[conspire] help with adobe flash I can't watch my "good stuff" videos online/

Rick Moen rick at linuxmafia.com
Sun Dec 30 00:02:37 PST 2007

Quoting roger at rogerchrisman.com (roger at rogerchrisman.com):

> Ken, I think you downloaded and installed
> install_flash_player_9_linux.tar.gz from adobe.com via Firefox's menus
> rather than from your Linux distribution's repositories. That is how I
> did it on my Kubuntu Gutsy Gibbon, too. Those Synaptic and aptitude
> steps are not part of that procedure however, I think. Instead, those
> are part of an alternative procedure whereby you could have installed
> the flashplugin-nonfree package through your Linux distribution's
> package management system.
> To avoid unexpected consequences, you may want to *undo* your
> redundant steps with:
> sudo aptitude remove flashplugin-nonfree
> Use one installation method, not both.

I've been seeing a lot of people on Linux forums, lately, referring to
these as if they were exactly equivalent and equally acceptable
procedures -- and other people, like Daniel in his post in this thread,
reminding people that the Ubuntu flashplugin-nonfree package is
currently broken (which is apparently true, and thus is useful information),
but _then_ going on to say "just download the Adobe tarball and run its
installer" (which may or may not be a good idea).

Please indulge me for a minute, while I detail what's going on, here.

Adobe Software inherited the proprietary Flash (aka "Shockwave Flash")
software copyrights (and probably patents, etc.) when it bought
Macromedia.  Adobe/Macromedia publishes, among other things, a
proprietary, binary-only Flash language interpreter browser plugin and
related installer script for Linux, i386-only.  As is typical for Adobe
offerings generally, even the "free" (no-charge) ones, nobody but Adobe
is allowed to distribute or redistribute that software.  Adobe is among
the most nasty of the major proprietary software houses about copyright
violation, so distros tend to take this matter seriously, and do _not_
provide the Flash interpreter with their distributions.  (Adobe updates
its package occasionally.  The current release is v. 9.)

However, most Linux distributions for x86 have one sort of mechanism or
other to semi-automatically download the Adobe tarball, verify its
contents against corruption or security compromise, and slide its
contents into the running system so that (1) the other software
(including Web browsers) can use its services, and (2) the package
system is aware of its existence / requirements and (among other things)
won't accidentally remove during subsequent package operations anything
the Flash interpreter depends on.

In Ubuntu, the package whose installation causes all of those extra
steps to get performed is "flashplugin-nonfree".  Debian has a similar
package called "flash-nonfree".  Neither _includes_ the actual Adobe 
Flash software; each is an automated installer and integration tool that
retrieves, verifies, installs, and makes an accurate distro-internal
record of that procedure.

So, you folks, being bright people, are probably way ahead of me:  The
problem of just grabbing the Adobe tarball, unpacking it, closing
temporarily all browsers that could need to use the Flash interpreter,
and running its installer routine (with root authority via sudo, no
less!)[1] is:

1.  Are you absolutely sure what you connected to was the real Adobe
site, e.g., that a router or DNS server between you and there didn't 
direct your query to a phony site?

2.  Are you sure that the tarball you downloaded wasn't corrupt?  Are
you sure it isn't a security-compromised variant swapped in by bad guys?

3.  Even if you have confidence in the tarball you downloaded, are you
sure the Adobe installer script (that you then ran with root authority)
put the browser plugin in the right directory?  Did it do so for _all_
of your browsers that can use it?

4.  I hope you're aware that the Ubuntu/Kubuntu/whatever package system
knows nothing about your Flash installation, and that this is A Bad Thing.

How does the maintainer of a package like flashplugin-nonfree address
these problems?  First, he/she gets to know what's supposed to be in the
tarball, and does what he/she can to ensure that it's the real site and 
the real software.  (A more clueful company than Adobe would pgp-sign 
hashes of its software releases, and ensure that the signing key is
verifiable broadly.)  He/she records the md5 or sha1 (or sha256) hash of
the genuine Adobe tarball, for later checking -- and then constructs the
flashplugin-nonfree to verify that hash (checksum) and only then install
and record the plugin Ubuntu-style.

How do _you_ know that the flashplugin-nonfree package's assurances of 
integrity are themselves trustworthy?  Well, every Ubuntu package
maintainer signs his/her work before upload with a pgp key checked
against the developers' keyring.  That goes into official packages that
are signed with keys in the Ubuntu release's own keyring.  And that
keyring was in your distro when you got it -- which was either official
media from a vendor you trust not to be a criminal, or a download whose
signed checksum you verified before burning it, right?  Or at bare
minimum, you got the ISO from a site on which _some_ users check
signatures, or a copy of such an ISO.  (Yes, you generally end up having
to trust some people, but it's a question of whom and to what degree.)

Reportedly, what happened recently was that Adobe -- naturally without
informing anyone (AFAIK) -- recently updated the
install_flash_player_9_linux.tar.gz package's contents to Update 3,
Codename "Moviestar" (aka 9.0 r115), and removed some of the former
contents.  This of course changes the md5 checksum -- so the Ubuntu
package naturally doesn't trust it.  (Among the problems reported with
Adobe's new release is that it breaks on Konqueror.)  

This has required that the Ubuntu developers download and verify the new
Adobe software, and then construct new revisions of the
flashplugin-nonfree package for Gutsy & Hardy in various forms.  A
glance at the bug report
suggests that it's nearly out.  See:
https://launchpad.net/ubuntu/+source/flashplugin-nonfree/ for current
package status on various *buntus.  You're looking for replacement of v.
9.0.48.* with v. 9.0.115.* .

So, people _could_ just wait for the update, unless they're in some
awful hurry.

Which brings me to my broader point:  

It's a bit alarming to see people blithely going out and running binary
software as root that they _hope_ is Adobe's uncorrupted, untrojaned
software from what they _hope_ is Adobe's Web site -- just because some
Web forum or mailing list post told them to -- and not even _thinking_ 
"Er, I don't remember seeing any checks to ensure that this is
uncorrupted and untrojaned."

You _probably_ will not get bitten by just downloading
install_flash_player_9_linux.tar.gz and whistling in the dark -- but it's
a really, really bad habit, to just go outside your distro's package
system and not even _think_ about the fact that you're running
significant risk of shooting your system in the foot -- nay, in the
heart -- using root authority.  Really.  Bad.  Idea.

[1] Note that it's not this simple, if you're seeking to run Adobe's
interpreter on x86_64 distros, which requires nspluginwrapper.  See:

Cheers,                                     Ceci n'est pas une pipe:   |
Rick Moen
rick at linuxmafia.com 
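The verify-then-install step that the post describes a wrapper package such as flashplugin-nonfree performing, shown as an added example. This is not code from the original message nor from the Ubuntu or Debian packages; the tarball contents, file names and hashes are placeholders constructed in memory so it runs offline, and the "refreshed" tarball stands in for a vendor silently replacing the download. The recorded hash plays the role of the checksum the package maintainer captured from the release they verified; the traversal check stands in for the maintainer's control over where the plugin actually lands.

```python
"""
Added example (not from the original post): the integrity gate a packaging
wrapper puts in front of a vendor tarball it does not itself ship.  The
wrapper carries the hash of the release it was built against; a download
with any other hash is refused before anything is unpacked or run, which is
exactly why a silent upstream refresh breaks the package until a maintainer
re-verifies the new release and records its hash.

All inputs are constructed placeholders, not Adobe's or Ubuntu's real values.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Placeholder contents of the vendor release the wrapper was built against.
VENDOR_RELEASE = {
    "install_flash_player_9_linux/libflashplayer.so": b"\x7fELF placeholder plugin 9.0.48",
    "install_flash_player_9_linux/flashplayer-installer": b"#!/bin/sh\necho placeholder\n",
}
# The same download after a silent upstream refresh: new bytes, one file gone.
VENDOR_RELEASE_REFRESHED = {
    "install_flash_player_9_linux/libflashplayer.so": b"\x7fELF placeholder plugin 9.0.115",
}


class IntegrityError(Exception):
    """Raised when the download or its contents cannot be trusted."""


def build_tarball(members: dict[str, bytes]) -> bytes:
    """Build a gzip-compressed tarball in memory from {path: contents}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_tarball(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the download's hash with the recorded one."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256)


def safe_members(tar: tarfile.TarFile):
    """Yield only regular files whose paths stay inside the destination."""
    for member in tar.getmembers():
        parts = member.name.split("/")
        if member.name.startswith("/") or ".." in parts or not member.isfile():
            raise IntegrityError(f"unsafe tar member: {member.name}")
        yield member


def install_plugin(data: bytes, expected_sha256: str, dest: str) -> list[str]:
    """Refuse unless the hash matches; then copy files under dest, never elsewhere."""
    if not verify_tarball(data, expected_sha256):
        raise IntegrityError("checksum mismatch: refusing to unpack or run anything")
    installed = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in safe_members(tar):
            target = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            installed.append(member.name)
    return sorted(installed)


def demo() -> dict:
    """Run the gate against the known release, a refreshed one, and a hostile one."""
    dest = tempfile.mkdtemp(prefix="flash-demo-")
    original = build_tarball(VENDOR_RELEASE)
    recorded = sha256_hex(original)  # what the wrapper package would ship
    results = {"original": install_plugin(original, recorded, dest)}

    refreshed = build_tarball(VENDOR_RELEASE_REFRESHED)
    try:
        install_plugin(refreshed, recorded, dest)
        results["refreshed"] = "installed"
    except IntegrityError as err:
        results["refreshed"] = str(err)

    # Hash matches (the attacker-supplied hash was "recorded" too), but the
    # member path would escape dest: the content check still stops it.
    hostile = build_tarball({"../outside": b"x"})
    try:
        install_plugin(hostile, sha256_hex(hostile), dest)
        results["hostile"] = "installed"
    except IntegrityError as err:
        results["hostile"] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Two things the example makes concrete: the hash check is a comparison against a value the maintainer fixed at packaging time, so a "bad" hash is indistinguishable from a vendor update until a human re-verifies the release; and the path check is what lets the wrapper answer the post's question 3, since it, not the vendor's installer, decides where files go.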
