Weblog entry #84 for dkg

Adobe leaves Linux AIR users vulnerable
Posted by dkg on Mon 21 Nov 2011 at 17:41
A few months ago, Adobe announced a slew of vulnerabilities in its Flash Player, which is a critical component of Adobe AIR:
Adobe recommends users of Adobe AIR 2.6.19140 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.7.0.1948.

[...]

June 14, 2011 - Bulletin updated with information on Adobe AIR

However, looking at Adobe's instructions for installing AIR on "Linux" systems, we see that it is impossible for people running a free desktop OS to follow Adobe's own recommendations:
Beginning June 14 2011, Adobe AIR is no longer supported for desktop Linux distributions. Users can install and run AIR 2.6 and earlier applications but can't install or update to AIR 2.7. The last version to support desktop Linux distributions is AIR 2.6.
So on the exact same day, Adobe said "we recommend you upgrade, as the version you are using is vulnerable" and "we offer you no way to upgrade".

I'm left with the conclusion that Adobe's aggregate corporate message is "users of desktops based on free software should immediately uninstall AIR and stop using it".

If Adobe's software was free, and they had a community around it, they could turn over support to the community if they found it too burdensome. Instead, once again, users of proprietary tools on free systems get screwed by the proprietary vendor.

And they wonder why we tend to be less likely to install their tools?

Application developers should avoid targeting AIR as a platform if they want to reach everyone.

 

Comments on this Entry

Posted by Anonymous (76.15.xx.xx) on Mon 21 Nov 2011 at 19:25
Well, as Adobe has dropped support for at least one platform, it means that Adobe AIR is less cross-platform than it used to be.

Your post made it to Debian Planet, and I'm glad it did. I just found out something a bit interesting about Debian's flashplugin-nonfree package which is worth pointing out, which is that it doesn't automatically update. The package contains a script that downloads Adobe Flash and installs it, but this only happens upon initial installation, or by manually running /usr/sbin/update-flashplugin-nonfree. Since the flashplugin-nonfree package doesn't need to be updated with new releases of Flash, it isn't, so by default the installed version of Flash on the local machine becomes stale.

Reinstalling flashplugin-nonfree is a quick way to update the version of Flash again, which at present updates the version of Flash to 11.1.102.55.

-- Chris Knadle


Posted by dkg (216.254.xx.xx) on Mon 21 Nov 2011 at 19:40
As you say, the simplest way to update the plugin is to run update-flashplugin-nonfree --install as the superuser; no need to reinstall the package.

You could also put this in a cronjob if you want to subject your computer to the latest craziness from Adobe.


Posted by Anonymous (76.15.xx.xx) on Tue 22 Nov 2011 at 08:07
I like to know when I update my own machine; I don't like it doing that automatically on me. :-P

But your idea brings up another interesting question: how can you tell within a script whether the local machine it's running on is online? Even better, how can this be done *generically* within a script so that it could be done within a Debian package?

I'm asking it this way because it illustrates another problem I'm working on. I could do a 'ping -c 3 www.yahoo.com' to figure out if the machine is online, but that probably isn't appropriate for doing for a program that's packaged in Debian. And without knowing whether the machine is online, it's unclear whether the network task to be done is worth starting.

So if anyone has ideas on this -- please let me know. Thanks.

-- Chris Knadle
Chris.Knadle@coredump.us


Posted by Anonymous (131.155.xx.xx) on Thu 24 Nov 2011 at 11:00
Use NetworkManager, that's what it was invented for:

hxxp://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/examples/python/nm-state.py

(no http because I can't post links)


Posted by Anonymous (108.27.xx.xx) on Sun 27 Nov 2011 at 21:11
It's not good enough to rely on NetworkManager -- and besides, I gave up on it and went over to using Wicd anyway -- but I'm looking for a solution that's more generic and can be used regardless of whether the machine is a laptop, desktop, or server, and regardless of which connection manager is being used.

What I'm currently looking into is /etc/network/run/ifstate which states which network devices are "up", or adding a script within the /etc/network/if-up.d/ and /etc/network/if-down.d/ areas.

-- Chris


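One way to do the check discussed in this thread without pinging a third-party host, as an added example that is not from the post or any commenter: it reads the ifstate file Chris mentions plus the kernel's IPv4 route table, and only then starts the updater dkg names. The function names, the `run` argument, the `IFSTATE`/`ROUTES` variables and the IPv4-only default-route test are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide locally whether a network update task is worth starting.
# Assumed formats: ifupdown state file with "iface=config" lines;
# /proc/net/route with a header row and a hex Destination in column 2.

IFSTATE="${IFSTATE:-/etc/network/run/ifstate}"   # path named in the thread
ROUTES="${ROUTES:-/proc/net/route}"              # IPv4 only (assumption)

# Print the non-loopback interfaces that ifupdown recorded as up in file $1.
up_interfaces() {
    [ -r "$1" ] || return 0
    while IFS='=' read -r iface rest; do
        case "$iface" in
            ''|lo) continue ;;
        esac
        printf '%s\n' "$iface"
    done < "$1"
}

# Succeed if interface $2 carries an IPv4 default route in route table $1.
has_default_route() {
    [ -r "$1" ] || return 1
    awk -v ifc="$2" 'NR > 1 && $1 == ifc && $2 == "00000000" { found = 1 }
                     END { exit !found }' "$1"
}

# Succeed if any up interface (state file $1) has a default route (table $2).
probably_online() {
    for iface in $(up_interfaces "$1"); do
        has_default_route "$2" "$iface" && return 0
    done
    return 1
}

# Act only when called with "run", so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    if probably_online "$IFSTATE" "$ROUTES"; then
        update-flashplugin-nonfree --install
    else
        echo "no default route on an up interface; skipping update" >&2
    fi
fi
```

A default route on an up interface shows only that the machine believes it has a path off the local network, not that the download host is reachable, so the updater's own exit status still has to be checked.
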
Posted by mcortese (20.142.xx.xx) on Mon 5 Dec 2011 at 13:48
I'm afraid the Linux distributions have not settled on a common tool, yet. That's why we see different implementations like NM, wicd... And that's why NM, for example, must be a real application and not a mere applet.


Posted by ajt (109.170.xx.xx) on Mon 21 Nov 2011 at 21:34
I think it's fair to say that AIR and Flash are both mortally wounded. Adobe had clearly stated that their long-term goal is to move to HTML5, and the abandonment of AIR on some platforms and mobile Flash are the first in a series of steps which will see them change direction. It's not nice but at least Debian will survive; there are a lot of big companies that invested a lot of cash in AIR and aren't going to realise any profit...

--
"It's Not Magic, It's Work"
Adam


Posted by mlc (69.22.xx.xx) on Mon 21 Nov 2011 at 23:11

To be clear, even when it was "supported," AIR on Linux was incredibly buggy. If I had an AIR app running, it would make my web browser crash when visiting pages with certain Flash applets.

(No, I am not making this up; an Adobe engineer confirmed the issue to me on Twitter).


Posted by Anonymous (62.210.xx.xx) on Tue 22 Nov 2011 at 08:57
There is a precedent to this: one or two years ago, Adobe stopped distributing their Flash player for GNU/Linux amd64, officially stating that it was because it had major security issues and they were not going to fix them. In other words: do not use our software as it is a big hole.
