[sf-lug] flash 9 on Gutsy ubuntu 32 bit

Rick Moen rick at linuxmafia.com
Sun Dec 23 02:26:01 PST 2007

Quoting Christian Einfeldt (einfeldt at gmail.com):

> k, I will try this on the next install.  But please see this link for
> details as to the troubles associated with using Synaptic to install:
> http://ubuntuforums.org/showthread.php?p=4000022&posted=1#post4000022

According to your installation transcript, the problem is not really
with Synaptic.  Synaptic merely attempted to verify that the md5sum
of the install_flash_player_9_linux.tar.gz matches what package
flashplugin-nonfree_9. said it should
be, e.g. that it was downloaded uncorrupted, hasn't been trojaned, and
so on.  For reasons not clear from what you posted, the downloaded
file's calculated md5sum didn't match.

The means either that your download was corrupted, or Adobe has changed
the contents of install_flash_player_9_linux.tar.gz without changing the
filename (which would be a really dumb thing for them to do) -- or, as
an extreme longshot, that the maintainer of package flashplugin-nonfree
screwed up and go the checksum wrong.

> The bottom line is that I was able to install Flash 9, but through a
> slightly more circuitous route.

I hope your slightly more circuitous route included checking the
Adobe download's integrity.  The method included in the cited Web forum 
("So I got the latest Flash Player:
http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash . Then I unpacked the .tgz file, and got a folder which has the
libflashplayer.so file in it.") includes _no checking_.  (Do I guess
correctly that it's what you did?)

To reiterate and expand on what I said about a week ago, going outside
your package regime to install software is something you should do only
as an extreme last resort, and then should be very wary and careful.
One of the things package maintainers do for you is verify and attest to 
integrity of package contents.  If you _go outside_ the package system, 
you need to be prepared to do the checking work that they otherwise do
for you, e.g., acquiring the software's signing key, verifying that it's
legitimate, checking the package's cryptographic signing, and checking
file integrity.

If you're not ready to do that yet, then -- really -- you should stick
to official packages.

And, if the official Ubuntu flashplugin-nonfree package doesn't work for
some reason, then you should work with Ubuntu help resources (such as
their mailing lists) to figure out why and fix it, not download
non-packaged software directly and install it with root-user authority
without even checking its signature or md5sum.

Doing the latter puts your machine at risk of installing corrupted
software, or of trojaning your own machine.  You really don't want to do
either of those things, I would think.

More information about the sf-lug mailing list