On Thu, 2012-12-13 at 19:55 -0500, Michael Gilbert wrote:
> On Wed, Dec 12, 2012 at 11:41 PM, Jason Fergus wrote:
> > On Wed, 2012-12-12 at 17:26 -0500, Michael Gilbert wrote:
> >> On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote:
> >> > What is Debian policy on code execution from user websites?
> >>
> >> Unfortunately there is none. I've tried to gain consensus that at a
> >> minimum things downloaders like this need to stay out of main, but
> >> that thought hasn't really gained traction.
> >>
> >> The real answer is that this package is in contrib and thus not
> >> security supported at all. Ultimately, for anyone even modestly
> >> security-conscious adobe flash should really be avoided at all costs.
> >> Alternatives include lightspark, gnash, and (most preferably) html5.
> >>
> >> Best wishes,
> >> Mike
> >>
> >
> > I could be wrong on this, but I had always thought that ANY sort of
> > downloader type installer (like the flashplugin-nonfree package) could
> > NOT be in main. For any package to be in main, it has to have source
> > code available as well as DFSG compliant. It's the same reason why
> > quake2-data packages were always in contrib. While the source code for
> > quake2 is GPL, the -data package would grab the pk0.pak files off of the
> > CD to put them in the proper place for global Quake 2 fun. quake2-data
> > was always in contrib. I was going to use qmail as an example, but I am
> > guessing they changed their license recently, because previous to
> > Wheezy, you always had to build it from source (and there was a
> > qmail-src package).
>
> You would think that, but Debian policy has nothing to say. I put a
> lot of energy into it, but things like getweb still remain:
> http://bugs.debian.org/449497
>
> These cases are actually pretty rare, which is the real reason that
> there is no defined policy. Plus people tend to not like repacking
> upstream due to single questionable files.
>
> > Anyhow, I hope that point was made clear. Contrib also does get
> > security updates, but they're not maintained by the security team (if
> > I'm recalling correctly. Sucks getting old). They're simply maintained
> > by the package maintainer.
>
> Well, there's always the option for the maintainer to provide a
> security update an spu, but that is so rare in contrib that I don't
> recall the last time it happened.
>
> Without security team intervention happens in probably 95% of cases
> for security issues, so there's something like a 5% of a fix going
> into contrib. Maintainers tend to lose interest in the stable release
> fairly quickly.
>

Pretty sure I've seen the flashplugin-nonfree updated for Squeeze at some point, but I could be wrong.

> Best wishes,
> Mike

