Hacker News new | past | comments | ask | show | jobs | submit login
Apple Is No Longer Bundling Flash Player With Mac OS X (daringfireball.net)
102 points by pmjordan on Oct 22, 2010 | hide | past | favorite | 83 comments



Let me tell you a little story from the inside…

So, when you build something as big and complex as an operating system, your single biggest enemy is: change. The more things change, the more you need to test and retest to be absolutely sure that those changes didn't have any unintended side-effects. This is why, in the process of reaching a GM build, the ability for groups to change components is gradually locked down. The final lock-down is GM, and this usually happens around 1 month before the first customers see the next OS. This time is needed to "prime the channel". That is: you need to press the disks, prepare the marketing material and the packaging, do all of the final validation testing, and start shipping the software to stores.

In the case of SnowLeopard, that meant that development was done, and GM was declared, in the 3rd week of July. SnowLeopard shipped on Aug. 28th. Know what happened between those two dates?

Flash Player v10.0.32.18 ships on July 30 with critical security fixes: http://www.adobe.com/support/security/bulletins/apsb09-10.ht...

Remember all the fuss? No? Here's a reminder: http://www.zdnet.com/blog/security/snow-leopard-ships-with-v...

In particular, people were incensed that installing SnowLeopard on top of their Leopard systems that already had an updated Flash player actually reverted to the vulnerable version. Why? Because Flash was part of the OS. It was part of the install package that gets laid down fresh, instead of being part of the user installed software that gets migrated from old to new OS. And because Adobe didn't get the Flash update to Apple before GM was declared.


This is also what Gruber wrote at the time: http://daringfireball.net/2009/09/flash_snow_leopard


Gruber has good sources ;)


A little birdie told me that Gruber may have heard it from a hamster. Animals, they talk when we listen to them. :)


If you buy Snow Leopard today, has the disc been updated with all the security updates since its release? If not, that would have the same issue, that you are vulnerable for the time between you install and when you run system update for the first time.

I don't really see how Flash is special here.


The difference as I see it is that Snow Leopard will get the security updates via Apple's Software Update program. You're on your own for updating flash player, or at best you get notified by Adobe that a new version of flash player is installed.

Apple can control or at least heavily influence the updates for Snow Leopard. It can't for flash.


The example given was that Apple shipped an out-of-date Flash player because a new version was released after RTM. They then presumably updated that immediately with System Update. My point is that the same thing can happen with the actual OS. You can install Snow Leopard with a vulnerability that has already been fixed in a point security release of Leopard. So is it really a good reason to stop shipping Flash?


Huh? How does Apple get a security update in its own software too late for GM?

Apple handles the SDL for its own security flaws internally. It tends to know where it stands with them. Apple cannot say the same thing about Flash; Adobe (as a simple matter of course) may have tens of queued vulnerabilities, with some arbitrary subset of them having actual fixes in the pipe. That's the nature of software security on large projects.

Apple can't wash its hands of Snow Leopard vulnerabilities, but it essentially can do that for 3rd party software like Flash.


>Huh? How does Apple get a security update in its own software too late for GM?

Apple ships plenty of GNU code. What if an exploit is released between RTM and the ship date? That's the kind of thing I am thinking of.

But I don't disagree that this is Apple saying "this is somebody else's problem now". I just wonder if that somebody is Adobe or the end-user.


Apple has responsibility over the GNU code they ship. They had responsibility over the Flash code they shipped. By not shipping Flash, they no longer need to take responsibility for it. That makes sense. Apple never should have been responsible for Flash. Flash is a huge project, and Apple is not in the loop on Flash security updates.


Apple has historically updated shipped copies of OSX. As new point releases come up, they do update the master copy of what gets shipped to stores. Not different at all to what Microsoft does with their OS releases and service packs.


This is spot on, IdeaHamster. I think the main question Apple asked itself is "why do we ship Flash with every Mac?". The answer is that back in the day when Flash was added, Adobe was a very good partner, and Flash was cool.

These days, Adobe is turning more an more into an enemy - even holding talks with arch-enemy Microsoft. So if you asked again - why do we ship Macs with Flash - the answer would be: We shouldn't. It should just be yet another plug-in that needs to be installed.

