Okay, i used your link and pulled up a 12 page document. I can't get to the mythical page 36
Well, I don't know what to tell you. I have 2 PCs and a Mac, and all three of them bring up a 97-page PDF. Here's that link one more time, with feeling: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
As for browser vulnerability counts, that's a red herring. We're talking about Flash. Why are you attempting to misdirect me to a discussion about browsers.
Why? Because it's all relative. It sounds to me like you're arguing Flash has poor security and other alternatives (e.g. HTML 5) are better... in which case you have to actually compare Flash to those alternatives in order to justify the statement that they're better.
Bloated in comparison to properly written code
The Flash-based apps currently in the app store don't seem much different in size from native ones. Fickleblox and Chroma Circuit are both ~8 MB. Compare that to native iPhone apps like Solitaire (8 MB), Mini Touch Golf (17 MB), Froggy Jump (9 MB), Bejeweled 2 (10 MB)... they blend right in. And if you're making claims about battery or CPU usage, please actually cite some sources?
Regarding Steve Jobs's famous anti-Flash rant, I think we'll just have to agree to disagree on its merits. I'm not really interested in having a long drawn-out debate over it in this thread, which has been mostly focused on security. Although I can't help but respond to this egregious one:
Again, you make a grand statement and couple it with a misdirection. I don't see where in Thoughts on Flash he says it ships with a fast HTML implementation.
Fifth paragraph: "Apple has adopted HTML5, CSS and JavaScript – all open standards. Apple’s mobile devices all ship with high performance, low power implementations of these open standards." (emphasis added)
I will also concede, however, that he doesn't outright state quite everything I discussed. He says things of the form 'Flash is bad; HTML+JS is good. Flash is bad because it has rollovers; [unspoken implication: HTML+JS is good because it doesn't].' But this is actually a little weasely: the argument is missing its justification unless you assume he also meant the implied part, but I'm apparently not allowed to argue against the implied part because he didn't explicitly state it.
You DIDN'T quote anything out of the report.
All the numbers I cited are straight out of the report. Please read it if you don't believe me: the browser vulnerability counts are on page 36, the browser bug fix lead times are on page 38, and the plugin vulnerability counts are on page 41.
that somehow gives it a free pass for its vulnerabilities, bloated and buggy implementation by Adobe
But see, you're arguing something that's not supported by the data. The study shows that Flash is actually less buggy than any browser security-hole-wise, often by a long shot. Now you could argue that because Flash is far more ubiquitous than any one browser, it should rise to a higher standard of excellence: i.e. it's not enough to have 6x fewer holes than Safari when it has 10-20x more users. But if you want to claim Flash is somehow more flawed than browsers, you should really be citing different numbers.
Btw, you keep saying "bloatware," but... Flash is only a 2.5/7.4 MB download (Win/Mac). Meanwhile Safari is 30 MB, Chrome is 7.3 MB, Firefox is 7.7 MB, QuickTime is > 30 MB. So, bloated in comparison to what exactly?
"what are you proposing as an alternative?"
- I propose Adobe pull their head out of their asses and release a quality product or they should STFU and enjoy their slide into oblivion. I was simply quoting part of the recommendation from Symantec to refute your Flash vs browser vulnerabilities shell game. Perhaps you should ask Symantec what they propose as an alternative since it was their quote.
Symantec's quote treats Flash and JavaScript the same, but you're using it to argue that HTML+JS is better than Flash. I don't understand how the quote backs up your argument.
"Apple has said a lot of disingenuous and/or outright false things about Flash lately"
- Name them please. Jobs mail was right on the money.
Sigh... well, for starters: he lectures Adobe about openness while pushing an unprecedentedly closed platform. He talks about openness but pushes H.264. He lectures Adobe about Cocoa support when major Apple software like Final Cut Pro and iTunes are still Carbon. He claims rollovers only exist in Flash and not in HTML+JS sites. He claims Flash doesn't support touch when in fact 10.1 supports it better than the HTML 5 draft. He implies anything conceived originally for desktops is hopeless on mobile (which is preposterous... HTML anyone? Safari? most casual games?). He claims iPhone ships with a fast HTML 5 implementation, when it's actually slower than other smartphones and much slower than Flash.
