The decision was wrong, because, out of fear of introducing new features into stable / volatile, it made flashplugin-nonfree too hard to install via Debian. With the result that many of the users who wanted flash chose to install it in other ways, which in turn prevents them from getting security updates for their flash installation.
* Popcon data[2] indicates that 50% of desktop users install flashplugin-nonfree, but another 15% go to adobe.com and download their adobe-flashplugin deb[3] directly.
* Popcon can't tell us how many people chose to download a tarball, or install the plugin in ~/.mozilla/ in some other way. Let's guess that this is also somewhere around 15%.
* Also, some unknown percentage of people add unstable to sources.list just long enough to install flashplugin-nonfree from it onto their stable or testing system, and then remove it. Or download the deb manually from packages.debian.org. I think this is the obvious thing to do if you don't know it's in backports and are not thinking ahead and need the package. I know I've done it, quite a few times.

End result of all of these choices is a system with flash installed but with no security upgrade path. I wouldn't be too surprised if half of the Debian stable/testing systems that have flash installed are in such a situation. That's not good.

There are two ways to look at the flashplugin-nonfree package:

1. It is the package that provides Adobe flash (somehow); if a new version of flash comes out and has new bugs/features, then that means the package needs an upgrade, which is not suitable for stable or volatile.
2. It is a package that downloads some binary from adobe.com and allows users to use it. No guarantees are made about the binary working or being the same today as it was yesterday. If you have problems with it, complain to Adobe. All the package is responsible for is downloading it and helping you keep it up-to-date, especially when Adobe releases a new version to fix a security hole.

I suggest that the second mindset might be better both for users of Debian and for your own peace of mind/sanity.

-- 
see shy jo

[2] name                  inst   vote  old   recent  no-files  (maintainer)
    flashplugin-nonfree   7940   1581  3866  1549    944       (Bart Martens)
    adobe-flashplugin     2300   1852  209   208     31        (Not in sid)
    swfdec-mozilla        15481  8184  2942  4266    89        (Santiago Garcia Mantinan)

[3] Which claims to be for Ubuntu, but will work on Debian, I assume. BTW, I think that flashplayer-nonfree should conflict with it.