I think the bottom line is, there are good technical reasons, and there are good political reasons to dump Flash from the OS. It's about 50/50. Adobe has some power with Flash but it's standing on pretty shaky ground - videos work just as well in HTML5 which leaves Facebook games as the one application that really matters.


The problem is not whether the latest version shipped with the installation disc. It's how quickly it got put up on Software Update. Lots of products have downloadable updates on the day it appears. Flash should have been a required update within days of Adobe releasing the new version.

There would have been no story if the headline was "Snow Leopard requires Flash update on install." I seem to remember I got my Snow Leopard late and I still had to go straight to Adobe for my update.


I didn't think about the aspect of Flash updates. If Flash is no longer installed updated by Apple, I will have to download and install the Flash updates myself, or count on Adobe to handle updates. (Which judging from past experience with Adobe Flash player updates in Windows, might be suboptimal.)

Ultimately I would like to go no flash, and probably could today. I don't play flash games, so I won't have a problem there. Both YouTube and Vimeo, the two video sites I use most, have an HTML 5 version, so I don't even need flash for that.

Chances are if I uninstalled Flash today all I would miss are flash ads, and that would be a good thing, especially since getting rid of Flash closes another potential security hole.


You can install ClickToFlash to get a taste of it, so when you absolutely need to see some flash content, you can just click on it.

http://clicktoflash.com/

Actually I don't miss Flash at all except for one place: street view on Google Maps, which is done in Flash and I find it useful to take a look when I have to go in some place I don't know (it helps a lot being familiar with the surroundings once you are there).

Apart of that, I never enable Flash on other websites.


I would like to see clicktoflash pre-installed on Macs ;-)


Clicktoflash is the first thing I install on any new Mac - my own, or friend's. I find the internet unusable without Flash blocker.

Flash uses are as follows: - Ads. Nobody needs those, and I actually dread the day Flash dies, because then these annoying ads will be HTML5 and maybe not as easy to block anymore. - Games. I know lots of people who play nothing but Facebook games all day. - Video. Not an issue anymore as most content is available in HTML5.

If Apple finds an alternative solution for Flash games, they can kill Flash off completely. I don't feel like they're going there though, probably knowing that the day they try to kill Adobe will be the day Microsoft buys Adobe out.


Maps for iOS has a native implementation of Google Street View. It's much better than the desktop version, so I don't even use Flash for that.


Chrome actually ships with its own, integrated copy of Flash. Which, coupled with Chrome's automatic updates, should keep you nicely patched.


I'll have to try a performance comparison, but the native HTML 5 video only uses about 10-11% processor power on my MacBook, allowing me to run it on batteries longer. I doubt that even Chrome's integrated flash can provide that sort of performance.


That's true on my Macbook as well, but it's also a lot less stable for some reason. Flash plays perfectly fine, while HTML5 video on YouTube in Chrome will fairly frequently cause weird graphics glitches or freeze a tab. Works perfectly fine in Linux, so not sure what the deal is.


Battery usage is dependent on both cpu and gpu power draw. It's more complicated to determine what the overall difference is between html5 and flash power drain.


I would strongly doubt there'll be any difference in penetration in the short-term. You may not be able to think of common use cases, or any at all, off the top of the head, but over the course of a year, chances are you'll come across some interesting website or feature on the web that requires flash. And the barrier to viewing it (installing Flash yourself) is really not that high.

If you want to test it without actually uninstalling flash, just install ClickToFlash (for Safari) and you'll see many sites even use flash for non-dynamic things like buttons.


Quite a few sites use Flash sockets instead long-poll to maintain connections. Hypem.com is the first that comes to mind. Zed Shaw's Mongrel2 also features JSsockets [1] which uses a .swf for connection persistence as well. There's quite a few apps use Flash behind the scenes, and you won't notice it until it breaks.

[1] http://code.google.com/p/jssockets/


I've had FlashBlock on for quite some time now, and I haven't noticed any apps mysteriously breaking. So at the moment I'd count that as pro-Flash FUD. (yes, I do use a lot of online apps)


Some flash blocking plugins automatically allow flash applets that are very small (which are often used for sockets, etc).


