Today the missing signature file preventing update of the nonfree flash
was added to
https://people.debian.org/~bartm/flashplugin-nonfree/D5C0FC14/ enabling
updates -- eight (8) days after the publication of a CVE and five (5)
days after detection of an exploit in the wild.

Could this be a learning opportunity?  Bart is doing a yeoman's service
in volunteering to provide a secure delivery mechanism for flash -- a
non-free component none of us are happy with, but unfortunately one
still requiring installation for many.

I'd recommend some mechanism for automating the signature generation or
the addition of co-maintainers or a specific mechanism for the security
team (which understandably doesn't want to touch non-free software) to
do NMU alterations, not to the package, but to the area where the
signatures are kept.

As always, thanks to DD Bart for his contributions to Debian.
