Gentoo Forums
Is flash safe to install
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1186

Posted: Sun Nov 19, 2017 1:32 am    Post subject: Is flash safe to install

What is the reason that Flash is masked in the Gentoo Portage tree... Ideally, like all packages in the tree, it should be safe to use, correct? Are there any security concerns with it, or is there something that I should be careful about in terms of system stability with that?

Hu
Administrator
Joined: 06 Mar 2007
Posts: 22771

Posted: Sun Nov 19, 2017 1:49 am

Based solely on the history of Adobe security exploits, I would say that no, Flash is not safe to install, never has been, and very likely never will be. Yes, ideally, all in-tree packages should be safe, but certain exceptions apply in practice. In the case of Flash, despite its numerous security flaws over the years, some sites still insist on using it as an exclusive content distribution mechanism. None of the attempts to make a Free compatible replacement have achieved sufficient feature coverage to match Flash in all practical cases. There are sites that offer their content only in Flash format, only Adobe Flash can adequately render that content, and some users need access to that content. Thus, as a practical matter, Flash is in-tree despite being closed-source and having an infamous security background, because if people will use Flash regardless, it may as well be maintained at the distribution level instead of requiring users to manage it themselves.

It should not adversely impact system stability, since it is only a user process, not a kernel module. Due to its security record, I recommend avoiding Flash if at all possible; if that is not possible, run it only on sites you trust not to serve any malware.

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54605
Location: 56N 3W

Posted: Sun Nov 19, 2017 10:02 am

LIsLinuxIsSogood,

What Hu said ++

Start off without Flash and see what you miss. You can add it later.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

havana8
n00b
Joined: 17 Nov 2017
Posts: 16

Posted: Fri Nov 24, 2017 2:26 pm

I don't think there are any security concerns with it, at least I haven't heard anybody complain

Naib
Watchman
Joined: 21 May 2004
Posts: 6070
Location: Removed by Neddy

Posted: Fri Nov 24, 2017 2:34 pm

havana8 wrote:
I don't think there are any security concerns with it, at least I haven't heard anybody complain
wat oO
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio.h>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
}

Roman_Gruber
Advocate
Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

Posted: Fri Nov 24, 2017 3:46 pm    Post subject: Re: Is flash safe to install

LIsLinuxIsSogood wrote:
What is the reason that Flash is masked in the Gentoo Portage tree... Ideally, like all packages in the tree, it should be safe to use, correct? Are there any security concerns with it, or is there something that I should be careful about in terms of system stability with that?


Flash is a big source of issues.

--

Google chrome, opera-beta, firefox-bin. => one of those three can always play any video source on the web.

There is no need to install the buggy flash package.

It's a good habit to have different browsers for different things. So the browser history is separated, user accounts and such.

Edit: AFAIK Chrome comes with pepper-flash. No idea on the recent status of that plugin. pepper-flash = the desired Flash plugin you asked for.

LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1186

Posted: Fri Nov 24, 2017 8:15 pm

I must agree with Naib and Roman_Gruber here, and since this was a question about a minimal desktop installation, I ended up going the route of not installing Flash. The thing was, I wanted to watch some videos online, and what I found instead was a way of using a more basic browser (w3m) for associating certain filetypes with 2nd-ary and 3rd, 4th, all the way up to 9 different alternatives for opening links from the buffer. Hence, with some other basic tools (namely mpv, the standard for playing movies in Linux), I was able to bypass the need for it altogether.

The reason Flash probably sucks is because, like Windows, it is so regularly used (e.g. Chrome-pepper) that it could be a major target for hacks. That is why on at least one installation of Gentoo, which is my minimal installation environment, I am going to opt to go without it instead.

However, Roman_Gruber, I don't know that the idea that Opera or Firefox, which are browsers that I will use frequently, even Chrome on occasion (I don't like the API for it, which is the only reason I stay away)... these browsers don't seem to always have a working Flash installed, so I'm a bit confused about the point you were making regarding Flash and this list of browsers. Was it that these are a list of compatible browsers? Because if that's what you were saying, then I think you might need to add in a host of others, including those built for Windows like Internet Explorer and all the other browsers that mimic the layout in general. I am still considering how to apply the results of this discussion to the other Gentoo installs I have, such as my "go to" working and office environment, which is my laptop that is really anything but minimal. Currently I have many browsers on that machine; like Roman_Gruber says, I think it helps to ensure that various options or settings can be followed, but keeping track of that stuff can be sort of tough, like finding a needle in a haystack... But so far at least the Flash-less browsers on this machine have been working fine, so we agree there at least. And if given a risk at all, which clearly there is at least some risk to it, then I would prefer to work around it at all costs.

LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1186

Posted: Fri Nov 24, 2017 8:18 pm

Quote:
Google chrome, opera-beta, firefox-bin. => one of those three can always play any video source on the web.

There is no need to install the buggy flash package.


Put yet another way,
Is what Flash is meant for in every case just to play videos, or is it also for other web-related programs, like web page navigating, similar to some other platforms/players like JavaScript with QuickTime on Mac or whatever?

Hu
Administrator
Joined: 06 Mar 2007
Posts: 22771

Posted: Sat Nov 25, 2017 4:57 am

havana8 wrote:
I don't think there are any security concerns with it, at least I haven't heard anybody complain
I don't know how you missed the complaints, but I would be very curious to know why you think there are no security problems. There may not be any currently publicly known problems in the latest version (or there might be - I don't track Flash that closely since I don't install it), but Flash as a product line has a long history of nasty security vulnerabilities, and the manner in which Adobe maintains it does not inspire confidence that there are no remaining unpublished vulnerabilities lurking.

havana8
n00b
Joined: 17 Nov 2017
Posts: 16

Posted: Mon Nov 27, 2017 4:33 pm

Hu wrote:
havana8 wrote:
I don't think there are any security concerns with it, at least I haven't heard anybody complain
I don't know how you missed the complaints, but I would be very curious to know why you think there are no security problems. There may not be any currently publicly known problems in the latest version (or there might be - I don't track Flash that closely since I don't install it), but Flash as a product line has a long history of nasty security vulnerabilities, and the manner in which Adobe maintains it does not inspire confidence that there are no remaining unpublished vulnerabilities lurking.

I meant that I haven't heard anything recently, I supposed they've fixed the problems. Haven't heard anything from 2015, not that I've been researching tho

Naib
Watchman
Joined: 21 May 2004
Posts: 6070
Location: Removed by Neddy

Posted: Mon Nov 27, 2017 4:40 pm

havana8 wrote:
Hu wrote:
havana8 wrote:
I don't think there are any security concerns with it, at least I haven't heard anybody complain
I don't know how you missed the complaints, but I would be very curious to know why you think there are no security problems. There may not be any currently publicly known problems in the latest version (or there might be - I don't track Flash that closely since I don't install it), but Flash as a product line has a long history of nasty security vulnerabilities, and the manner in which Adobe maintains it does not inspire confidence that there are no remaining unpublished vulnerabilities lurking.

I meant that I haven't heard anything recently, I supposed they've fixed the problems. Haven't heard anything from 2015, not that I've been researching tho

You need to review what news sources you use for vulnerabilities... MSM is generally NOT a good idea...

The most recent Flash-based security advisory is dated 13th November 2017, 14 DAYS ago

https://security.gentoo.org/glsa/201711-13


then the previous dates:
22nd Oct
16th Sept
15th July
12th May
4th Apr
2nd Mar
20th Feb
17th Jan

and then we are into 2016...

1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569

Posted: Mon Nov 27, 2017 4:43 pm

I can still remember when Flash came out, it was such a fantastic thing.

Six months later, I was hoping it would someday get stable.

Six months after that, I was hoping it would someday get stable and free of exploits.

Six years after that, (sooner actually, but I started saying six so...) I was hoping it would die out and be replaced by something that could one day be stable and free of exploits. And that websites requiring it would vanish.

That said, almost all that time I've been stuck using it because some aspect of my income insists on having Flash.

LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1186

Posted: Mon Nov 27, 2017 4:57 pm

Does anyone know what language Flash is? Maybe skipping the idea of developing it and just working around the issues with patch-like code for web designers to embed safer or more reliable access to the content. What 1clue says about the existence of it seeming to be good at first means there's some reliable component to begin with. Maybe. Or else did it just fill the void of web video content at that time? Either way, there is obviously no sense in denying the multitude of issues in designing things for browsers that are themselves very unsafe on the whole, and worse yet, none of those are actually doing what they need to do to make browsing the web more secure.

1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569

Posted: Mon Nov 27, 2017 5:24 pm

LIsLinuxIsSogood wrote:
Does anyone know what language Flash is? Maybe skipping the idea of developing it and just working around the issues with patch-like code for web designers to embed safer or more reliable access to the content. What 1clue says about the existence of it seeming to be good at first means there's some reliable component to begin with. Maybe. Or else did it just fill the void of web video content at that time? Either way, there is obviously no sense in denying the multitude of issues in designing things for browsers that are themselves very unsafe on the whole, and worse yet, none of those are actually doing what they need to do to make browsing the web more secure.


Start reading up on HTML5 features. The implementations of some features are a bit rocky, but the idea is sound and would hopefully avoid any widespread reliance on a single flawed closed-source platform in the near future.