Bundled Flash

Adam Williamson awilliam at redhat.com
Fri Aug 23 11:03:00 UTC 2013 

On Thu, 2013-08-15 at 13:45 -0700, T.C. Hollingsworth wrote:
> It's come to my attention that a number of packages contain Flash (.swf) files,
> but absolutely none of them have BuildRequires on a free software Flash
> toolchain, nor do any of them seem to be shipping the source for these files.
> :-(
> 
> It has never been permissible to included prebuilt files of this nature in
> Fedora [1], and FPC unequivocally stated during today's meeting that they have
> no interest in making an exception for this.
> 
> Please remove this prohibited content from your packages, or ensure that any
> included .swf files are built from source using a free software toolchain like
> `swfc` during the %build phase.  A list of affected packages sorted by owner is
> included below, and I'll be filing bugs for these soon.
> 
> -T.C.
> 
> [1] https://fedoraproject.org/wiki/Packaging:Guidelines#No_inclusion_of_pre-built_binaries_or_libraries
> 

> limb roundcubemail
> ngompa tinymce

So, tinymce has a 'media' plugin which lets you embed media in HTML
you're editing with it. If it thinks the media might need playing with
Flash, it'll generate HTML that tries to use a Flash player -
moxieplayer.swf - to play it (sometimes as a fallback from HTML5).

Just nuking moxieplayer.swf doesn't stop tinymce generating HTML that
looks for it, so that's not really the way to go. But I think I found a
way to patch the plugin not to try and use moxieplayer.swf and just to
spit out nice clean HTML instead. I also bumped tinymce to the latest
upstream release, since it hadn't been bumped since 2011 and was
*ancient*. Testing of this is very welcome. I've sent the build to
Rawhide and F20 for now.

roundcubemail is on this list because it bundles tinymce, basically. I
think it should be trivial to replace its bundled tinymce with the
system-wide one. I'm going to test installing the updated and de-Flashed
tinymce along with a roundcubemail build patched to use a system-wide
tinymce on my own server and check that it works okay that way. If it
does, I'll submit that combination to all Fedora releases.

I suspect many other packages on the list may be there because they're
bundling tinymce. In most cases, unbundling it ought to be trivial; it
seems like the 3.x series of tinymce maintained compatibility well, so I
think it shouldn't be a problem to use system-wide tinymce. But I'll
look into it some more tomorrow.

askbot is the only package right now using the systemwide tinymce. I'm
assuming ask.fp.o runs on EL, but I'm not sure. Any infra folks reading
this, would you be interested in checking ask.fp.o behaves sensibly with
de-Flashed tinymce 3.5.8? I don't think the Flash issue should matter at
all because it looks like askbot customizes the tinymce editor widget
somewhat and doesn't actually expose the media plugin _at all_. I don't
see why it wouldn't work with tinymce 3.5.8 - in fact it ought to work
better - but we should probably check.

Random note: patching minifed javascript is a giant fucking PITA, and we
can't edit the 'source' javascript for tinymce and re-minify it because
Fedora doesn't have yuicompressor -
https://bugzilla.redhat.com/show_bug.cgi?id=745515 . Sigh.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

More information about the devel mailing list