Comment 238 for bug 173890

The problem is the nature of the link between the package and the real code that it downloads from Adobe.

Adobe maintains the URL to point to the current code, which is what we want (as noted, they *could* maintain links to security fixed older versions, but it is likely that they will maintain only a single release with both fixes and enhancements).

The content available from Adobe is going to change. Either Ubuntu has to be timely in getting updated packages with an updated MD5SUM, to detect file corruption from the transfer, whenever Adobe updates the download, or change the approach. Some options that come to mind: (a) skip the MD5SUM check, (b) download the MD5SUM from Adobe, or (c) work with Adobe on a signed download. One would still want to push out a new package when Adobe revs Flash to cause users to refetch from the URL (and to handle any dependency updates), but the package should otherwise be less dependent on the download from Adobe, since it would no longer have an embedded checksum.