back to article Mozilla's Flash-killer 'Shumway' appears in Firefox nightlies

In November 2012 the Mozilla Foundation announced “Project Shumway”, an effort to create a “web-native runtime implementation of the SWF file format.” Two-and-a-bit years, and a colossal number of Flash bugs later, Shumway has achieved an important milestone by appearing in a Firefox nightly, a step that suggests it's getting …

  1. phil dude
    Meh

    welcome with caution...

    Whilst it is welcome to have an opensource variant of the Beast-that-must-die plugin from Adobe, Mozilla had better make it OPTIONAL. i.e Only run when told to.

    The less code from the outside world that runs on the desktop , the better...

    P.

    1. Electron Shepherd

      Re: welcome with caution...

      Indeed. Replacing a bug-ridden piece of software with a re-write that achieves the same thing is rarely bug-free itself.

      Firefox itself has several critical vulnerabilities for every release* - it would be naïve to assume that Shumay will be any better.

      * Citation: Security Advisories for Firefox

    2. big_D

      Re: welcome with caution...

      On the other hand, I have removed Flash from my machines and I haven't noticed the difference, for the sites I visit regularly.

      1. phuzz Silver badge

        Re: welcome with caution...

        I've been trying to stop using flash, but so far the HTML5 version of Youtube just doesn't work as well. About 1 in 5 videos get stuck halfway through and won't play further no matter how many times I reload the page, or change the resolution.

        Youtube and iPlayer are about the only sites I've found a need for Flash though.

        1. Captain Scarlet

          Re: welcome with caution...

          I tend to find Youtube ignores the fact I have told it to use HTML5. Plays a few then goes back to Flash.

          I haven't really been that bothered to try anything other than go back to the selection page and re-click HTML5.

          1. illiad

            Re: welcome with caution...

            yup, just like it did years ago... there are too many out there who **hate** the new FF, and 'palemoon' does not do adblock, so many will not touch it...

            1. Ali 4

              Re: welcome with caution...

              >> 'palemoon' does not do adblock, so many will not touch it...

              Sorry but you're wrong. https://addons.palemoon.org/extensions/privacy-and-security/adblock-latitude/

  2. as2003

    Flash was a workaround made for a bygone era. We don't need it now, and seeking to prolong its demise just seems cruel.

    Joking aside, flash is an accessibility nightmare, it's a security nightmare, it's a nightmare for web crawlers and website indexers and it's a nightmare for underpowered computers. Project Shumway only solves one of these problems.

    1. Mark 85

      "Project Shumway only solves one of these problems."

      At this point, one of three is a good start. Maybe we need to shoot the developers who continue to use it? Maybe work on killing JavaScript next...?

      1. Anonymous Coward
        Anonymous Coward

        I wish they would replace Javascript, not kill it. You have all these major browser companies for ever competing for increasing the speed of JS, but it in itself is a race amongst browsers. They could all just agree on adopting Python or something similar. It's not that I don't like Javascript, it's that I don't like that different browsers will perform differently with it.

        Remember how the implementation of .css and .html was a race to meet conformity amongst browsers, it's like that with Javascript. Of course I just wish they would replace it, I don't feel it's required because after all it does work. I just get this feeling from time to time that JS performance is being used as leverage for 1 browser to use against others, which just really needs to stop. In the end, regardless of funding, the browser that uses the least amount of data mining *should* win regardless of JS support...should.

        1. Anonymous Coward
          Anonymous Coward

          I strongly suspect we're caught between Scylla and Charybdis here. The primary reason we need JavaScript is the need to run some code client-side. However, the primary vulnerability JavaScript has is that it runs code client-side. I strongly suspect that switching to another language won't help to close that fundamental vulnerability. And much as some web-Luddites would like us to go back to the dumb Web of all-server-side work, the popularity of things like Facebook tells me that boat left long ago, so we might as well live with it. Same with data mining. To block that would be to pretty much abandon the same stuff that's so popular.

          1. a_yank_lurker

            Any client side code is a risk; the language chosen will either minimize or magnify the risk. This assumes best practices by the dev,

          2. M. Poolman

            Scylla and Charybdis

            That's a bit high-brow for a red top news site!

