They're actually up-to-date Adobe binaries as the article says that Adobe's Chinese Flash subsidiary still maintains Flash and releases security updates for it each month.
> The Chinese version of Flash receives one security update per month and can be freely downloaded from Flash.cn but also has significant strings attached. It comes preinstalled with an adware program called Flash Helper which, according to security sources, exhibits malicious behavior. Developed by ‘darktohka’ and previously located on Github, Clean Flash Installer solves these problems and more.
> “Clean Flash Installer installs this up-to-date freely available version of Flash, but it comes WITHOUT the adware program,” darktohka informs TorrentFreak.
I've never heard of a company being held liable for releasing even a paid product with defective security, let alone a free one. They're not even held liable for deliberately including spyware [1]! That any lawyer would believe a company would be held liable for releasing an imperfect security patch is beyond absurd, and nothing more than a convenient excuse for abusive practices.
That looks like a sweet project. I'm happy to see web assembly being used in it too. I'll have to add it to my long list of things I want to get around to tinkering with.
One thing I can't understand is why Adobe is so insistent on keeping Flash really actually dead by saying it's "unsupported" yet still keeping the sources to themselves. If they aren't gaining anything from it anyway, why can't they just open-source it? I mean they won't lose anything either by doing that, right? The community would fix all the bugs eventually. Probably quicker and better than Adobe, too.
My guess is that to Adobe, "flash" was a set of authoring tools (developer IDE and bespoke language) and a runtime that allows execution in the browser.
Adobe, as a company, sells authoring tools. It doesn't make money building runtimes and then giving them away. Even the money from licensing runtimes (Air) is insignificant. The runtime was just a necessary overhead due to inconsistent and poor native rendering capabilities in the browser - it existed solely to allow the development of powerful authoring tools.
So after browsers improved their native support and announced they are dropping support for the plugin, Adobe migrated to a new version of the authoring tools (Adobe Animate) that can compile to the legacy flash player runtime if needed, but also to html/js, or svg, or other targets.
They still want to sell more of the authoring tools. They don't particularly care about flash, and are probably happy to be rid of it.
What they don't want is someone else taking control over the runtime and then building rival authoring tools for it, opening it up to other authoring tools, or creating any kind of rival authoring eco-system.
It's like if you give away razors to sell your own blades, and then you come up with razor 2.0, you still don't want people taking the razor 1.0 and keeping it alive by selling their own blades for it, or even giving away their own blades for it, as then you would be in competition with yourself.
Whether these business concerns are justified or not, or whether our IP laws are too extreme, is a separate question. These aren't simple questions.
As someone who got into game development by making Flash games as a kid, I would love to see Flash open sourced. I don't think it's necessarily true to say they have nothing to lose by open-sourcing it though. Who knows how many private shared libraries are in there that are still required by other still-active Adobe software. And they're also probably not excited to give up rights to a massive pile of code which they could conceivably want to use in future projects.
In other words Flash likely isn't some isolated directory they can just zip and share to the world, and even if it is they might want to pick the bones later so why throw it away? (from their perspective)
Can relate. Flash literally changed my life. I wouldn't have been the person I am without it. And my career path would've definitely been very different. I wouldn't have known most of my friends without those VKontakte Flash apps, because the connections to most of the people I know right now can be traced back to someone from that Flash app developer community.
I'm somewhat hopeful that Ruffle will somehow drive its resurgence. Older versions of Flash (the authoring software) aren't that hard to find, and maybe in due time someone would even build an open-source reimplementation of that, too. The SWF format itself definitely won't ever be dead by any means.
My own personal use case for flash is to access baseboard management interfaces on servers. e.g. the Cisco UCS220B3 series uses a flash based interface. No dice with ruffle. It can do the login form and that's all there is.
> My own personal use case for flash is to access baseboard management interfaces on servers. e.g. the Cisco UCS220B3 series uses a flash based interface. No dice with ruffle.
Networking is the one thing that can't be fully reproduced by using a wasm thing vs a browser plugin, requiring changes on the receiving side. Flash player did cross-origin security quite differently. When you sent the first request to a new origin, it would first fetch /crossdomain.xml from that domain to see if you're allowed to do that, and only then proceed. Browsers rely on the Access-Control-Allow-Origin header instead. Then there are sockets, for Flash it's mostly the same idea: you could specify an arbitrary host and TCP domain, then Flash player would connect to it itself and send the string "<policy-file-request/>". The server is supposed to respond with the contents of a crossdomain.xml and close the connection. Flash would then connect again and this time hand over the socket to your code. Websockets don't work anything like that; you get one by upgrading an existing HTTP connection, and you can't have that on an arbitrary port either, and there's mandatory encryption.
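The socket policy exchange described in the comment above, run with both sides on loopback, as an added example that is not part of the thread and not code from Flash Player or Ruffle. The NUL terminator on the request and reply, the sample policy, the `example.test` hostnames and all function names are choices made for this illustration.

```python
import socket
import threading
import xml.etree.ElementTree as ET

# Request and reply are NUL-terminated here; the policy is a constructed sample.
POLICY_REQUEST = b"<policy-file-request/>\0"
SAMPLE_POLICY = (b'<cross-domain-policy>'
                 b'<allow-access-from domain="app.example.test" to-ports="8443"/>'
                 b'</cross-domain-policy>\0')

def serve_policy_once(listener, policy):
    """Server side: answer one policy request, then close the connection."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\0"):
            chunk = conn.recv(64)
            if not chunk:
                break
            buf += chunk
        if buf == POLICY_REQUEST:
            conn.sendall(policy)

def fetch_policy(host, port, timeout=2.0):
    """Client side: the first connection, made by the player itself."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(POLICY_REQUEST)
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data.rstrip(b"\0")

def port_matches(spec, port):
    """to-ports is a comma list of ports, ranges ("8000-8100") or "*"."""
    for part in (p.strip() for p in spec.split(",")):
        lo, sep, hi = part.partition("-")
        hi = hi if sep else lo
        if part == "*" or (lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi)):
            return True
    return False

def is_allowed(policy_xml, origin, port):
    """True if a SWF served from `origin` may open a socket to `port`."""
    # For policies fetched from untrusted hosts, use a hardened parser (e.g. defusedxml).
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        dom = rule.get("domain", "")
        dom_ok = dom in ("*", origin) or (dom.startswith("*.") and origin.endswith(dom[1:]))
        if dom_ok and port_matches(rule.get("to-ports", ""), port):
            return True
    return False

def loopback_exchange():
    listener = socket.create_server(("127.0.0.1", 0))
    t = threading.Thread(target=serve_policy_once, args=(listener, SAMPLE_POLICY))
    t.start()
    policy = fetch_policy("127.0.0.1", listener.getsockname()[1])
    t.join()
    listener.close()
    return policy
```

Only after `is_allowed` passes would the player open the second connection and hand it to the SWF's code; a policy with `domain="*"` and `to-ports="*"` makes that check pass for every origin and port.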
ActionScript 3? Bitmap filters and blending modes? I tried throwing all the swf's I have laying around at it, and the older one is, the more likely it will work. Some AS2 games are fully playable even.
It'll get there eventually of course as it's very much WIP. I wonder when it will stop calling itself a "flash player emulator" tho. It plays flash files. It's literally a flash player.
This, in particular, is limited by manpower and reverse engineering. Simply documenting what Flash actually does would be a huge help. Volunteers welcome.
Rendering flash requires that you be pixel compatible to something that is not documented anywhere. That requires someone to do a lot of experiments on something that barely runs anywhere anymore, document what they find, and then have someone convert that into code.
Flash being dead, and yet many enterprises still relying on it, opens the opportunity for Adobe to sell a pricey contract that allows an enterprise servicing company to provide Flash support.
So the top comment mentions ruffle.rs which is basically the same thing as CheerpX without the insane licensing fee (correct me if I'm wrong).
With that said why the hell would a company pay for this when there's a good OSS alternative? Is it all about support and covering your ass from any lawsuits?
CheerpX is the actual Flash player virtualized. I haven't used it, but would expect that means something regarding reliability. And its customer segment probably doesn't bat an eye at that kind of pricing for something "properly supported", whatever that means for such a hack. Seriously, enterprise environments are often prepared to pay a lot for compatibility stuff/extended support/...
ruffle.rs is a reimplementation, and YMMV, but none of the things I tried playing with it worked properly (although afaik plenty other things do) and it's still in active development.
They may not be legally able to. It's likely that Flash includes some 3rd party code that they've licensed under commercial terms from other vendors and which they can't release.
It depends how big the missing piece is. First, let me be clear that I know nothing about Flash's internals. Everything I'm saying here is just as an example. But suppose Flash depended on a specific 3rd-party graphics engine, and a lot of Flash's own code was written to adapt and work around bugs in that code. Replacing it might mean either 1) making a clean graphics engine and rewriting a large part of Flash to work with it, or 2) implementing a bug-compatible engine.
Maybe instead of a graphics engine, it's a proprietary video codec, or a bytecode interpreter, or a network stack, or a sound library.
Things like these are a big reason lots of projects aren't released as FOSS. Take something that looks simple on the outside, rip out its guts, and you're left with what exactly?
Flash Video FLV files usually contain material encoded with codecs following the Sorenson Spark or VP6 video compression formats. As of 2010 public releases of Flash Player (collaboration between Adobe Systems and MainConcept) also support H.264 video and HE-AAC audio.[3] All of these compression formats are restricted by patents. - Wikipedia’s page on FLV, the video format that YouTube was built around.
And these are definitely not a problem if ripped out because ffmpeg has them all. Source: I once wrote a (somewhat terrible) FLV player for an Android app that used libavcodec/libavformat.
> I mean they won't lose anything either by doing that, right?
Not directly, but if someone were to use some of that code that a company put significant resources into developing, in a product that made someone else money, most companies would probably have a hard time mentally justifying that.
Interesting — I just checked the standalone flash player I still have (and use sometimes), the "about" window doesn't list any free software. So either they aren't using any, or... But I find it unlikely that a company with this many lawyers would not read every letter of the license of every library they include in any of their projects.
I've worked with the Flash Player source code in the far off past (I worked for a company called Chumby which licensed Adobe's Flash Player to power apps running in a device similar to the modern Amazon Dash Look) and while you would see things in that codebase that make your head spin, improper use of GPL libraries was not one of them.
The most astounding thing in this article is that the developer is denying copyright infringement.
There are many arguments to be made for preserving flash and providing a clean, easy way to install a modified version of Flash with the necessary security updates. But claiming that there was no copyright infringement? The Gitlab screenshot [0] uses Adobe's copyrighted logo, looks suspiciously like it's affiliated with Flash by mimicking its installer and installs an illegally distributed Flash binary.
The real problem here is that the binary does contain proprietary Flash code, but the code itself doesn't. I can't verify if the releases page hosted the full-fat executables or not; if they did, the DMCA seems quite standard. If they didn't, the DMCA was definitely filed under false pretenses because it claimed a violation of _Adobe's code_ rather than their resources.
The use of the Flash logo may be a trademark violation, but it's not a copyright violation. The logo is so simple that Wikimedia Commons has it labeled "does not meet the threshold of originality needed for copyright protection, and is therefore in the public domain":
“Secure”… not a chance. Flash was a tyre fire and even Adobe would say so. They did their best with massive resources, and still couldn’t claim it was secure. Please please please don’t claim this project is secure. It isn’t.
Adobe may have had massive resources, but either they are incompetent, or didn't spend any time on flash.
Multiple times, single devs working solo, wrote full flash interpreters over a few months.
Adobe just doesn't know what they're doing. Look how they cratered cold fusion too.
They also had a security / license daemon, lmgrd. What a joke, used MAC addresses for license issuance, was buggy, could be defeated with a simple ifconfig command.
Why would people be using Adobe's insecure implementation if multiple random guys wrote replacements in a few months? The answer is that these of course are not the complete, bug for bug backwards compatibility monstrosities that Adobe Flash Player is.
Adobe is competent in some regards, but seemingly not in others. Flash was riddled with bugs and vulnerabilities, so in this regard Adobe seems incompetent, or lazy at best. But the flip side to this coin is the reason flash became so popular; artists and designers saw in it a tool that scratched their itch well, not knowing or caring about the technical shortcomings. In this particular regard, making software that designers and artists like to use, Adobe seems to have a track record of competence.
This is the same company that assigned a whopping 0.5 FTE to porting the Director plugin from OS9 to OSX, which subsequently took years and killed the platform.
I would not make the assumption that Flash development was well resourced. Which is a shame because despite the bad rep it was an amazing tool for creatives.
One way the developer can work around this is to provide a program that doesn't distribute Flash at all, but allows the user to either modify the Flash installer or binary, or modify the system post-install, to achieve what the original project achieved.
Wouldn’t be too hard to extract the files out of the installer and install it yourself with a companion program and just hot link the installer. No clue why they didn’t just do that.
Having read about the situation more, the author of the code claims that they didn't distribute any copyrighted software that they don't have a right to distribute. Maybe they actually did what either of us suggested.
Is it not still possible to run an outdated browser version with Flash installed in a container? Don't get me wrong, that's a hassle but at least it's not lights out for Flash for these people.
I am still running an outdated version of the flash plugin shared library plugin that I downloaded and installed manually because I need it to handle some tasks for a specific client. Maybe one day I will have a monopoly and become really rich.
What's even stranger is that there is an open source project under Apache for Flex. One that even has not only the blessing of Adobe but the support of the company. Their answer has been write an app in Flex and get it compiled to JS. No need for Flash! Several developers using it happily in the Lansing area.
I thought they were going after Ruffle. I was all ready to be outraged and -- nope, if he's illegally redistributing the binary that's a legit action. If he distributed a patchkit, maybe that would technically be on the right side of copyright law (at least in the USA), but Adobe would still probably cry havoc and let slip the dogs of lawfare.
I read elsewhere in these comments that Adobe keeps Flash alive in China. If this is true and Adobe doesn't want China to take over Flash (Re: China & ARM), they won't open source it and they'll keep clones down/DMCA requests going to keep business with China. Just my 2¢.
When people say to not rely too much on proprietary software, this is why. "Oh, flash will be around forever! There's nothing to worry about". Same could be said about so many other things.
How so? This is identical to piracy. Taking IP one doesn't own, stripping it of its ability to make money (removing ads), and redistributing it without permission.
Copyright infringement can get complex but this is one of the simple cases. Was the software under protection? Yes. Did the redistributor have permission? No.
The .NET file that Adobe served a DMCA 512 notice on doesn't contain any of Adobe's copyrighted code. It's an unpacker and installer that users run on the software they download separately from Adobe's Chinese distributor.
This is emphatically not a copyright violation of ANY kind, but it's especially not a violation of copyright that would entitle Adobe to use DMCA 512 to have it expeditiously removed. A DMCA 512 claim is explicitly - and solely - a mechanism for removing unauthorized copies of a copyrighted work. Again, this is a .NET file that has instructions for unpacking a standards-defined .ZIP archive and then installing its components. It's NOT a copy of Adobe's code. DMCA 512 has no place here.
And while it's NOT a violation of DMCA 512 to host this batch file, it IS a violation of DMCA 512 to file a baseless takedown against it. The DMCA's requirement for a "good faith belief" that a file infringes copyright, "on pain of perjury," makes Adobe the sole lawbreaker in this story.
==
Separately: You might be wondering if this is a DMCA 1201 violation (that's the part of the DMCA that deals with "circumvention" of "a technological protection measure" that "controls access" to a copyrighted work).
It's not. There's no TPM in a ZIP file, so there's no circumvention in unpacking it.
But even if it was, Adobe didn't send a 1201 takedown (those don't really exist, because there's no 1201 safe harbor, though sometimes firms send 1201-related cease-and-desists), they sent a 512 takedown.
Again, a 512 takedown only ever applies when there is distribution without authorization. There is no distribution. It's inarguable - and provable. The .NET code is (was) on github for anyone to inspect. It is unequivocally NOT a copy of Adobe Flash or any other work that originated with Adobe.
BTW, it looks like at least one version of the installer included a binary, though the creator says that's not true anymore, so you were (partially) right and I was (partially) wrong.
P.S. If the CleanFlash installer contains the Flash Player distribution, instead of downloading and patching it on the user's machine, then the author indeed deserves to be slapped with a complaint for such an obvious blunder.
Obviously the decay effects on finances aren’t seen for a while. However Adobe is currently around a top 25-30 company in the US by market cap. Their profits and revenue are enormous nowadays.
Still waiting for the day JavaScript isn't one of the top Pwn2Own contenders. The idea that there is any part of the web stack that isn't a Swiss cheese of security issues would be funny if reality wasn't so depressing.
Maybe you want to play/watch the thousands of Flash games/animations that exist? Use legacy software that depends on Flash?
I agree that it's an insecure piece of crap that shouldn't be used in any modern system, but that doesn't mean that everyone should be restricted from trying to use old software that depends on it, as long as they assume the security risks of doing so.
There’s a lot of original content (animations and games mostly) that only lives in .swf format. It would be nice to keep flash around if just for archival purposes.
So that Ferry Halim's Orisinal page does not have to show this message instead of presenting you with wonderful games: https://www.ferryhalim.com/orisinal/