The problem for flashplugin-nonfree is verifying the tarball that is downloaded. Adobe isn't making this easy since they don't provide any form of conventional signature (PGP). Thus Bart Martens had been doing the rather unenviable job of having to approve Flash Player somehow. The approach had been from signatures downloaded from people.debian.org.
Problem is this only works as long as Bart Martens is able to check and sign the releases promptly. This is now breaking down since Bart Martens is either having difficulty verifying the current release, is unavailable (I hope Bart hasn't met an unfortunate end!), or is otherwise indisposed.
The only thing approximating an alternative I'm aware of is the one that has been pointed out earlier on this bug (#814316). Adobe now has HTTPS available on the webserver where Flash Player gets downloaded from. Problem is SSL/TLS isn't really meant as a strong verifier for the source of downloads and I doubt they're using sufficiently long keys to provide good verification anyway.
Net result, we've got a bunch of Truly Bad(tm) "alternatives" that are all horrendously insecure. I suppose HTML5 may provide something that is less Bad(tm), but that merely means different forms of Bad(tm).
Thank you Bart Martens for your long, reasonably sane handling of this stupidly insecure insanity, I hope you merely needed a break and haven't met your end. Now we need to do something about this Bad(tm) situation that isn't absolutely horrible.
Looks like we've currently got eight bugs that duplicate #814316 (820583, 820975, 820993, 824367, 826301, 826369, 826618, 826777) and I'm suspecting there will be more new bugs before this is solved. :-(
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\BS ( | [email protected] PGP 87145445 | ) /
\_CS\ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445

