Bug#457291: flashplugin-nonfree: decision 2007-12-21: keep this package out of stable starting with lenny

2009-03-07 Thread Dusty Wilson [Megagram]
> I can't help but sense a political reason not to
> support flash, just because it's non-free, the
> maintainers of debian WANT it to be broken, almost,
> and certainly don't look hard for a way to give
> their users an easy way to use flash. Just as long
> as the result is that the users blame Adobe, and
> not debian, it's ok - regardless of how much the
> users suffer because of it.

Unfortunately, Adobe is to blame in my opinion.  Of course no one is
forcing them to do anything.  Read my comments below for more
clarification.

> Flashplayer could be supported, technically, in the
> following way:
>
> The flashplugin-nonfree package would keep track
> of the last time it downloaded the flashplayer
> from Adobe. If an update (i.e. for security reasons)
> is needed, then a new flashplugin-nonfree with
> a newer version is released. This would cause
> the package to be updated the usual way. The
> new package would contain the date at which
> Adobe made the latest version available. If that
> date is later than the last time the flashplayer
> was downloaded - it is downloaded again, and
> installed. If necessary, i.e. as sanity check, it
> is easy to obtain the real version from libflashplayer.so:
>
> strings libflashplayer.so | grep '[0-9]\.[0-9] r[0-9]'
> Shockwave Flash 9.0 r48
>
> To make a long story short: TECHNICALLY there is
> no reason to rip flashplugin-nonfree out of stable
> and testing-- it is therefore not very nice towards
> the users of debian and my anger towards Adobe is
> now divided over Adobe AS WELL as debian.

stable is meant to be stable.  Debian has no control or input over
the stability of Adobe's product.  There is no code review of any
kind.  It's not possible to ensure that no new features are being
added to a version, which is a restriction of stable.  Blindly
trusting that Adobe hasn't added features or instability is not a
stable thing to do.

Packages in stable need to have security support, which is not
necessarily easy for Debian to provide for Flash Player.  Unless Adobe
works closely with Debian, I don't see this as being an easy task.  I
feel that this security burden without help from upstream is unfair
and unreasonable.  Maybe allowing Debian to distribute binaries
instead of just a downloader/installer package would help, but from
what I understand, they don't allow distribution of the player in that
way.  (Though I have re-distribution rights for the Flash Player, so I
don't know why Debian can't...)

If Adobe were to release a .deb for it and follow proper Debian
release guidelines, things might be a bit different, but they don't.
They're not required to do so.  But because of this, they can't be
given special treatment by Debian.  There are specific rules that all
packages, even Adobe's Flash Player, must abide by.

As others have mentioned, it's available to the users.  They just need
to know how to get it.  If it's *that* big of a deal for them, they
can always use Ubuntu.  I feel that users that aren't willing to do
this minor amount of work are the types that jump to Ubuntu anyway.
Jumping through hoops to get Flash Player is a pain, but I don't feel
that Adobe has allowed Debian to offer this as an easy install.




2008-01-01 Thread Bart Martens
On Mon, 2007-12-31 at 14:16 +, [EMAIL PROTECTED] wrote:
> Can you please elucidate on why Lenny will not have this package?

Yes:

Most newer versions of the Adobe Flash Player are a combination of new
features and fixes for security bugs.  The Debian Security Team does not
support contrib and non-free.  The Debian Stable Release Managers
Team does not support fast updates in stable.  And volatile is not
meant to bring new features in stable.

It is not acceptable that users of Debian stable use
flashplugin-nonfree to install the Adobe Flash Plugin, and not get
updates for security bugs in the Adobe Flash Plugin within reasonable
time.  And it is not acceptable that new features are thrown in stable
too soon too fast.

The consensus on #debian-release on 2007-12-21 was that
flashplugin-nonfree does not belong in stable.

The decision made on 2007-12-21 is, starting with Lenny, that
flashplugin-nonfree is to be maintained in unstable for users of
unstable and testing, and is to be maintained at backports.org for
users of stable.

> Will there be a free alternative that will work enough?
> (I appreciate that 'enough' is vague)

No idea.  Maybe gnash is an interesting alternative?

> I'd just appreciate knowing what's going on, thanks.

Yes, of course.  I understand that, and your questions are welcome.

 
> I understand this package must be problematic for Debian Stable

Yes.

> because it
> downloads a static package name whose contents change and so this package
> breaks when Adobe's player is updated.

The MD5 checks keep new features out of Debian stable.  That is
intentional.

> Has anyone asked Adobe if they'll give their packages a version-specific
> filename and leave old versions on their server?

Convincing Adobe to use version-specific filenames would enable the
flashplugin-nonfree package in stable to continue to install the old
version of the Adobe Flash Player, so with the security bugs.  That does
not help users of Debian stable to install a secure version of the
Adobe Flash Player.

Regards,

Bart Martens
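
The pinned-checksum gate described in this message (the MD5 check) together with the version sanity check quoted in Dusty Wilson's message, as an added example that is not part of the thread or of the flashplugin-nonfree package. It uses SHA-256 rather than MD5; the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. verify_pinned, embedded_version and install_if_pinned are
# hypothetical names; the sample files below are constructed.

# verify_pinned FILE EXPECTED_SHA256
# Succeeds only when FILE hashes to the pinned value. Any upstream change,
# feature release or security fix alike, fails closed.
verify_pinned() {
    file=$1
    expected=$2
    [ -r "$file" ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# embedded_version FILE
# Prints the version banner inside the binary: the thread's
# `strings ... | grep` sanity check, done with grep -a so binutils is optional.
embedded_version() {
    grep -a -o 'Shockwave Flash [0-9][0-9]*\.[0-9][0-9]* r[0-9][0-9]*' "$1" | head -n 1
}

# install_if_pinned FILE EXPECTED_SHA256
# Stands in for the package's install step; it only reports what it would do.
install_if_pinned() {
    if verify_pinned "$1" "$2"; then
        echo "install: $(embedded_version "$1")"
    else
        echo "refuse: $1 does not match the pinned checksum" >&2
        return 1
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed stand-ins for two upstream builds served under one filename.
    printf '\177ELF\001Shockwave Flash 9.0 r48\001pad' > "$tmp/old.so"
    printf '\177ELF\001Shockwave Flash 9.0 r115\001pad' > "$tmp/new.so"
    pin=$(sha256sum "$tmp/old.so" | cut -d' ' -f1)
    install_if_pinned "$tmp/old.so" "$pin"
    install_if_pinned "$tmp/new.so" "$pin" ||
        echo "upstream file changed: a new package release must carry a new pin"
    rm -rf "$tmp"
}

demo
```

The second call is refused even though the replaced file may be the security fix, which is the trade-off the thread is arguing about: the pin keeps unreviewed changes out, and every upstream update then needs a new package release.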




2007-12-21 Thread Bart Martens
Package: flashplugin-nonfree
Severity: serious



