For those who still believe that flash is the only internet component with serious bugs.... about open-source-flash HOT 14 CLOSED

@Brian151 You made some super interesting points, especially in regards to:

They brag about how secure the alternatives are.

From my perspective, it's always been about the lack thereof, since there has yet to be any alternative tool for developing interactive content that has been as animation-centric as Flash. There are absolutely fantastic tools out there for 2D game development that save time with coding that deserve some credit (Unity, GameMaker, Monogame, Godot, etc), but absolutely nothing (afaik) has as robust and flexible of an animation system and asset workflow as Flash. I know how to program 2D games, but I sure as heck don't know how to manage my assets more efficiently than I could with SWFs. Animators unsatisfied with Flash can move over to ToonBoom, but game developers are left in the dark

Anyway, I digress a bit from the topic of security. tl;dr I would be fine with alternatives if they were actually replacements, but given the state of Animate's mediocre HTML5 export capabilities I'd say we're on our way back to Flash 5 at this point if nothing is done.

from open-source-flash.

Wow, I do feel we might be going off-topic from the original point, although I do agree.

@ROBERT-MCDOWELL
RE: someone gets it
No problem!

@toolforger
a little lost what you're saying here. I don't think anyone explicitly said this was about reviving flash. More so it was about striking-down the straw man arguments used to destroy its reputation so significantly. Well, this specific issue, anyways

@Cleod9
Again, a bit hard to follow.
I did not address how inadequate the "alternatives" are, either, simply because it felt off-topic. I currently have my own spaghetti code of a library/engine written for HTML5. shudders Also, I have just from the user perspective had numerous problems with HTML5 exports. Unity webGL has had script errors, at worse. About 50% of them encounter major GL errors, causing graphics to render poorly, if at all. That's the best-day scenario. I've also read numerous complaints from actual Unity developers about just how awful it really is to work with. Animate exports work for me, but are insanely slow on older hardware, and there's something that goes wrong when exporting any flash vector asset from a SWF. I have an associate? I guess you would say, and he knows a great deal more than me, can't fix it. Tried. Asset Management is indeed a pain. Due to a project of mine. (well, technically two), I looked at how SWF is actually structured, aided first by the JPEXS Free Flash Decompiler, and then re-visted the official specs. Honestly, the format is brilliant, and every bit as relevant for data transmission as it was back when it was invented, and its structure in general is actually quite logical. It's also considerably easier to work with than Unity asset bundles. I do have some plans to invest more time and effort into the format, but right now I need to focus on the Shockwave formats. Haven't done this on account of depression issues. Also, there's been some debates about how even to do things...

re: tl;dr
yes...
And that's another benefit of the flash player being open-sourced. Those more mysterious aspects of rendering? We learn them. Maybe we can correct them in HTML5 stuff (well, i kinda doubt that) , or in other implementations

@ROBERT-MCDOWELL
@Cleod9
If anyone would maybe like to more directly discuss Flash formats and things with me, I'd be alright with doing this on discord. I'm also on deviantart. If you'd share any way to contact you by, then I will try to get in touch as soon as possible. I'd sahre my own stuff, but for variety of reasons, I'd prefer not. Sorry if this is any hassle

I need to sleep soon, and if any of my reply seems a bit screwy or rushed, that's why.

from open-source-flash.

I notice that only one person understood my comment (thanks Brian)
My1 and Pakastin:
No, meltdown and spectre are not fixed, for now there is just a so called "mitigation"
which does not mean "fixed". Btw this word is widely used to not scare DC and servers admin,
especially when it concerns crypto currency nodes.... My guess is it's only the start in 2018.
So the fairy tale has a new insane episode this year...

from open-source-flash.

Fixed in MacOS and soon in other operating systems as well..and a little unrelevant – closing

from open-source-flash.

this doesnt make the flash issues any less relevant.

from open-source-flash.

Open-sourcing Flash does not change anything about this threat - if Flash vanishes, the attackers will simply use Javascript, or offer free installable software.
So it is indeed orthogonal to the petition.

from open-source-flash.

well, so why not stop javascript in 2020 too?
The subject is not if flash is good or not, it's the non sense made to stop an advanced technology
since 20 years in 2 years and leave millions websites out of work

from open-source-flash.

Stopping Javascript will do no more than move this particular problem to installable software.

from open-source-flash.