Correct. ClickToFlash's default (AFAIK) setting is to allow 1x1 and 0x0 flash items to load in the background. At least, that's how I think it operates.

I block everything, and press command-control-f when a site doesn't work properly.


I don't think I'd call it FUD so much as a non-visible use of Flash.

HTML5 and jQuery audio players are another example that often discretely relies on Flash as a fallback.


Many sites use Flash to embed fonts as well.


I really haven't seen that. Font solutions such as Google Font Directory (http://code.google.com/webfonts), or Typekit (http://typekit.com/) are already better solutions compared to replacing text with flash.


It's not something that sticks out like a Flash video, so it's easy to miss. I use ClickToFlash so it sticks out for me.

I agree that those new font solutions are nice, but they're also just that, new.


ClickToFlash has a "Text Replacement" setting in its preferences to automatically load Flash used for fonts.


Or even better, it lets you suppress sIFR. Note to web developers: if you need to enable custom fonts on your website, nowadays there exists better non-flash alternatives to sIFR, e.g. Cufón and Typekit.


Apple doesn't want to spend their time on any other platform's maintenance, make sense.


OK. So, shouldn't Apple remove perl, php, ruby, apache, and every other 3rd party software that it currently ships with since I'm sure Apple doesn't want to spend time maintaining those either.

Curious mind wants to know, why just Flash and Java?


How about because all those you list don't have user interface ties. Maybe because all those you list aren't heavily used by the majority where an outdated or exploit-prone version would matter. People who do use the examples you listed often install their own versions because the Apple versions are out of date.


Very good point there! Speaking of exploits - both Java and Flash run in the browser and are therefore susceptible to web based drive by attacks. None of the other technologies are exposed to the outside world.


To the extent that Apple depends on (say) Ruby, then they own the system ruby and have a responsibility to keep it up to date. So, for instance, when someone finds an Apache flaw, Apple has to bundle a security update for it, and may even have to alter ship dates to account for it.

To the extent that Apple can decide that it does not depend on, say, Flash, then it makes sense for them to not to ship it. If they ship it, they own it, they have to fix it. If they don't ship it, they don't own it, and the vendor has to fix it. Which, in Adobe's case, makes perfect sense; Adobe's security flaws should not be Apple's problem if they don't have to be.


Apple can't fix bugs in Flash.


Darwin is a decent UNIX-like operating system underpinning OS X. The inclusion of standard open source packages like the ones you mentioned increase the utility of the system for the extremely valuable minority of OS X users who happen to be programmers with barely any far-reaching implications for the vast majority who never touch them.


That's a weird way to put it. OS X is certified Unix (capital U).


Some folks consider OS X Unix-like in the same way that we consider Linux Unix-like. It's not strictly speaking exactly equivalent to the original Unix, but it walks like a duck, and talks like a duck, so it's pretty much a duck.


The parent's point is that OS X has Unix certification. It's not just Unix-like, but according to The Open Group (IIRC), it is Unix.


I understood that. But just because Some Folks Use Capital Letters doesn't really mean much. ;)


Look at it the other way. Why should Apple ship software it can't take responsibility for? Does Silverlight come bundled on Snow Leopard?


Ubuntu and just about any Gnu/Linux distribution haven't been bundling the Flash player for years, nice to see Apple doing the same.


Neither has Microsoft. I know people are interested in anything that has to do with Apple, but I'm still attempting to determine what makes this newsworthy.


Apple is not interested in advancing "Free Software", so this has nothing to do with that.


The first thing that crossed my mind was: "Apple wants to force Adobe Flash into the Mac App Store".

Now, the current App Store terms of service seem to preclude the distribution of plugins like Flash. But let's pretend, just for a minute, that they didn't. Apple would see the following advantages to having the Flash plugin on the App Store:

1) No need to worry about syncing Flash updates to OS X updates. No more risk of shipping an "outdated" version of Flash like happened with 10.6.4 back in the summer.

2) There is a visible, user friendly update stream (that is separate from the OS update stream.) This should enable users to easily always be using the latest version.

3) Apple can wield the hammer (as hard or as soft as it chooses) against bugs in the plugin--that's part of the terms of service in App Store. It makes it easy to push back on Adobe when they find bugs during the review process (even if the bugs they "find" are bugs that were known from previous releases.)

