View previous topic :: View next topic |
Author |
Message |
LIsLinuxIsSogood Veteran
Joined: 13 Feb 2016 Posts: 1186
|
Posted: Sun Nov 19, 2017 1:32 am Post subject: Is flash safe to install |
|
|
What is the reason that flash is masked in the gentoo portage tree...ideally, like all packages in the tree it should be safe to use, correct? Are there any security concerns with it, or is there something that I should be careful about in terms of system stability with that? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22819
|
Posted: Sun Nov 19, 2017 1:49 am Post subject: |
|
|
Based solely on the history of Adobe security exploits, I would say that no, Flash is not safe to install, never has been, and very likely never will be. Yes, ideally, all in-tree packages should be safe, but certain exceptions apply in practice. In the case of Flash, despite its numerous security flaws over the years, some sites still insist on using it as an exclusive content distribution mechanism. None of the attempts to make a Free compatible replacement have achieved sufficient feature coverage to match Flash in all practical cases. There are sites that offer their content only in Flash format, only Adobe Flash can adequately render that content, and some users need access to that content. Thus, as a practical matter, Flash is in-tree despite being closed-source and having an infamous security background, because if people will use Flash regardless, it may as well be maintained at the distribution level instead of requiring users to manage it themselves.
It should not adversely impact system stability, since it is only a user process, not a kernel module. Due to its security record, I recommend avoiding Flash if at all possible; if that is not possible, run it only on sites you trust not to serve any malware. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54627 Location: 56N 3W
|
Posted: Sun Nov 19, 2017 10:02 am Post subject: |
|
|
LIsLinuxIsSogood,
What Hu said ++
Start off without Flash and see what you miss. You can add it later. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
havana8 n00b
Joined: 17 Nov 2017 Posts: 16
|
Posted: Fri Nov 24, 2017 2:26 pm Post subject: |
|
|
I don't think there are any security concerns with it, at least I haven't heard anybody complain |
|
Back to top |
|
|
Naib Watchman
Joined: 21 May 2004 Posts: 6069 Location: Removed by Neddy
|
Posted: Fri Nov 24, 2017 2:34 pm Post subject: |
|
|
havana8 wrote: | I don't think there are any security concerns with it, at least I haven't heard anybody complain | wat oO _________________ #define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0; |
|
Back to top |
|
|
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
|
Posted: Fri Nov 24, 2017 3:46 pm Post subject: Re: Is flash safe to install |
|
|
LIsLinuxIsSogood wrote: | What is the reason that flash is masked in the gentoo portage tree...ideally, like all packages in the tree it should be safe to use, correct? Are there any security concerns with it, or is there something that I should be careful about in terms of system stability with that? |
Flash is a big source of issues.
--
Google chrome, opera-beta, firefox-bin. => one of those three can always play any video source on the web.
There is no need to install the buggy flash package.
It's a good habbit to have different browsers for different things. So the browser history is separated, user accounts and such.
edit: AFAIK chrome comes with pepper-flash. no idea on the recent status of that plugin. pepper-flash = the desired flash plugin you asked for. |
|
Back to top |
|
|
LIsLinuxIsSogood Veteran
Joined: 13 Feb 2016 Posts: 1186
|
Posted: Fri Nov 24, 2017 8:15 pm Post subject: |
|
|
I must agree with Naib and Roman_Gruber here, and since this was a question about a minimal desktop installation I ended up going the route of not installing flash. The thing was I wanted to watch some videos online and what I found instead was a way of using a more basic browser (w3m) for associating certain filetypes with 2nd-ary and 3rd,4th, all the way up 9 different alternatives for opening links from the buffer. Hence, with some other basic tools (namely mpv the standard for playing movies in linux) I was able to bypass the need altogether for it.
The reason flash probably sucks is because it like windows it is so regularly used (e.g. Chrome-pepper) that it could be a major target for hacks. That is why on one installation at least of gentoo, which is my minimal installation environment, I am going to opt for without it instead.
However, Roman_Gruber, I don't know that the idea that Opera or Firefox which are browsers that I will use frequently, even Chrome on occasion (I don't like the API for it which is the only reason I stay away)...these browsers don't seem to always have a working flash installed so I'm a bit confused about the point you were making regarding flash and this list of browsers. Was it that these are a list of compatible browsers? Because if that's what you were saying then I think you might need to add in a host of others, including those built for windows like Int Explorer and all the all other browsers that mimic the layout in general. I am still considering how to apply the results of this discussion to the other gentoo installs I have such as my "go to" working and office environment which is my laptop that is really anything but minimal. Currently I have many browsers on that machine, like Roman_Gruber says I think it helps to ensure that various options or settings can be followed, but keeping track of that stuff can be sort of tough, like finding a needle in a haystack... But so far at least the flash-less browsers on this machine have been working fine, so we agree there at least. And if given a risk at all, which clearly there is at least some risk to it, then I would prefer to work around it at all costs. |
|
Back to top |
|
|
LIsLinuxIsSogood Veteran
Joined: 13 Feb 2016 Posts: 1186
|
Posted: Fri Nov 24, 2017 8:18 pm Post subject: |
|
|
Quote: | Google chrome, opera-beta, firefox-bin. => one of those three can always play any video source on the web.
