Time to evaluate the decision of 2007-12-21. First a status overview of the flashplugin-nonfree package.
The package flashplugin-nonfree is currently being maintained in Debian unstable and at backports.org. There are currently three versions being maintained:

- in etch-backports
  . for users of etch=oldstable
  . Adobe Flash Player 9
  . only i386
- in lenny-backports
  . for users of lenny=stable
  . Adobe Flash Player 10
  . i386 and amd64
- in Debian unstable
  . for users of unstable or testing
  . Adobe Flash Player 10
  . i386 and amd64

The versions in lenny-backports and in Debian unstable are currently almost identical, so users of lenny=stable can currently choose which version to install.

Users of flashplugin-nonfree are strongly recommended to use "apt pinning" to prevent accidentally pulling in unwanted packages from backports.org or from unstable.

In previous packages of flashplugin-nonfree the Adobe Flash Player for i386 was installed on amd64. Since Adobe now distributes a 64 bit version of the Adobe Flash Player, the package flashplugin-nonfree uses that 64 bit Adobe Flash Player on amd64.

The package flashplugin-nonfree uses "md5sum" to verify the downloaded .tar.gz file from Adobe. Adobe releases newer versions of the Adobe Flash Player by replacing the .tar.gz file on their download site. To make the newer Player available to the end users asap, the MD5 checksums are maintained outside the flashplugin-nonfree package. Users can simply run "update-flashplugin-nonfree --install" to install the Adobe Flash Player corresponding to the updated MD5 checksums.

Users of flashplugin-nonfree are strongly recommended to follow security advisories at Adobe. Note that security advisories like apsb09-01 may not lead to updated packages of flashplugin-nonfree, since updating the MD5 checksums outside the flashplugin-nonfree package may be sufficient.

http://www.adobe.com/support/security/
http://www.adobe.com/support/security/bulletins/apsb09-01.html

I still think that the decision made on 2007-12-21 documented on bug report 457291 was OK at the time, but I'm not sure whether I would make/join that same decision today.

The flashplugin-nonfree package is meant to make it easier for the end user to install the Adobe Flash Player. But installing from backports.org with "apt pinning" is more difficult than simply from Debian stable. So at least part of the added value of flashplugin-nonfree is lost with the effort spent on getting flashplugin-nonfree installed.

I see that the debian-installer now adds lines in sources.list for security and volatile. So Debian now provides two (quite) fast update paths for stable. I know, flashplugin-nonfree does not fit those paths, but still, Adobe Flash Player is a popular piece of software, so it would be nice to agree on some reasonable compromise.

For example, Adobe has recently published this security advisory:

http://www.adobe.com/support/security/bulletins/apsb09-01.html

Obviously this is not a security advisory on flashplugin-nonfree, but on the Adobe Flash Player itself.

Debian does not officially support security for contrib and non-free, but the infrastructure is there, and packages are being distributed:

http://security.debian.org/pool/updates/

Can security contrib be used for distributing an update of flashplugin-nonfree to encourage users to upgrade their installed Adobe Flash Player? If not, why not?

Adobe may also release a newer Adobe Flash Player for bug fixing or for adding minor features. Can volatile be used for distributing an update of flashplugin-nonfree to encourage users to upgrade their installed Adobe Flash Player? If not, why not?

Obviously, a major update like the update from Flash Player 9 to 10, requiring other/newer libraries, cannot go via security nor via volatile. That's typically for backports, in my opinion.

Thoughts from debian-release, debian-security, and from debian-volatile? Thoughts from users? Replies preferably to 457291-qu...@bugs.debian.org .

Regards,

Bart Martens
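
The checksum scheme from the status overview (an "md5sum" check against a list kept outside the package, while upstream replaces the .tar.gz in place), shown as an added example; it is not part of the original message and not the code of update-flashplugin-nonfree. The function names, the file names and the md5sum-format list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a download against an MD5 list that is maintained
# separately from the package. All names and file contents are constructed.

# expected_md5 LIST NAME: print the checksum recorded for NAME, if any.
# LIST uses md5sum output format ("<hash>  name" or "<hash> *name");
# file names containing spaces are not handled.
expected_md5() {
    awk -v name="$2" '{ n = $2; sub(/^\*/, "", n) }
                      n == name { print $1; exit }' "$1"
}

# verify_tarball TARBALL LIST
# returns 0 = checksum matches, 1 = mismatch, 2 = no entry in LIST
verify_tarball() {
    want=$(expected_md5 "$2" "$(basename "$1")")
    [ -n "$want" ] || return 2
    have=$(md5sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ] || return 1
    return 0
}

# status CMD...: run CMD and print its exit status instead of failing.
status() { "$@" && echo 0 || echo $?; }

# demo: walk through the life cycle described in the message.
demo() {
    dir=$(mktemp -d) || return 1
    f=$dir/player.tar.gz
    sums=$dir/checksums.md5
    printf 'build A\n' > "$f"                      # constructed "download"
    (cd "$dir" && md5sum player.tar.gz) > "$sums"  # list records build A
    a=$(status verify_tarball "$f" "$sums")        # matches: install
    printf 'build B\n' > "$f"                      # upstream replaces the file
    b=$(status verify_tarball "$f" "$sums")        # stale list: refuse
    (cd "$dir" && md5sum player.tar.gz) > "$sums"  # list updated out of band
    c=$(status verify_tarball "$f" "$sums")        # matches again
    d=$(status verify_tarball "$dir/other.tar.gz" "$sums")  # unlisted file
    rm -rf "$dir"
    echo "$a $b $c $d"
}

demo
```

The check is only as trustworthy as the channel that delivers the checksum list, so a list fetched separately from the package has to be authenticated before it is compared against the download.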