And, who knows? Now that Safari 5 has an official plugin mechanism, perhaps the App Store will open up for Safari plugins in the not too distant future.


I was thinking the same thing although current app store rules would seem to disallow installing something like flash and Java. I really hope that Apple does end going this way and let 3rd parties manage their libraries in this manner.


It really does make sense to move non Apple stuff out of the system updater, and into the app store updater. Flash and Java being the two main items.

OTOH, it would make even more sense to wait until the app store exists.


Would Flash and/or Java even pass muster for admittance into the OS X AppStore?


They would not. No plugins, no system infrastructure, not even System Preferences panes, just single-package apps.


Rightly or wrongly, I think the truth is probably closer to: "Apple wants to force Adobe Flash into the Trash"


1st, what made macs awesome is how well they target multiple platforms. having access to apple, linux and windows user on one device was awesome.

2nd, chrome and firefox will still auto download flash, so really what this does is it makes safari users act like IE users in that they won't have all of the plugins.

it seems that apple is doing this so they rapidly iterate for Mac OS (next) without vendor support. sounds like apple is getting quite before something big in the next OS.


Apple is all about rapid iteration. With the iOS, they're moving at lightning speed. Perhaps they want to achieve the same on Mac OS. Steve Jobs has called Java a "ball and a chain" years ago, so this is not too surprising. Strategically, Apple doesn't care about cross-platform technologies because per definition they don't take advantage of platform innovations. See Job's Flash-on-iOS open letter. Nobody say Apple is not consistent in their strategy and vision - in fact, I've never seen such a razor sharp focus in a company that size.


This is where "You need Flash to view this. Get it [here]" comes in.

Non-technical users aren't going to manually install Flash if all they're presented with is a blank space. Luckily for Abobe they only need to see the former once.


The platform provider should always be responsible for installation/upkeep whenever possible. In retrospect it seems a bit odd that OSX ever included Flash in the first place. Adding that extra distribution layer may give the user the illusion that Apple is responsible for keeping Flash updated. No one wants that responsibility. Not even Adobe. As far as I can tell the only way to keep Flash updated is to check Adobe's website every so often. I didn't hear a peep from Apple or Adobe about 10.1 being released. No automatic update here.


If Apple's serious about being anti-Flash, this is another way, over time, to reduce the overall number of copies of Flash in the world (they say there are 50M active Mac OS X users), if everyone has to download it first.

In fact, if they just drop the percentage of pre-installed Flash engines from 95% to 90% to 85% to 80%, etc., then the Flash ubiquity argument falls apart, and further hastens the decline of its influence.

(Personally, I'm all for it. I just see Flash as Adobe's cynical attempt to create an alternative (and lousy) operating system that runs on all the existing systems.)


I really don't think it's a big deal. If people need flash they'll make sure they have it. This just throws the responsibility to the user. It's reasonable for apple to do this, but looks/sounds a little over the top.


This is potentially a step backward for security. Apple had the right idea of providing Flash and Java through the System Updates mechanism. They have just historically failed to be timely with security updates.

Putting security updates in the hands of users is a recipe for no security.


Look, people. This move was done because Apple totally has your best interests at heart and is absolutely not in any way any sort of anti-competitive thing, because Apple simply doesn't have any sort of Flash-competitor.

http://en.wikipedia.org/wiki/Gianduia_%28software_framework%...

It was done because Apple loves you and wants to protect you, like a soft warm blanket over your head, pressing down tightly.


Pardon me pointing out the difference between a plug-in and a web framework. Believe you me, this is a headache, but you have the right to your own opinion, not your own facts.


You probably ought to google "rich internet apps" to achieve a slightly greater level of understanding before commenting.


Apple's Flash competitor which it is engaging in anticompetitive practices to force on people is standard HTML, CSS and JavaScript? That's not exactly anticompetitive, given that those are not proprietary Apple technologies.

Also, Apple has several more of these "Flash competitor" frameworks. There's at least SproutCore and PastryKit, and I think a few in addition to those.


Apple's Flash competitor is iOS, which normally requires fewer hardware resources, but doesn't run on anything other than Apple hardware. Among the advantages for Apple are better developer lock-in, better access to user data and stronger branding.


