Naked Security

Should Adobe make Flash open source? [POLL]

Some of us are counting down to the end of Flash; others are trying to give it life after death. Who's right? Have your say...

Last week, we wrote that Adobe was “calling time” on Flash, according to a blog post from Adobe Corporate Communications with the rather unexciting title of Flash and the Future of Interactive Content.

Other reports were rather more blunt.

Techradar wrote Adobe finally kills Flash, WIRED couldn’t resist the tautological Adobe Finally Kills Flash Dead, and BGR Media went for the unequivocal Adobe Flash is finally dead.

None of those headlines was quite right – least of all BGR’s, which actually dates back to December 2015, thus making it nearly two years ahead of this year’s headlines…

…which themselves turned out to be three years too early.

In fact, Adobe has said simply that it “will stop updating and distributing the Flash Player at the end of 2020.”

In other words, even those of us who have been trying for years to wean the world off Flash still don’t have much to celebrate.

In more than three years’ time, people will still be using Flash, and Adobe will still be stuck in the ongoing process of “encourag[ing] content creators to migrate any existing Flash content to [the] new open formats [like HTML5, WebGL and WebAssembly].”

With all this in mind, why would anyone want to keep Flash going even longer?

Long live Flash!

Finnish software developer Juha Lindstedt thinks he has an answer, and a petition to go with it:

Flash along with its sister project Shockwave is an important piece of internet history and killing Flash and Shockwave means future generations can’t access the past. Games, experiments and websites would be forgotten.

So he’s asking Adobe to release Flash as open source, just in case.

Open sourcing Flash and the Shockwave spec would be a good solution to keep Flash and Shockwave projects alive safely for archive reasons. Don’t know how, but that’s the beauty of open source: you never know what will come up after you go open source!

We’re not convinced.

After all, we already live in a world from which many other important pieces of internet history have as good as vanished, apparently without causing us to lose our grip on either the past or the future.

(OS/2, Macromedia Director, Google Gears, Netscape Navigator, Gopher, Usenet and France’s ultra-low bandwidth Minitel all spring, unbidden and unchronologically, to mind.)

But it’s not up to us, it’s up to you!

Have your say

Have your say by voting in our poll:

And have more say by telling us what you think in the comments below.

(You may remain anonymous.)


29 Comments

I’m a little mixed on this one. On one hand, I’d LOVE to get rid of Flash once and for all on ongoing and new websites. On the other, I hate to see history vanish… and there is a LOT of history wrapped up in Flash applets. Many of them aren’t simple animations that can just be converted to video for hosting somewhere like YouTube.

What I think I’d like to see is it go open source, but “official” development/maintenance be mainly aimed at a standalone player version… you know, like the one Adobe used(?) to offer as part of the dev kit. Sure, people could technically go ahead and continue updating plugin versions, but that should be discouraged.

What about an online emulator… like a sort of cloudy MAME for Flash? So it’s HTML5 in your browser, with the Flash rendering done in the backend?

I’d certainly be good with that, as long as it’s compatible enough to run most flash applications. I’d still want something that could be stored locally without jumping through too many hoops, though – it’s the archivalist in me.

That said, I’d still like to see websites completely shift off using it for their main system or anything important. If you make a shim too easy to just drop in, it tends to encourage not actually updating or redesigning the codebase… I’ve heard a few stories about some old mainframe applications running inside two or more layers of system emulation as they had to move off old hardware but refused to rewrite the application itself. I can’t verify that personally, but it does sound like something that would happen.

When I want to play a classic DOS game or purchase one that hasn’t been updated in a decade, GOG does a decent job wrapping them in a DOSBox emulator. Flash can survive the same way – in an emulation sandbox – never to be a vector for threats again.

Don’t open source it… take it out back and put it down like the rabid beast it has become.

I am mixed about this too. Flash needs to die a quick death, and it needs to be done in a way that discourages zombies as much as possible. But there is a lot of great old flash content that would be wonderful to preserve. If push came to shove I would say no to preserving flash, but if it could be done in such a way that it could not be available for continued use then I would not have a problem with it.

I voted that it should be released as open source.

Not so that it can be maintained in perpetuity, but so that truly better, more secure software projects, such as lightspark and pepper, can make use of the now-open API and create secure interfaces that can run flash objects without all the security problems.

I honestly don’t think the OSS community will improve its security… the code is inherently insecure. So many hooks into the browsers and vectors for attack… there may be someone out there willing to take on this – but I suspect it would be much more useful in the hands of nefarious ne’er-do-wells that want to utilize the code to find more hacks.

Miscreants would love it to be open source…more hacking opportunities.

It’s already so hackable, I’m honestly not sure it would make much of a difference in the big picture.

