Debian Template: installation of flashplugin-nonfree incomplete #1063
marmarek
Jul 14, 2015
Member
On Tue, Jul 14, 2015 at 07:19:55AM -0700, Patrick Schleizer wrote:
> Installation of https://packages.debian.org/jessie/flashplugin-nonfree fortunately succeeds on the apt level, but on functionality level it's defunct. It's to be expected, because flashplugin-nonfree's scripts fail to connect to destinations, which are not allowed by the template VM's default firewall/network config.
> This is not too bad. But I am wondering how we want to deal with this. At least this should be documented.
> Running sudo update-flashplugin --install in an AppVM based on Debian templates however is functional. (Does not persist reboots as expected.) I am wondering if we should just recommend to run this command as part of rc.local in AppVMs where users want to use flash. (Not the most usable solution, but a stopgap.)
Is it possible to install flash player in user home this way? If so,
IMHO it would be even more functional, as the user can install/enable it
only in subset of VMs without cloning the template.
Otherwise you can temporarily enable network access for the template in
VM settings (by default for 5 minutes) - this was implemented exactly
for such situations.
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
adrelanos
Jul 14, 2015
Member
> Is it possible to install flash player in user home this way?
update-flashplugin is a bash script that does not support installation to home. I don't know if they would be interested in a patch or if that would be a way to go. [Apart from this, the update-flashplugin script has other security issues, such as relying on gpg exit codes for verification is not secure.] [And not ensuring freshness, user has to manually keep running the update script.] Dunno if investing time into this is worth it.
> If so, IMHO it would be even more functional, as the user can install/enable it only in subset of VMs without cloning the template.
Having it only in single dedicated AppVMs seems also sensible to me from a security point of view.
> Otherwise you can temporarily enable network access for the template in VM settings (by default for 5 minutes) - this was implemented exactly for such situations.
We could document this [wrt to flash]. And/or the rc.local install solution [that would also ensure freshness [[under the assumption that users restart their AppVMs every now and then]]].
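The remark above about gpg exit codes, illustrated as an added example (not code from update-flashplugin or from anyone in this thread): an exit status of 0 from `gpg --verify` only says that some key in the keyring made a good signature, so the check below reads gpg's `--status-fd` lines and pins the signer's fingerprint. The fingerprints, the status lines, and the names `verify_status` and `status_for` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: judge a signature from gpg's --status-fd lines, not from $?.
# Real use:  gpg --status-fd 1 --verify FILE.sig FILE | verify_status "$FPR"

# verify_status EXPECTED_FPR   (status lines on stdin)
# Succeeds only if exactly one signature is reported, it is valid, its
# primary key fingerprint equals EXPECTED_FPR, and no failure tag appears.
verify_status() {
    local expected=$1 line rest tag good=0 valid=0
    while IFS= read -r line; do
        case $line in
            '[GNUPG:] '*) rest=${line#'[GNUPG:] '} ;;
            *) continue ;;                 # skip human-readable output
        esac
        tag=${rest%% *}
        case $tag in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA) return 1 ;;
            GOODSIG)  good=$((good + 1)) ;;
            VALIDSIG) valid=$((valid + 1))
                      # the last VALIDSIG field is the primary key fingerprint
                      [ "${rest##* }" = "$expected" ] || return 1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]
}

# Constructed sample data (not real keys, not captured gpg output).
PINNED=0123456789ABCDEF0123456789ABCDEF01234567
OTHER=FEDCBA9876543210FEDCBA9876543210FEDCBA98

# Hypothetical helper: emit the status lines gpg would print for a good
# signature made by the key whose fingerprint is $1.
status_for() {
    printf '%s\n' \
        'gpg: Signature made Tue 14 Jul 2015' \
        '[GNUPG:] NEWSIG' \
        "[GNUPG:] GOODSIG $1 Example Signer" \
        "[GNUPG:] VALIDSIG $1 2015-07-14 1436882395 0 4 0 1 8 00 $1"
}

status_for "$PINNED" | verify_status "$PINNED" && echo "pinned key: accept"
status_for "$OTHER"  | verify_status "$PINNED" || echo "other key: reject"
```

The second call is the case an exit-code check misses: the signature is good, but it comes from a key other than the pinned one.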
nvesely
Jul 16, 2015
I think we should let the user decide to install this by themselves. So far it seems there has been a policy of not installing non-free software except firmware and microcode and I really appreciate that.
Flash does not come in either the Fedora or Debian distros by default.
Some users (including myself) would be upset if they visited a site and a Flash video started playing. It of course poses a security risk and being a "freetard", I don't like it wrecking my freedom high anymore than Intel ME already does (I'll be running on Coreboot and ath10k thanks to some new hardware very soon!).
I think most people, if they run flash, run it in one or two untrusted domains. And further, I'd wager half those who run it, run it via Google Chrome. Netflix movie service is very popular in the US and requires DRM codecs only available in Google Chrome (at least as far as Linux browsers are concerned).
Maybe take a poll on the Google Group and see what users want, but I doubt that most people want easy and especially not default flash access in every AppVM. It's really not that hard to install yourself if you want it in an untrusted domain or two.
Just my 2 cents.
adrelanos
Jul 16, 2015
Member
For the record: No one was ever suggesting to install flash by default for whole Qubes.
nvesely
commented
Jul 17, 2015
marmarek added bug, P: minor, C: Debian labels (Jul 23, 2015)
marmarek added this to the Release 3.0 milestone (Jul 23, 2015)
adrelanos changed the title from "Debian templates: installation of flashplugin-nonfree incomplete" to "Debian Template: installation of flashplugin-nonfree incomplete" (Jul 23, 2015)
marmarek modified the milestones: Release 3.1, Release 3.0 (Sep 2, 2015)
marmarek modified the milestones: Release 3.1, Release 3.1 updates (Feb 8, 2016)
added a commit to unman/qubes-doc that referenced this issue (May 31, 2016)
unman
May 31, 2016
Member
@marmarek QubesOS/qubes-doc#155 merged, so issue now documented in FAQ with detail on how to install in template or in qube as desired. Close?
Yes, thanks!
adrelanos commented Jul 14, 2015
Installation of https://packages.debian.org/jessie/flashplugin-nonfree fortunately succeeds on the apt level, but on functionality level it's defunct. It's to be expected, because flashplugin-nonfree's scripts fail to connect to destinations, which are not allowed by the template VM's default firewall/network config.
This is not too bad. But I am wondering how we want to deal with this. At least this should be documented.
Running sudo update-flashplugin --install in an AppVM based on Debian templates however is functional. (Does not persist reboots as expected.) I am wondering if we should just recommend to run this command as part of rc.local in AppVMs where users want to use flash. (Not the most usable solution, but a stopgap.)