This seems to confirm an interesting and decisive change of strategy from Apple, and totally parallels the Java decision very closely. If you put these three things together:

1) Deprecate Java on Macs

2) Deprecate Flash on Macs

3) Deprecate all non-Apple-controlled apps on Macs by introducing the store

If you put the three together it shows a strong and coordinated move to start reigning in free development on Macs and move it to a model where Apple totally controls the experience.


I think, in order to have a compelling argument here, you'll also need to include:

4) Deprecate Safari on Macs

5) Deprecate Terminal.app on Macs

6) Deprecate XCode.mpkg from Mac OS install media

But you won't, because you're trying to fit facts to a theory, rather than the other way around.


> 3) Deprecate all non-Apple-controlled apps on Macs by introducing the store

Seriously? Providing an additional distribution platform declares that "non-Apple-controlled" software is DEPRECATED?

Yarr.


You don't think that once established, the Apple software store will quickly become the preferred way to distribute software on the Mac? Any time a platform owner gives their official blessing to 3rd party software it gives a huge plus to that software. Hence why we have all kinds of Microsoft certification etc. you can do to have your app blessed.

"Deprecated" may seem a little strong, but they are Job's own words that he used to simply describe the fact that Java will be provided by a third party:

http://developer.apple.com/library/mac/#releasenotes/Java/Ja...


I know people give Jobs credit for just about anything Apple does, but come on, he is not writing the release notes for minor OS releases. And what that release note says is that Apple's JVM is deprecated. Not even Apple is bold enough to deprecate an entire third-party programming language.


I think you're grasping, here. Apple is deprecating poor user experiences on their platform.


That's exactly what I said (!)

I just don't make the assumption that all Apple's choices === good user experience.


Adobe and Oracle are gaining control over Java and Flash, two things that previously Apple controlled themselves. The app store isn't replacing the ability to install application on your own, it's just another option to purchase and install apps in a way that may be more familiar and user friendly for those who use Apple's phones. This seems more like Apple reducing their control over the user experience.


In what ways did Apple control Sun or Adobe more than Oracle or... Adobe? What do you mean?


Currently, Apple controls the Java implementation for OS X. In the future they will not. Currently Apple controls what version of Flash ships with OS X. In the future they will not. The OP asserts that these changes will increase Apple's control over the user experience. To me, it looks like with these changes Apple is actually giving up control over some things.


Sorry, I think I read your earlier statement backwards. Thanks for the clarification.


I wish Apple would stop with these games and just do what's best for the consumer. Unless you can explain why it made sense to include Flash last week and it doesn't today.

OTOH it would make sense to move Flash to the OS X App Store when that is released, so that Adobe could manage their own updates. We'll see if that is an option, and it would be nice if Apple had waited until the App Store existed. Instead Adobe will need to have its own updater for Flash, right when Apple is coming out with a centralized update system. How dumb is that?


> just do what's best for the consumer

Apple got caught shipping a Flash player with known security vulnerabilities, that's not good for "the consumer". They also claim that half the reported OS X crashes are due to Flash - which seem exaggerated, but if true, also bad for "the consumer".


Honestly I don't think it's an exaggeration, even if technically I think they were talking about Safari crashes. Flash has crashed my Safari more times than I can excuse as 'these things happen'.


And now Flash won't be included in the system updater, so now way more people are going to be running back-level versions. Bet that will really help with the crashing and security issues.

This is exactly the reason Chrome moved to shipping with Flash included, and why Firefox now checks the flash version when it starts up. Apple is going backwards on this.


This is exactly the reason Chrome moved to shipping with Flash included

No, Chrome ships with Flash because it is in Google's competitive interests to do so both as a browser vendor and advertiser.


Unless you can explain why it made sense to include Flash last week and it doesn't today.

You may have noticed that Apple cleaned house on Wednesday. They announced the Mac app store, deprecated Java (and listed deprecated-Java as a disqualification to get into the app store), and shipped significant new hardware which offered a clean break on the software configuration, including the end of Flash as default kit.

There's no provision in the app store as currently defined to carry anything except self-contained single-package application bundles, so no, you won't see Flash or any other plugins carried there in the foreseeable future.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: