Debian Bug report logs - #457291
flashplugin-nonfree: decision 2007-12-21: keep this package out of stable starting with lenny
Reported by: Bart Martens <bartm@debian.org>
Date: Fri, 21 Dec 2007 10:21:04 UTC
Severity: normal
Found in version flashplugin-nonfree/9.0.115.0.1
Done: Bart Martens <bartm@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Bart Martens <bartm@debian.org>:
New Bug report received and forwarded.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: flashplugin-nonfree
Severity: serious
[signature.asc (application/pgp-signature, inline)]
Bug marked as found in version 9.0.115.0.1.
Request was from Bart Martens <bartm@knars.be>
to control@bugs.debian.org.
(Fri, 28 Dec 2007 14:09:02 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to petes-bugs@thegoldenear.org:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(full text, mbox, link).
Message #12 received at 457291@bugs.debian.org (full text, mbox, reply):
Under current circumstances at least, losing Adobe Flash Player from a
Debian desktop system is a big deal because of the loss of YouTube
because, as I understand it, the free Flash players don't work with
YouTube.
Can you please elucidate on why Lenny will not have this package?
Will there be a free alternative that will work enough? (I appreciate that
'enough' is vague)
I'd just appreciate knowing what's going on, thanks.
I understand this package must be problematic for Debian Stable because it
downloads a static package name whose contents change and so this package
breaks when Adobe's player is updated.
Has anyone asked Adobe if they'll give their packages a version-specific
filename and leave old versions on their server?
Pete Boyd
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(full text, mbox, link).
Message #17 received at 457291@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
we plan to have flashplugin-nonfree available for debian stable users. Either
via volatile or via backports.org.
regards,
Holger
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to petes-bugs@thegoldenear.org:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(full text, mbox, link).
Message #22 received at 457291@bugs.debian.org (full text, mbox, reply):
Thanks for the information.
What about for Debian Testing users? As far as I understand there isn't an
equivalent in Testing of backports.org or volatile.
Pete Boyd
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Bart Martens <bartm@debian.org>:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #27 received at 457291@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, 2007-12-31 at 14:16 +0000, petes-bugs@thegoldenear.org wrote:
> Can you please elucidate on why Lenny will not have this package?
Yes:
Most newer versions of the Adobe Flash Player are a combination of new
features and fixes for security bugs. The Debian Security Team does not
support "contrib" and "non-free". The Debian Stable Release Managers
Team does not support fast updates in "stable". And "volatile" is not
meant to bring new features in "stable".
It is not acceptable that users of Debian "stable" use
flashplugin-nonfree to install the Adobe Flash Plugin, and not get
updates for security bugs in the Adobe Flash Plugin within reasonable
time. And it is not acceptable that new features are thrown in "stable"
too soon too fast.
The consensus on #debian-release on 2007-12-21 was that
flashplugin-nonfree does not belong in "stable".
The decision made on 2007-12-21 is, starting with Lenny, that
flashplugin-nonfree is to be maintained in "unstable" for users of
"unstable" and "testing", and is to be maintained at "backports.org" for
users of "stable".
> Will there be a free alternative that will work enough?
> (I appreciate that
> 'enough' is vague)
No idea. Maybe "gnash" is an interesting alternative ?
> I'd just appreciate knowing what's going on, thanks.
Yes, of course. I understand that, and your questions are welcome.
>
> I understand this package must be problematic for Debian Stable
Yes.
> because it
> downloads a static package name whose contents change and so this package
> breaks when Adobe's player is updated.
The MD5 checks keep new features out of Debian "stable". That is
intentional.
> Has anyone asked Adobe if they'll give their packages a version-specific
> filename and leave old versions on their server?
Convincing Adobe to use version-specific filenames would enable the
flashplugin-nonfree package in "stable" to continue to install the old
version of the Adobe Flash Player, so with the security bugs. That does
not help users of Debian "stable" to install a secure version of the
Adobe Flash Player.
Regards,
Bart Martens
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Bart Martens <bartm@debian.org>:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #32 received at 457291@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, 2007-12-31 at 16:08 +0100, Holger Levsen wrote:
> Hi,
>
> we plan to have flashplugin-nonfree available for debian stable users. Either
> via volatile or via backports.org.
Not via volatile.
http://lists.debian.org/debian-release/2007/12/msg00179.html
Yes, I intend to maintain a package for Debian stable users at
backports.org.
Regards,
Bart Martens
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Bart Martens <bartm@debian.org>:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #37 received at 457291@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, 2007-12-31 at 16:33 +0000, petes-bugs@thegoldenear.org wrote:
> What about for Debian Testing users? As far as I understand there isn't an
> equivalent in Testing of backports.org or volatile.
I intend to maintain the package in unstable in a way that it is
compatible with testing without delay. So users of Debian testing can
simply install that package.
Regards,
Bart Martens
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Timo Jyrinki <timo.jyrinki@iki.fi>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(full text, mbox, link).
Message #42 received at 457291@bugs.debian.org (full text, mbox, reply):
> Under current circumstances at least, losing Adobe Flash Player from a
> Debian desktop system is a big deal because of the loss of YouTube
> because, as I understand it, the free Flash players don't work with
> YouTube.
Hi. YouTube already works with Gnash the free Flash player, so that in
particular should not be a problem. Many other sites are not yet working,
but Gnash could be possibly defined as working "well enough" in time for
Lenny. At least I'm using it exclusively anyway, and I'm just using
the 0.8.1 version, which lacks development for the last four months. But I
don't find it problematic to skip sites that don't work with Gnash, so I'm
not an average user.
In summary, Gnash works rather well for Flash 7 sites, but quite a large
portion of sites has moved to Flash 8 and 9 which are only a
work-in-progress with regards to Gnash, and most do not work properly.
Time will tell how fast Gnash will progress.
-Timo
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Carlo Wood <carlo@alinoe.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(full text, mbox, link).
Message #47 received at 457291@bugs.debian.org (full text, mbox, reply):
I'm sorry, but it doesn't seem to make much sense
to let the debian users of stable and testing suffer
like this. It's not like Adobe is going to be like
"Oh My God!" and change their ways. They clearly don't
give a damn.
I can't help but sense a political reason not to
support flash, just because it's "non-free", the
maintainers of debian WANT it to be broken, almost,
and certainly don't look hard for a way to give
their users an easy way to use flash. Just as long
as the result is that the users blame Adobe, and
not debian, it's ok - regardless of how much the
users suffer because of it.
Flashplayer could be supported, technically, in the
following way:
The flashplugin-nonfree package would keep track
of the last time it downloaded the flashplayer
from Adobe. If an update (ie for security reasons)
is needed, then a new flashplugin-nonfree with
a newer version is released. This would cause
the package to be updated the usual way. The
new package would contain the date at which
Adobe made the latest version available. If that
date is later than the last time the flashplayer
was downloaded - it is downloaded again, and
installed. If necessary, ie as sanity check, it
is easy to obtain the real version from libflashplayer.so:
  strings libflashplayer.so | grep '[0-9]\.[0-9] r[0-9]'
  Shockwave Flash 9.0 r48
To make a long story short: TECHNICALLY there is
no reason to rip flashplugin-nonfree out of stable
and testing-- it is therefore not very nice towards
the users of debian and my anger towards Adobe is
now divided over Adobe AS WELL as debian.
--
Carlo Wood <carlo@alinoe.com>
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(full text, mbox, link).
Message #52 received at 457291@bugs.debian.org (full text, mbox, reply):
Carlo Wood wrote:
> I'm sorry, but it doesn't seem to make much sense
> to let the debian users of stable and testing suffer
> like this. It's not like Adobe is going to be like
> "Oh My God!" and change their ways. They clearly don't
> give a damn.
That's why we are shipping it in etch-backports as it is not feasible
for us to do a whole point release every time there is a new format and
the below is not working on purpose as there could be major issues with
it when there are license changes or similar...
You can find more information on etch-backports on http://backports.org
Cheers
Luk
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(full text, mbox, link).
Message #57 received at 457291@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Carlo,
one link:
http://wiki.debian.org/DebianEdu/Documentation/Etch/HowTo/Administration#head-136bb7e75e07e8b6463e6b30761ac51776c5c27d
Using backports.org is easy. And supporting this particular piece of nonfree
in Debian stable is not. This is why the maintainer decided to support it
(and our users) in(/via) backports.org.
regards,
Holger
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(full text, mbox, link).
Acknowledgement sent to Raymond Wan <rwan@kuicr.kyoto-u.ac.jp>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(full text, mbox, link).
Message #62 received at 457291@bugs.debian.org (full text, mbox, reply):
Hi Carlo,
Carlo Wood wrote:
> I can't help but sense a political reason not to
> support flash, just because it's "non-free", the
> maintainers of debian WANT it to be broken, almost,
> and certainly don't look hard for a way to give
>
As a Debian user, but someone who isn't related to how Debian is run...I
think you are correct and more importantly, what makes you think that
Debian isn't political? Every time I visit a web site with Iceweasel
and the server pops up an annoying message saying that Firefox is
supported but not my browser, I sense only a part of the overall
politics in Debian. In this case, I blame the server developers, too,
for having such a message (how about if I used lynx?).
Anyway, there is a lot of politics within Debian and it stems from them
drawing a line that forms the basis of what Debian is (i.e., "free").
If they start making exceptions, then that line has no meaning.
Backports is a patch that helps make it easy for many of us. We give up
some things to be able to use Debian (rather than one of the many other
Linux distributions).
Just my 2 cents...
Ray
Information stored:
Bug#457291; Package flashplugin-nonfree.
(Sat, 07 Mar 2009 13:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Bart Martens <bartm@debian.org>:
Extra info received and filed, but not forwarded.
(Sat, 07 Mar 2009 13:12:04 GMT) (full text, mbox, link).
Message #67 received at 457291-quiet@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Time to evaluate the decision of 2007-12-21. First a status overview of
the flashplugin-nonfree package.
The package flashplugin-nonfree is currently being maintained in Debian
unstable and at backports.org.
There are currently three versions being maintained:
- in etch-backports
  . for users of etch=oldstable
  . Adobe Flash Player 9
  . only i386
- in lenny-backports
  . for users of lenny=stable
  . Adobe Flash Player 10
  . i386 and amd64
- in Debian unstable
  . for users of unstable or testing
  . Adobe Flash Player 10
  . i386 and amd64
The versions in lenny-backports and in Debian unstable are currently
almost identical, so users of lenny=stable can currently choose which
version to install.
Users of flashplugin-nonfree are strongly recommended to use "apt
pinning" to prevent accidentally pulling in unwanted packages from
backports.org or from unstable.
In previous packages of flashplugin-nonfree the Adobe Flash Player for
i386 was installed on amd64. Since Adobe now distributes a 64 bit
version of the Adobe Flash Player, the package flashplugin-nonfree uses
that 64 bit Adobe Flash Player on amd64.
The package flashplugin-nonfree uses "md5sum" to verify the
downloaded .tar.gz file from Adobe. Adobe releases newer versions of
the Adobe Flash Player by replacing the .tar.gz file on their download
site. To make the newer Player available to the end users asap, the MD5
checksums are maintained outside the flashplugin-nonfree package. Users
can simply run "update-flashplugin-nonfree --install" to install the
Adobe Flash Player corresponding to the updated MD5 checksums.
Users of flashplugin-nonfree are strongly recommended to follow security
advisories at Adobe. Note that security advisories like apsb09-01 may
not lead to updated packages of flashplugin-nonfree, since updating the
MD5 checksums outside the flashplugin-nonfree package may be sufficient.
http://www.adobe.com/support/security/
http://www.adobe.com/support/security/bulletins/apsb09-01.html
I still think that the decision made on 2007-12-21 documented on bug
report 457291 was OK at the time, but I'm not sure whether I would
make/join that same decision today.
The flashplugin-nonfree package is meant to make it easier for the end
user to install the Adobe Flash Player. But installing from
backports.org with "apt pinning" is more difficult than simply from
Debian stable. So at least part of the added value of
flashplugin-nonfree is lost with the effort spent on getting
flashplugin-nonfree installed.
I see that the debian-installer now adds lines in sources.list for
security and volatile. So Debian now provides two (quite) fast update
paths for stable. I know, flashplugin-nonfree does not fit those paths,
but still, Adobe Flash Player is a popular piece of software, so it
would be nice to agree on some reasonable compromise.
For example, Adobe has recently published this security advisory:
http://www.adobe.com/support/security/bulletins/apsb09-01.html
Obviously this is not a security advisory on flashplugin-nonfree, but on
the Adobe Flash Player itself. Debian does not officially support
security for contrib and non-free, but the infrastructure is there, and
packages are being distributed:
http://security.debian.org/pool/updates/
Can security contrib be used for distributing an update of
flashplugin-nonfree to encourage users to upgrade their installed Adobe
Flash Player ? If not, why not ?
Adobe may also release a newer Adobe Flash Player for bug fixing or for
adding minor features. Can volatile be used for distributing an update
of flashplugin-nonfree to encourage users to upgrade their installed
Adobe Flash Player ? If not, why not ?
Obviously, a major update like the update from Flash Player 9 to 10,
requiring other/newer libraries, cannot go via security nor via
volatile. That's typically for backports, in my opinion.
Thoughts from debian-release, debian-security, and from
debian-volatile ? Thoughts from users ?
Replies preferably to 457291-quiet@bugs.debian.org .
Regards,
Bart Martens
[signature.asc (application/pgp-signature, inline)]
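The checksum arrangement described in message #67 above, as an added example that is not part of the bug log and is not code from flashplugin-nonfree: a downloaded tarball is accepted only if its digest matches a list maintained separately from the installer. The file names (player.tar.gz, checksums.md5), the list layout and all function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not the flashplugin-nonfree implementation.
# md5sum is used because the message above names it; sha256sum is a drop-in
# replacement that uses the same "digest  filename" list layout.
# Assumption: the checksum list arrives over a channel the installer trusts.

# lookup_expected LIST NAME: print the digest recorded for NAME, if any.
lookup_expected() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# verify_download TARBALL LIST
# Returns 0 on match, 1 on mismatch, 2 when the file or list is unreadable
# or the list has no entry for the file (fail closed in every non-zero case).
verify_download() {
    tarball=$1
    list=$2
    [ -r "$tarball" ] && [ -r "$list" ] || return 2
    expected=$(lookup_expected "$list" "$(basename "$tarball")")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# check TARBALL LIST: turn the exit status into a word for reporting.
check() {
    if verify_download "$1" "$2"; then
        echo match
    else
        case $? in
            1) echo mismatch ;;
            *) echo unverifiable ;;
        esac
    fi
}

# demo: constructed sample data only, nothing is downloaded.
demo() {
    dir=$(mktemp -d) || return 1

    # 1. The list is published for the file currently on the download site.
    printf 'constructed player build A\n' > "$dir/player.tar.gz"
    (cd "$dir" && md5sum player.tar.gz) > "$dir/checksums.md5"
    first=$(check "$dir/player.tar.gz" "$dir/checksums.md5")

    # 2. Upstream replaces the file under the same name. The old list no
    #    longer matches, so installation stops until the list is updated.
    printf 'constructed player build B\n' > "$dir/player.tar.gz"
    second=$(check "$dir/player.tar.gz" "$dir/checksums.md5")

    # 3. The externally maintained list is refreshed; the same installer
    #    now accepts the new file without a new package upload.
    (cd "$dir" && md5sum player.tar.gz) > "$dir/checksums.md5"
    third=$(check "$dir/player.tar.gz" "$dir/checksums.md5")

    rm -rf "$dir"
    echo "$first $second $third"
}

demo
```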
Information stored:
Bug#457291; Package flashplugin-nonfree.
(Sat, 07 Mar 2009 13:51:13 GMT) (full text, mbox, link).
Acknowledgement sent
to 457291-quiet@bugs.debian.org:
Extra info received and filed, but not forwarded.
(Sat, 07 Mar 2009 13:51:14 GMT) (full text, mbox, link).
Message #72 received at 457291-quiet@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello debian-release team,
debian-volatile team,
debian-security team,
I have updated bug report 457291 "flashplugin-nonfree: decision
2007-12-21: keep this package out of stable starting with lenny".
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457291
I hereby invite you to evaluate how my newest comments on that bug
report match or conflict with your policies, and to share your thoughts
with me, replies preferably sent to 457291-quiet@bugs.debian.org .
Thanks in advance,
Bart Martens
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(Sat, 07 Mar 2009 16:51:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Dusty Wilson [Megagram]" <dusty@megagram.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(Sat, 07 Mar 2009 16:51:02 GMT) (full text, mbox, link).
Message #77 received at 457291@bugs.debian.org (full text, mbox, reply):
> I can't help but sense a political reason not to
> support flash, just because it's "non-free", the
> maintainers of debian WANT it to be broken, almost,
> and certainly don't look hard for a way to give
> their users an easy way to use flash. Just as long
> as the result is that the users blame Adobe, and
> not debian, it's ok - regardless of how much the
> users suffer because of it.
Unfortunately, Adobe is to blame in my opinion. Of course no one is
forcing them to do anything. Read my comments below for more
clarification.
> Flashplayer could be supported, technically, in the
> following way:
>
> The flashplugin-nonfree package would keep track
> of the last time it downloaded the flashplayer
> from Adobe. If an update (ie for security reasons)
> is needed, then a new flashplugin-nonfree with
> a newer version is released. This would cause
> the package to be updated the usual way. The
> new package would contain the date at which
> Adobe made the latest version available. If that
> date is later than the last time the flashplayer
> was downloaded - it is downloaded again, and
> installed. If necessary, ie as sanity check, it
> is easy to obtain the real version from libflashplayer.so:
>
> strings libflashplayer.so | grep '[0-9]\.[0-9] r[0-9]'
> Shockwave Flash 9.0 r48
>
> To make a long story short: TECHNICALLY there is
> no reason to rip flashplugin-nonfree out of stable
> and testing-- it is therefore not very nice towards
> the users of debian and my anger towards Adobe is
> now divided over Adobe AS WELL as debian.
"stable" is meant to be stable. Debian has no control or input over
the stability of Adobe's product. There is no code review of any
kind. It's not possible to ensure that no new features are being
added to a version, which is a restriction of "stable". Blindly
trusting that Adobe hasn't added features or instability is not a
"stable" thing to do.
Packages in "stable" need to have security support, which is not
necessarily easy for Debian to provide for Flash Player. Unless Adobe
works closely with Debian, I don't see this as being an easy task. I
feel that this security burden without help from upstream is unfair
and unreasonable. Maybe allowing Debian to distribute binaries
instead of just a downloader/installer package would help, but from
what I understand, they don't allow distribution of the player in that
way. (Though I have re-distribution rights for the Flash Player, so I
don't know why Debian can't...)
If Adobe were to release a .deb for it and follow proper Debian
release guidelines, things might be a bit different, but they don't.
They're not required to do so. But because of this, they can't be
given special treatment by Debian. There are specific rules that all
packages, even Adobe's Flash Player, must abide by.
As others have mentioned, it's available to the users. They just need
to know how to get it. If it's *that* big of a deal for them, they
can always use Ubuntu. I feel that users that aren't willing to do
this minor amount of work are the types that jump to Ubuntu anyway.
Jumping through hoops to get Flash Player is a pain, but I don't feel
that Adobe has allowed Debian to offer this as an easy install.
Information forwarded
to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(Fri, 20 Mar 2009 22:54:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(Fri, 20 Mar 2009 22:54:02 GMT) (full text, mbox, link).
Message #82 received at 457291@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
The decision was wrong, because, out of fear of introducing new features
into stable / volatile, it made flashplugin-nonfree too hard to install
via Debian. With the result that many of the users who wanted flash
chose to install it in other ways, which in turn prevents them from
getting security updates for their flash installation.
* Popcon data[2] indicates that 50% of desktop users install flashplugin-nonfree,
but another 15% go to adobe.com and download their adobe-flashplugin deb[3]
directly.
* Popcon can't tell us how many people chose to download a tarball,
or install the plugin in ~/.mozilla/ in some other way. Let's guess
that this is also somewhere around 15%.
* Also, some unknown percentage of people add unstable to sources.list
just long enough to install flashplugin-nonfree from it onto their
stable or testing system, and then remove it. Or download the deb manually
from packages.debian.org. I think this is the obvious thing to do
if you don't know it's in backports and are not thinking ahead and
need the package. I know I've done it, quite a few times.
End result of all of these choices is a system with flash installed but with
no security upgrade path. I wouldn't be too surprised if half of the Debian
stable/testing systems that have flash installed are in such a situation.
That's not good.
There are two ways to look at the flashplugin-nonfree package:
1. It is the package that provides Adobe flash (somehow); if a new version of
flash comes out and has new bugs/features, then that means the package
needs an upgrade, which is not suitable for stable or volatile.
2. It is a package that downloads some binary from adobe.com and allows
users to use it. No guarantees are made about the binary working
or being the same today as it was yesterday. If you have problems
with it, complain to Adobe. All the package is responsible for is
downloading it and helping you keep it up-to-date, especially when
Adobe releases a new version to fix a security hole.
I suggest that the second mindset might be better both for users of Debian
and for your own peace of mind/sanity.
--
see shy jo
[2] name                  inst  vote   old recent no-files (maintainer)
    flashplugin-nonfree   7940  1581  3866   1549      944 (Bart Martens)
    adobe-flashplugin     2300  1852   209    208       31 (Not in sid)
    swfdec-mozilla       15481  8184  2942   4266       89 (Santiago Garcia Mantinan)
[3] Which claims to be for Ubuntu, but will work on Debian, I assume.
BTW, I think that flashplayer-nonfree should conflict with it..
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(Fri, 27 Mar 2009 03:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(Fri, 27 Mar 2009 03:24:05 GMT) (full text, mbox, link).
Message #87 received at 457291@bugs.debian.org (full text, mbox, reply):
On March 20, 2009 06:52:46 pm Joey Hess, you wrote:
> The decision was wrong, because, out of fear of introducing new features
> into stable / volatile, it made flashplugin-nonfree too hard to install
> via Debian.
The fear is not really to introduce new features, but to introduce
regressions.
[...]
>
> * Popcon data[2] indicates that 50% of desktop users install
> flashplugin-nonfree, but another 15% go to adobe.com and download their
> adobe-flashplugin deb[3] directly.
Note that there's also flashplayer-mozilla:
Package: flashplayer-mozilla 2831 347 1116 994
Information stored:
Bug#457291; Package flashplugin-nonfree.
(Fri, 27 Mar 2009 03:45:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
Extra info received and filed, but not forwarded.
(Fri, 27 Mar 2009 03:45:02 GMT) (full text, mbox, link).
Message #92 received at 457291-quiet@bugs.debian.org (full text, mbox, reply):
On March 7, 2009 08:09:06 am Bart Martens, you wrote:
[...]
> For example, Adobe has recently published this security advisory:
> http://www.adobe.com/support/security/bulletins/apsb09-01.html
> Obviously this is not a security advisory on flashplugin-nonfree, but on
> the Adobe Flash Player itself. Debian does not officially support
> security for contrib and non-free, but the infrastructure is there, and
> packages are being distributed:
> http://security.debian.org/pool/updates/
> Can security contrib be used for distributing an update of
> flashplugin-nonfree to encourage users to upgrade their installed Adobe
> Flash Player ?
The security team could be asked, but I think that wouldn't be a problem.
[...]
> Thoughts from users ?
As an ex-Konqueror user, I didn't like to see Flash lose support for
Konqueror. Other stable users must have felt the same way. This is IMO a
strong argument against offering Adobe Flash just like any package.
OTOH, maybe that was an exception which doesn't warrant excluding Flash
forever.
What could be done would be to offer to remove Flash or upgrade it every time
a vulnerability is discovered in the installed version. The known regressions
in the updated version could also be documented. Moreover,
flashplugin-nonfree could warn the user some way (either via the extended
description or when installing) that Adobe Flash may need to be removed at
any time.
It would help to know the frequency of security updates in Adobe Flash.
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#457291; Package flashplugin-nonfree.
(Mon, 13 Apr 2009 09:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Bart Martens <bartm@debian.org>:
Extra info received and forwarded to list.
(Mon, 13 Apr 2009 09:39:03 GMT) (full text, mbox, link).
Message #97 received at 457291@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
severity 457291 normal
stop
Using the feedback so far, I'm lowering the severity of this bug report
so that flashplugin-nonfree can enter testing and later also stable.
I'm not yet closing this bug report, because some aspects are still
being discussed.
[signature.asc (application/pgp-signature, inline)]
Severity set to `normal' from `serious'
Request was from Bart Martens <bartm@debian.org>
to control@bugs.debian.org.
(Mon, 13 Apr 2009 09:39:04 GMT) (full text, mbox, link).
Information stored:
Bug#457291; Package flashplugin-nonfree.
(Wed, 22 Apr 2009 08:30:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Luk Claes <luk@debian.org>:
Extra info received and filed, but not forwarded.
(Wed, 22 Apr 2009 08:30:07 GMT) (full text, mbox, link).
Message #104 received at 457291-quiet@bugs.debian.org (full text, mbox, reply):
Bart Martens wrote:
> Hello debian-release team,
> debian-volatile team,
> debian-security team,
>
> I have updated bug report 457291 "flashplugin-nonfree: decision
> 2007-12-21: keep this package out of stable starting with lenny".
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457291
>
> I hereby invite you to evaluate how my newest comments on that bug
> report match or conflict with your policies, and to share your thoughts
> with me, replies preferably sent to 457291-quiet@bugs.debian.org .
Sorry for not answering sooner.
I want to have a more general solution, so instead of focusing on
flashplugin-nonfree, I'd rather want to have a common policy for stable,
volatile and backports so it would be very clear for everyone how things
are supported and where to find updates.
I've requested a slot at DebConf to discuss this into detail, though
feel free to start a discussion already on debian-devel.
Cheers
Luk
Information forwarded
to debian-bugs-dist@lists.debian.org, Bart Martens <bartm@debian.org>:
Bug#457291; Package flashplugin-nonfree.
(Wed, 22 Apr 2009 22:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Bart Martens <bartm@debian.org>.
(Wed, 22 Apr 2009 22:27:06 GMT) (full text, mbox, link).
Message #109 received at 457291@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I agree with Luk that it would be good to have a clear,
user-communicatable policy for what goes in stable, volatile, and
backports, and how users can use them.
However, despite such a general approach, flashplugin-nonfree is quite a
special case, since it's one of very few installer packages that download
a program from a third party. Also, there's a lot of room for variation
in how such packages work, as we can see in googleearth-package that
handles things in an entirely different way.
I'm glad this bug was downgraded, because at least now a current version
of flashplugin-nonfree is available to testing users with a security
upgrade path.
--
see shy jo
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Bart Martens <bartm@debian.org>:
You have taken responsibility.
(Tue, 04 Aug 2009 10:04:08 GMT) (full text, mbox, link).
Notification sent
to Bart Martens <bartm@debian.org>:
Bug acknowledged by developer.
(Tue, 04 Aug 2009 10:04:12 GMT) (full text, mbox, link).
Message #114 received at 457291-done@bugs.debian.org (full text, mbox, reply):
Using the feedback so far, I'm reverting the decision of 2007-12-21.
Regards,
Bart Martens
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 02 Sep 2009 07:47:23 GMT) (full text, mbox, link).
Last modified: Sun Jun 4 20:37:21 2023