          3. Frumious Bandersnatch

            re: Scylla and Charybdis

            Not a response to your post, AC, (though I agree), just a comment to say that this particular classical reference seems to be cropping up in the register quite a lot recently. Or maybe I've just got a case of Baader-Meinhof syndrome...

            site:forums.theregister.co.uk scylla charybdis (151 hits)

            1. Anonymous Coward
              Anonymous Coward

              Re: re: Scylla and Charybdis

              Would you rather I used "between a rock and a hard place" or "between the Devil and the Deep Blue Sea"? I like Scylla and Charybdis because I've read Homer's Odyssey and recognized the origin of the terms (plus we each have our Shout-Outs--Sci-Fi and classical literature seem to be favourites). A lot of the problems in the computing world today are becoming intractable: where trying to solve it simply slides you down the scale to the other undesirable end with no third option available. So either we drop the stuff that makes the Web so much fun or we shrug and realize we can be pwned with the next web page. Sure, we can try to mitigate things as best we can, but eventually they'll intersect: say a drive-by on a popular site that requires the use of JS to operate.

          4. JLV
            Thumb Up

            >Scylla and Charybdis

            Can I upvote you twice for inserting a lot of common sense?

            The problem is basically running code on your machine that comes from potentially untrusted sources anywhere. Moving to a different language will not change that. For all JS's supposed security failings, it shines brightly when compared to Java applets, Flash, ActiveX, etc... Think especially about Java in this context - this is a language that used to be marketed as security-first ;-)

            Keep Javascript where it belongs - heavily sandboxed and untrusted.

            Much as I like Python, and that is a lot, the very last thing I want executing in my browser is a language that is so OS-savvy that I am only now getting around to learning bash because Python covered most of my system needs on Windows.

            Plus, I suspect a good deal of the Javascript doubters are in the compile vs dynamic camp. Would a true compile language work on browsers? Would it be desirable, again for security reasons? I agree there are a bunch of design fails in JS. Still it is not without elegance and not a bad result for something that was designed in a few weeks/months by one guy mostly. Use something like jquery or d3 and you can see that whatever the language's shortcomings, clever programmers (not claiming me) did really spiffy things with it. It's just hard to use it well and it suffers from a partial demographic of incompetent coders, unlike say C++.

            Me? I'd wish for a Javascript 2.0 with the nastiest gotchas removed, proper modules natively, and a much lesser tendency for silent errors. But we all know that backward compatibility will preclude too much cleanup. Python 3x is still lagging 2x and that is both with a quite limited set of breaking changes and a focus on running code locally.

            1. sabroni Silver badge

              Re: and a much lesser tendency for silent errors.

              While I understand your concern, javascript's desire to keep on running when things go a bit wrong is one of the things that makes it so usable in the browser. Sometimes I go to the console on a site that I'm allowing to run js and there are tons of exceptions listed there, none of which are interfering with the 'correct' operation of the site from my perspective.

            2. Anonymous Coward
              Anonymous Coward

              Re: >Scylla and Charybdis

              Sure, a compiled language could work in-browser. JavaScript ~7.0 (ecmascript really) is heading in that direction... shifting from prototype OO to classes, support for static variable types, etc.

              I was hopeful about it a few years ago, and I've done a lot with JS, but there's too much inertia. Maybe in 10 years it'll be halfway there. In that case, I don't want to still be developing for this platform.

            3. Charles 9

              Re: >Scylla and Charybdis

              "Keep Javascript where it belongs - heavily sandboxed and untrusted."

              Recall that one of Java's selling points was the sandbox memory model. Until someone developed the sandbox escape exploit...

        2. a_yank_lurker

          The problem with JS is it is not a particularly well designed language. It would be nice if it could/would be replaced by a better designed language such as Python or Ruby. The alternative is to use Coffeescript or Dart and "compile" to JS.

          1. sabroni Silver badge
            Thumb Up

            Re: The problem with JS is it is not a particularly well designed language.

            And annoyingly it's a lot better than a lot of the 'well designed' ones... (once you learn which chunks of it to avoid.)

  3. Anonymous Coward
    Anonymous Coward

    BBC

    They want Flash Player to view videos.

    I won't be watching...

    1. Phuq Witt

      Re: BBC

      "...I won't be watching..."

      I will. Who needs Flash to enjoy what your licence fee paid for —either to watch or to download from iPlayer, anyway?*.

      [*OSX-flavoured references, but similar alternatives for other OSes exist]

      1. paulf
        Alert

        Re: BBC

        Video clips on the BBC News website do demand Flash to work (on a desktop browser) and generally aren't available in BBC iPlayer.

        The BBC have the technology for non-Flash video on their website as the BBC News website plays nicely (in Desktop mode) with Flash Free mobile Safari on the jPhone. This is what they need to fix IMO.

  4. McHack

    Also on Linux

    For now, Shumay also works only on Windows Vista or later versions of Windows, and OSX.