And perhaps most importantly: he claims cross-platform technologies ruin app quality, which totally undermines the notion that he truly embraces HTML 5. HTML is just about the biggest cross-platform technology out there.
Actually NO they don't. They have a slow, processor spiking, battery eating implementation of it, which is exactly my point
If you'll read my post again you'll notice I cited sources that quantitatively refute both your slowness and battery use claims. So if you're going to argue, you should either cite different numbers or explain why these numbers don't support my claims.
Actually your meme is more of a meme than a fact. According to the April 2010 Symantec Internet Security Report ( http://www4.symantec.com/Vrt/wl?tu_id=Lfsd1271711507050126203 ) the number 2 attacked vulnerability in 2009 was in Adobe products.
I don't think accurately quoting statistics straight out of a core part of the report is "misrepresenting" it. You're now citing statistics that measure something different, and it's reasonable to disagree about which figures imply what, however.
Which I do: you could argue that number of vulnerabilities is a function of the quality of the product, while the popularity of exploiting any given vulnerability is more a function of the ubiquity of the product. So while Safari had about 6x more vulnerabilities than Flash in 2009, it also had only 5% market share vs. 99% for Flash. Which is the more attractive target?
Another quote from the report was "Browser security features and add-ons should be employed wherever possible to disable JavaScript(TM), Adobe Flash Player . . . ".
So if you disable both JavaScript and Flash, as they recommend... what are you proposing as an alternative? Do you think the HTML video tag can replace everything DHTML/JS and Flash do today?
And regarding buggy, I'll take Microsoft and Apple's word on Adobe Flash's effect on their browser/OS.
I don't know what MS has said about this (link?), but Apple has said a lot of disingenuous and/or outright false things about Flash lately, so I'm not inclined to trust their word, especially when no one else has access to the data to back it up.
It's been 3 years since the iPhone intro and Adobe still does not have a Flash runtime to show that runs fast, doesn't drain batter, etc.
Actually, yes they do. It is fast enough to outperform HTML 5, especially on mobile, and the unoptimized beta only drains the battery 5-15% faster than equivalent HTML content (while delivering up to 4x the framerate).
99% of Internet-connected computers isn't internet connected machines. Not all phones have flash and new devices are constantly coming out. There is no way your company can support them all compared to html+javscript.
Mobile currently accounts for an extremely tiny share of overall Internet traffic. One study suggests iPad, iPhone, and iPod Touch combined are < 1%. I'll take 99% over that any day. (The market is shifting, of course, but so is Flash's availability on mobile devices).
Flash doesn't support screen readers "just fine", it supports two, are you really trying to say it supports more then html. What a joke.
You're comparing apples to oranges -- I'm not talking about static text here. Your statement is like saying Firefox is a dog because Lynx renders
Yes it does. Almost every typical flash file is over 1 Meg and makes the user wait before they can do anything else on the web.
Care to back that figure up?
To take just one simple counterexample: I load nytimes.com and watch the traffic with a proxy. There are multiple Flash ads plus a Flash video player on the page. Total Flash content downloaded: 163 KB. And no preloaders to be seen anywhere.
Except they don't because most developers use Swfdec and a video using html5 would work 100% with or without javascript.
I'm not sure what your point you're making here... with JavaScript disabled, you can still watch Flash video. You can probably also still watch HTML 5 video, though it depends on whether the playback controls are implemented by the browser or using JS (both are possible). So, what's the difference?
For someone who works at Adobe you don't seem to know that actionscript is ECMAscript with stuff on top. How can it be superior when it's the same language.
You might want to do a little more research. JavaScript is based on ECMAScript 3, while ActionScript is based on the much more recent ECMAScript 4 effort. This means AS has more in common with Java than it does with JS, including: strong typing, true OOP, public/private scoping, package scoping, generic lists, and annotations. JS is borderline a toy language in comparison.
You're experience in clusterfuck jobs using non standard tools means nothing.
There is a huge movement behind HTML5 and jQuery.
YouTube, Vimeo are switching to HTML 5.
iPhone developers use HTML+javascript to develop their apps on iPhone and everything is being standardised around this.
Show me one major, popular iPhone app that is HTML rather than a native iPhone-only app. Apple has done a great job talking the talk about HTML 5, but until a solid chunk of major iPhone apps actually use it, they're not walking the walk. (And why should they? It would hurt their hardware sales).