How many websites were built by contracted Flash devs who haven’t the time or inclination to contact all their former clients, each ignorant of their problem and unaware that their site will gradually see less traffic?

There will always be stragglers who choose to remain on old technology (WinXP, anyone?). Whether it’s ignorance, apathy, laziness, or a lack of funding/planning/resources the ‘net will still have Flash on F-Day.

With major browsers and outlets already tapering its use, smaller entities may be unable to follow so quickly. I’ll feel more at ease with the belly of this beast exposed for inspection. While the “many eyes make all bugs shallow” philosophy is imperfect,

“zero eyes will spot approximately zero bugs.”

Both! Make it open source for emulators to be made and for history to be viewed. And also KILL IT WITH FIRE!!!, meaning uninstall it everywhere.

Last patch should be an uninstaller. Just quietly get rid of it on 99% of computers, and only let people opt out if they are paying attention.

Like foistware, but in reverse :-) If you aren’t paying attention then the upgrade leaves you with fewer installed software components, not more…

Hah, great idea. Also reminds me of the DirecTV “Game Over” strike against pirated television, Black Sunday.

If they took out access to the machine/OS, yeah. But that was the feature/flaw they refused to remove. It never should have been more than just a player.

Adobe FLASH has a long history of security issues. Without a significant effort to rip out the areas that have caused FLASH to have such a poor security profile, releasing FLASH as OSS would be bad.

Adobe has had the opportunity to really fix FLASH. They, however, have chosen not to remove problematic APIs or capabilities. An OSS release of FLASH would probably not solve any of these issues either.

If they are keeping the code to archive it, then whatever.
If they are giving it to us to archive, I’m fine with that too since we’d finally be able to find a way for flash to work without having to update it every 12 minutes and 21 seconds.

I also agree it should have never been more than just a player.

Internet browsers are already increasingly reducing support for Flash (and plugins in general in some cases). If archived versions of Flash Player exist to install on legacy browsers to view old websites, that should be enough for “Internet History”, but don’t expect future browsers to support old code in any form just to view “historical” websites made a decade ago.

I’d make it open source, but not necessarily so it can live longer. Simply because of the fact that Flash won’t just die in 2020, and people won’t just stop using it only because it’s no longer supported. So I think I’d prefer it doesn’t get less secure than it is by not getting any fixes.

Should it be killed and not open sourced, I have little doubt that someone will eventually release an emulator for it. I feel sorry though for some companies whose major source of income is the ever popular flash games that so many people play. Poof! Those companies will be crushed. And OddTodd who, after losing his job, created his website and livelihood from his mostly flash web site… Poof! His replacement income source destroyed. I’m sure there are many, many others.

To be fair, there are still more than three full years to move from Flash to HTML5…it’s not as though there isn’t an alternative.

I ditched Flash several years ago, and haven’t missed it at all. Except, perhaps, the inability to view an amazing scale of the universe animation, which was very hypnotic and mind-blowing. But Flash itself? Kill it with an update that wipes Flash from a computer on a specific date, thus giving users time to prepare for its demise.

Except when word gets out that the “final update” will remove Flash, panicked stragglers will turn to the reverse engineers to block it. That would only work if it was an unannounced wipe.

And despite Adobe announcing “Flash will no longer receive updates after next week,” if they were to instead execute a global uninstall they’d be applauded by us security nerds, but the masses would see it as a sneak attack and feel betrayed. And those masses are the ones paying for Photoshop, so it won’t happen.

I voted that it should be made open source for reasons of preserving history, but I don’t think it will result in a more secure version.

The flash codebase is almost certainly a crufty mess that contains all sorts of bad assumptions and design decisions that make good security very hard, so as a result fixing security bugs is a tedious exercise in papering over yet more cracks. (If the code base was well designed from a security standpoint, then security bugs would be rare and would get fixed quickly, and we know that is not the case).

Open source developers choose what projects they contribute to, and they mostly choose things that are cutting edge, exciting, or necessary for their professional day jobs. Flash is none of these, so I don’t think it will get much love from volunteer devs.

Apart from playing old flash games, the only use I can see for an open source flash player is as a reference implementation to help guide and debug a full ground up re-write.

Why not treat HTML5 (which isn’t going away any time soon, so we’ll have it in our browsers anyway) as a rewrite? (If you are after a ground-up rewrite, that seems to fit the bill.)

OS/2 still lives (sort of) – I remember seeing it on an Italian train ticket vending machine during the last decade and a quick Google throws up someone releasing new versions (licensed with IBM) …

Let’s not allow this poor creature to suffer any longer. It should be put out of our misery and euthanized. The sooner the better, as I see it.