@toolforger sure fixing this doesnt address the other issues, but in the end meltdown and spectre are already in fixing (or rather migitation as you cant just fix hw issues, you can just work around them)

the problem in security is that it behaves like a chain, the weakest link will be the one that breaks, so in the end all links need to br strong but this repo is only for flash, other stuff happens elsewhere.

from open-source-flash.

I personally believe that this is not by any means irrelevant to the matter at hand.

One of the common reasons that Flash is both being let-go (and especially, bashed into oblivion by so many), and that people do not take the goals of this project seriously, is because of securivulnerabilities.

The argument is made time and time again that Flash is insecure. Or, being more general, " is insecure, get rid of it." They brag about how secure the alternatives are. Sure, the alternative may or may not be secure. (thx to efforts of the NSA and the many reported cases of companies NOT fixing reported vulnerabilities, AFTER being told how to do it, I'm going with "not secure") However, like the linked article in the OP suggests, this problem exists frighteningly, much deeper than Flash, or the preferred scape goat at the time. Might be fixing it, but that's besides the point. The point is that this shit was out there, was for decades, undiscovered (or maybe covered-up, if you're into that) , and who knows what kind of damages could have been done then. But some people continue just to blame Flash, and only Flash.

Security is indeed only as good as its weakest link. @My1

Flash's (alleged, i find it amazing this stuff is so far only reported exploited in demonstrations (from my understanding), but not the wild) insecurity is used as a counter-example to why flash should be allowed to live in any form, and that includes being open-source. This article acts as a counter-example to those arguments, proving what everyone with a BRAIN knew this whole time, that the stuff many layers deeper than Flash is just as insecure, if not MORE. Many of the exploits in Flash probably aren't even flash, itself, it's whatever insecure systems it was built on top of. I would say that writing it off as nothing is a mistake @pakastin That article makes a valuable point in regards to security. Basically, what's stated there can be interpreted as "Even if Flash actually were secure, it wouldn't matter, because the processors and web servers, themselves, are afflicted with some very scary weaknesses of their own". It doesn't matter if Flash is even discussed or not. It does not matter if the specific issues are actually being addressed or not. This kind of information is leverage, because for all of those that pick-apart Flash solely for its flaws, this is a reminder that whatever technology they praise as being so superior, has its own flaws, perhaps beyond the knowledge or power of its developers to fix, as is often the case with security.

Sorry if this is not worded the best. I hope you will re-consider your decision on this matter. Articles like this are more powerful than you may know. Hardwareee-level exploitseeee are a big deal. They will never be irrelevant in any topic regarding the security of a particular piece of computer software, because hardware exploits can bypass EVERYTHING that is put in place at the software level. In this scenario, EVERYTHING claimed to be more secure than flash is just as insecure, because it shares an exploit that runs so much deeper than the surface layer can reach. And whether or not it's being fixed, who cares? Problems like this can only reliably be fixed by getting new hardware, and that's just not feasible for every device out there. (Nor is constantly replacing your device, as a certain company would have you do, rather than get a minor repair for a minor problem)

That's just how I feel, and there's nothing you can do to convince me otherwise.

@ROBERT-MCDOWELL
thanks for sharing that article! More of these bigots who choose to preach about the evils of flash because of its insecurity need to read it. Maybe it'll knock them off their high horse. I'm so sick of hearing "Flash is insecure, use JavaScript, use Native Code" , and every similar argument. Gets old, real fast...

from open-source-flash.

This is not about reviving Flash. It is about whatever people may do with it. Possibly a revival, which would indeed be insecure - but maybe as a testbed for compatible (safe) implementations, for making better sandboxes to investigate still-existing malware, for making better sandboxes to run archived software.

from open-source-flash.

The potential and human resources are real to find several ways to continue to accept the swf format for the web or create a robust swf2xxx without to burden the entire developer/user community. Btw as Brian said, a lot of people don't have a clue of what is really flash and what you can do with. it's up to us to decide.

from open-source-flash.

@Brian151 The issues you're talking about sound remarkably similar to ones i've run into, which is why i can't fully commit to HTML5. It's just not as reliable/consistent across different hardwares, and you're at the mercy of the browser vendor if something will break your game that isn't backwards compatible anymore. (Adobe Animate's HTML5 export is still quite immature too and it's development has stagnated)

Anyway, here's a temporary link to my Discord username, I'd be happy to add you to chat further: https://pastebin.com/raw/5w770VhG

--EDIT--

Dose this group happen to have its own Discord server btw?

from open-source-flash.

I still think this is off-topic – closing now.

from open-source-flash.