Over a million flash developers compared to how many html+javascript developers? You're the minority and the only customers you have are fanbois whose skills are as dead in the water as pascal developers.
I'm not claiming there are more Flash developers than HTML developers. My point is only that there are good reasons why so many people continue to make a living creating Flash content -- it offers productivity and expressivity advantages that I just don't see a glimmer of in HTML today.
The point I was trying to make is that, from a pragmatic standpoint, it doesn't matter to your average website author whether something is open-source or not. Whether it's well-maintained is far more important -- because you're really, really unlikely to do the maintaining yourself in practice.
To make an analogy: I think of this as sort of Obama-style pragmatism vs. a Nader-style insistence on ideological purity (or insert your own preferred politicians).
No, not at all -- I'm probably a 4 on that scale, but I did my fact-checking. Gnash (an alternative Flash player) has been around forever and I've never heard of it being legally threatened by Adobe. And to the extent that "words posted on a corporate website" constitute the license for a spec you've just downloaded... they're not just words, they're a contract the company is legally bound to honor.
Also, I think it's important to look at motivation. Adobe profits from tools (which create Flash content, JPEG images, etc.). Anything that broadens the reach of the content produced by those tools is a win. Contrast this to Apple, who makes money off of hardware and thus wins when content is only available on their platform... giving them a vested interest against cross-platform efforts like Flash and HTML 5.
Although ActionScript and JavaScript share the same roots, AS is based off of a newer version of ECMAScript, making it a far more complete language than JS. It has strong typing, true OOP with well-defined classes, package scoping, public/private scoping, rich RTTI, metadata (akin to Java 5 annotations), generic lists, built-in E4X, etc. etc... Yes, there is a contingent that thinks strong typing and the like is just a lot of overhead... but for any sort of serious app development you really can't live without it.
Think of it from Apple's perspective. You dump a few million into doing something cool for the iPhone
The opposite way to look at it would be this: Every app has to be recompiled for it to work. So -- there are 100,000 apps in the app store, and every single one of those developers has to get off their butt, recompile, submit a new version, wait for it to get approved, and then convince all their customers to download the upgrade. It'd take forever for the benefits to truly add up for any given user. But, if many of those apps were Flash-based, then you might just need to update a single app (the Flash runtime) to take advantage of all those compiled-in savings.
They've had so many security holes over the past few years I hated installing Flash or Reader on anything.
According to Symantec, Flash and Acrobat are actually more secure than your browser: the two combined had fewer vulnerabilities than Safari, or Chrome, Firefox, or IE. Also fewer than QuickTime or Java.
There were times it took Adobe months to release critical security fixes and the only reason they didn't do it sooner was because they were too fat and lazy.
Care to cite a source? I don't remember reading any reports recently about Flash zero-day exploits. Which is less than you can say for most browsers.
(And as an aside: the Symantec report above also says that Apple took on average 13x longer than other browser vendors to patch their security holes...)
Point is, any computer exposed to the Internet is at risk, and no vendor can claim the high ground here.
So you're saying the only two platforms that matter are Apple's and... Apple's? That's not a very 'open' perspective. (Although I'm sure Apple would love for people to conceptualize the HTML RIA landscape that way).
If you look at Firefox, Safari, Chrome, and IE (which is still > 50% of the market), the APIs vary dramatically.
the problems are as follows. 1) My security attack surface just doubled. I have bugs in the browser, bugs in the player, and interactions between the two.
If you stuff all the same functionality as Flash into the core browser (which is what HTML 5 will have to do to eliminate Flash), your attack surface also just doubled, since the browser codebase doubled. If anything, isolating the rich runtime stuff in Flash gives you more security, in browsers like Chrome that run the browser and the plugin in two separate processes.
2) If I am a new hardware manufacturer, I don't get the full Internet till adobe supports my platform. 3) Adobe could give me a crap implimentation (or none) and there is nothing I can do about it.
The point of Adobe's "Open Screen Project" is to obviate those issues. If you are a new hardware manufacturer, you have complete freedom to port Flash to your platform yourself -- either using the newly-opened Flash porting layer to leverage Adobe's existing implementation, or using the openly-published SWF/FLV specs to create your own implementation from scratch.
With your bare hands?!?