There is no need to install the buggy flash package. |
Put yet another way,
Is that what flash is meant for in every case is just to play videos or is it also for other web related programs like web page navigating similar to some other platform/players like javascript with quicktime on Mac or whatever? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22819
|
Posted: Sat Nov 25, 2017 4:57 am Post subject: |
|
|
havana8 wrote: | I don't think there are any security concerns with it, at least I haven't heard anybody complain | I don't know how you missed the complaints, but I would be very curious to know why you think there are no security problems. There may not be any currently publicly known problems in the latest version (or there might be - I don't track Flash that closely since I don't install it), but Flash as a product line has a long history of nasty security vulnerabilities, and the manner in which Adobe maintains it does not inspire confidence that there are no remaining unpublished vulnerabilities lurking. |
|
Back to top |
|
|
havana8 n00b
Joined: 17 Nov 2017 Posts: 16
|
Posted: Mon Nov 27, 2017 4:33 pm Post subject: |
|
|
Hu wrote: | havana8 wrote: | I don't think there are any security concerns with it, at least I haven't heard anybody complain | I don't know how you missed the complaints, but I would be very curious to know why you think there are no security problems. There may not be any currently publicly known problems in the latest version (or there might be - I don't track Flash that closely since I don't install it), but Flash as a product line has a long history of nasty security vulnerabilities, and the manner in which Adobe maintains it does not inspire confidence that there are no remaining unpublished vulnerabilities lurking. |
I meant that I haven't heard anything recently, I supposed they've fixed the problems. Haven't heard anything from 2015, not that I've been researching tho |
|
Back to top |
|
|
Naib Watchman
Joined: 21 May 2004 Posts: 6069 Location: Removed by Neddy
|
Posted: Mon Nov 27, 2017 4:40 pm Post subject: |
|
|
havana8 wrote: | Hu wrote: | havana8 wrote: | I don't think there are any security concerns with it, at least I haven't heard anybody complain | I don't know how you missed the complaints, but I would be very curious to know why you think there are no security problems. There may not be any currently publicly known problems in the latest version (or there might be - I don't track Flash that closely since I don't install it), but Flash as a product line has a long history of nasty security vulnerabilities, and the manner in which Adobe maintains it does not inspire confidence that there are no remaining unpublished vulnerabilities lurking. |
I meant that I haven't heard anything recently, I supposed they've fixed the problems. Haven't heard anything from 2015, not that I've been researching tho | you need to review what news sources you use for vulnerabilities... MSM is generally NOT a good idea...
The most recent Flash-base security advisment is dated 13th November 2017 14 DAYS ago
https://security.gentoo.org/glsa/201711-13
then the previous dates:
22nd Oct
16th Sept
15th July
12th May
4th Apr
2nd Mar
20th Feb
17th Jan
and then we are into 2016... _________________ #define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0; |
|
Back to top |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Nov 27, 2017 4:43 pm Post subject: |
|
|
I can still remember when Flash came out, it was such a fantastic thing.
Six months later, I was hoping it would someday get stable.
Six months after that, I was hoping it would someday get stable and free of exploits.
Six years after that, (sooner actually, but I started saying six so...) I was hoping it would die out and be replaced by something that could one day be stable and free of exploits. And that websites requiring it would vanish.
That said, almost all that time I've been stuck using it because some aspect of my income insists on having Flash. |
|
Back to top |
|
|
LIsLinuxIsSogood Veteran
Joined: 13 Feb 2016 Posts: 1186
|
Posted: Mon Nov 27, 2017 4:57 pm Post subject: |
|
|
Does anyone know what language Flash is? Maybe skipping the idea of developing it and just working around the issues with patch like code for web designers to embed safer or more reliable access to the content. What 1clue says about the existence of it seeming to be good at first, means there's some reliable component to begin with it. Maybe. Or else did it just fill the void of web video content at that time? either way, there is obviously no sense in denying the multitude of issues in designing things for browsers that are themselves very unsafe on the whole, and worse yet none of those are actually doing what they need to do to make browsing the web more secure. |
|
Back to top |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Nov 27, 2017 5:24 pm Post subject: |
|
|
LIsLinuxIsSogood wrote: | Does anyone know what language Flash is? Maybe skipping the idea of developing it and just working around the issues with patch like code for web designers to embed safer or more reliable access to the content. What 1clue says about the existence of it seeming to be good at first, means there's some reliable component to begin with it. Maybe. Or else did it just fill the void of web video content at that time? either way, there is obviously no sense in denying the multitude of issues in designing things for browsers that are themselves very unsafe on the whole, and worse yet none of those are actually doing what they need to do to make browsing the web more secure. |
Start reading up on html5 features. The implementations of some features are a bit rocky, but the idea is sound and would hopefully avoid any widespread reliance on a single flawed closed-source platform in the near future. |
|
Back to top |
|
|
|