partner archive). I guess that means they are the same.

It does, but they aren't the same. flashplugin-installer only keeps the NPAPI plugin (for Firefox and friends), while adobe-flashplugin installs both the NPAPI and PPAPI plugins.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pepperflashplugin-nonfree (Ubuntu Trusty):
status: New → Confirmed
Changed in pepperflashplugin-nonfree (Ubuntu Xenial):
status: New → Confirmed
Changed in pepperflashplugin-nonfree (Ubuntu Yakkety):
status: New → Confirmed
Bhavani Shankar (bhavi) wrote :

I'll have a look and prepare an upload to Yakketty and Xenial soon (until someone beats me to it)

Changed in pepperflashplugin-nonfree (Ubuntu Xenial):
status: Confirmed → In Progress
assignee: nobody → Bhavani Shankar (bhavi)
Changed in pepperflashplugin-nonfree (Ubuntu Yakkety):
status: Confirmed → In Progress
assignee: nobody → Bhavani Shankar (bhavi)
Bhavani Shankar (bhavi) wrote :

Uploaded SRU to yakkety-proposed. Waiting for approval.

@ ubuntu-sru team: Kindly request you to approve the same.

Thanks!

Bhavani Shankar (bhavi) wrote :

Uploaded SRU to xenial-proposed. Waiting for approval.

@ Nathanaël: Do you want me to upload the fix to trusty too, considering the comments above about adobe-flashplugin and pepperflashplugin-nonfree atleast until next cycle? (for rm request processing maybe?)

Naël (nathanael-naeri) wrote :

@Bhavani: thanks a lot! If it's easily doable to SRU in Trusty, why not? That would unbreak the package for the rest of Trusty's life. But Trusty's version of the package is 1.3 vs. Xenial/Yakkety/Zesty's 1.8.x, so the difference in versions may make it more difficult to SRU in Trusty. In which case, don't bother, this can be a Won't Fix.

In any case, since there is adobe-flashplugin, we'll request removal of this package in Zesty+1, to prevent problems in future releases.

Bhavani Shankar (bhavi) wrote :

Ok.. Thanks! Assigning the trusty SRU to myself now.

Changed in pepperflashplugin-nonfree (Ubuntu Trusty):
status: Confirmed → In Progress
assignee: nobody → Bhavani Shankar (bhavi)
Bhavani Shankar (bhavi) wrote :

Uploaded SRU to trusty-proposed. Waiting for approval.

@ Nathanaël: The package should be in for Yakkety/Xenial/Trusty proposed repos once accepted.

Bhavani Shankar (bhavi) wrote :

Setting bug priority as high due to package being unusable on stable versions

Changed in pepperflashplugin-nonfree (Ubuntu Trusty):
importance: Undecided → High
Changed in pepperflashplugin-nonfree (Ubuntu Xenial):
importance: Undecided → High
Changed in pepperflashplugin-nonfree (Ubuntu Yakkety):
importance: Undecided → High

Hello Stéphane, or anyone else affected,

Accepted pepperflashplugin-nonfree into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pepperflashplugin-nonfree/1.8.2+nmu1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in pepperflashplugin-nonfree (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in pepperflashplugin-nonfree (Ubuntu Xenial):
status: In Progress → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Stéphane, or anyone else affected,

Accepted pepperflashplugin-nonfree into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pepperflashplugin-nonfree/1.8.2ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in pepperflashplugin-nonfree (Ubuntu Trusty):
status: In Progress → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Stéphane, or anyone else affected,

Accepted pepperflashplugin-nonfree into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pepperflashplugin-nonfree/1.3ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Naël (nathanael-naeri) wrote :

Verified for 1.3ubuntu1.1 on Trusty.

The package installs successfully, downloads a .tar.gz PPAPI Flash Player Plugin archive from an Adobe URL, and installs the contained libpepflashplayer.so into /usr/lib/pepperflashplugin-nonfree/.

tags: added: verification-done-trusty
Gunnar Hjalmarsson (gunnarhj) wrote :

I successfully installed pepperflashplugin-nonfree
- version 1.8.2ubuntu1.1 from xenial-proposed
- version 1.8.2+nmu1ubuntu1.1 from yakkety-proposed

tags: added: verification-done-xenial verification-done-yakkety
removed: verification-needed
Bhavani Shankar (bhavi) wrote :

Thanks Nathanael and Gunnar.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pepperflashplugin-nonfree - 1.8.2+nmu1ubuntu1.1

---------------
pepperflashplugin-nonfree (1.8.2+nmu1ubuntu1.1) yakkety-proposed; urgency=medium

  * Update to use adobe upstream rather than google (LP: #1632870)
  * Add alternate dependency on gnupg1 as gnupg is no longer available
    in yakkety.

 -- Bhavani Shankar <email address hidden> Fri, 24 Feb 2017 18:34:02 +0530

Changed in pepperflashplugin-nonfree (Ubuntu Yakkety):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for pepperflashplugin-nonfree has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pepperflashplugin-nonfree - 1.8.2ubuntu1.1

---------------
pepperflashplugin-nonfree (1.8.2ubuntu1.1) xenial-proposed; urgency=medium

  * Update to use adobe upstream rather than google (LP: #1632870).

 -- Bhavani Shankar <email address hidden> Fri, 24 Feb 2017 19:29:38 +0530

Changed in pepperflashplugin-nonfree (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pepperflashplugin-nonfree - 1.3ubuntu1.1

---------------
pepperflashplugin-nonfree (1.3ubuntu1.1) trusty-proposed; urgency=medium

  * Update to use adobe upstream rather than google (LP: #1632870)

 -- Bhavani Shankar <email address hidden> Sat, 25 Feb 2017 08:18:13 +0530

Changed in pepperflashplugin-nonfree (Ubuntu Trusty):
status: Fix Committed → Fix Released
Naël (nathanael-naeri) wrote :

Bug fixed in all supported releases. Thanks Bhavani!

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.