    Works on at least some Linux. Debian links to it on their Flash page, click to download add-on.

    https://wiki.debian.org/Flash

    http://mozilla.github.io/shumway/extension/firefox/shumway.xpi

    My experience with Flash first and then Shumway installed, Shumway tries it first. There's an upper-right "Shumway" red box on the Flash. If Shumway doesn't do it for you, either click the little box away or right-click + "Reload in Adobe Flash Player", same effect.

    1. Simon Sharwood, Reg APAC Editor (Written by Reg staff)

      Re: Also on Linux

      You're right but so am I! I'll amend the story so it makes it plain that the Firefix nightlies only run on certain Windows and OSX.

  5. Anonymous Coward
    Anonymous Coward

    Better to just remove flash

    I never miss flash when I visit sites on my iPhone, so hard to imagine I will miss it on my desktop. When I get Fedora 21 installed I'm planning on leaving the flash plugin out and seeing how it goes. I have a feeling I won't miss much since most sites that do video can do h.264 even if too many still default to flash when it is available...

  6. Sebastian A

    So which is it?

    Shumay or Shumway?

    1. McHack

      Re: So which is it?

      Shumway. I think it was named after Gordon...

      1. Eddy Ito

        Re: So which is it?

        Well it's certainly alien. Maybe it will be the savior of the universe?

        Nah, the savior will rightly be called Ming and Flash will truly be dead. Wait, no Ming the Merciless icon?

    2. Muckminded
      Joke

      Re: So which is it?

      "There must be Shumway out of here," said the joker to the thief.

  7. Sarah Balfour
    WTF?

    I thought that HTML5

    Was meant to kill off Flash…? Why do we need summat that plays SWF files now…? Me no understandee. Someone explain for the hard-of-thinking (it IS only 07:10, and I've not topped up my blood caffeine yet!).

    1. big_D

      Re: I thought that HTML5

      Because some web developers learnt Flash and haven't learnt HTML5, JS and CSS properly, so it is still quicker and easier for them to develop using Flash... Plus legacy sites.

      Now that YouTube has dropped the requirement for Flash on the desktop, we might start to see a move away - although I noticed that the BBC site is displaying photos instead of video with "Flash is required" superimposed. Luckily I rarely play the videos on the BBC website, I just read the stories.

      1. albaleo

        Re: I thought that HTML5

        "...and haven't learnt HTML5, JS and CSS properly..."

        That made me smile. I'm one of those that is currently trying to move applications from Flash to html/javascript. It's a bloody nightmare. Once upon a time, I used to make desktop applications. But then clients wanted things in the browser. So Flash, using the Flex framework, seemed a good way to do this, and it generally was.

        But it appears I have sinned in forcing the satanic Flash plugin on users, and my penance is to do it all again in html/javascript, knowing that others will view this as almost as big a sin. I can say with certainty that I haven't learned to do this "properly". If there is indeed a "proper" way to develop applications in html/javascript, please show me the way. So far, I've learned that it involves a lot of this and that.

        1. Anonymous Coward
          Anonymous Coward

          Re: I thought that HTML5

          Good for you, for attempting.

          I know devs who know enough HTML to copy and paste the demo code produced in Flash into an HTML document to load their Flash objects!

          They are writing for Motorola ARM based Windows Mobile 6 scanners, running RDP to a Terminal Server and IE with a Flash object for touch friendly use...

        2. Lallabalalla

          Re: I thought that HTML5

          There is definitely a right way and a wrong way, but after 2.5 years of it I still haven't got it all down perfect - every day is a schoolday as they say.

          There's a right way to do Javascript IMO but there's more than one right way. Ditto HTML5 and CSS. I prefer to do as little HTML and CSS as possible, and do everything else on the Canvas using Javascript in a strictly O-O way. But that's just me and the people I work with.

      2. Lallabalalla
        Boffin

        Re: I thought that HTML5

        Despite all the razzmatazz, getting HTML5 to do everything Flash can do - at a reasonable framerate (24 and above) - on a reasonable subset of devices (S4, S5, iPhone5, iPod Touch, iPad 4+ .... nobody doing HTML5 codes for *just* desktop) - is Quite Hard. Simple stuff, yes of course, but tens or hundreds-of-thousands-of-lines applications? Games, slot machines, anything properly interactive? Not easy, trust me. Much easier to knock out a swf. Apart from anything else it has built in support for loading all the assets gracefully, playing sounds RELIABLY,all sorts of stuff which you otherwise have to write yourself or use a 3rd party framework. And DON'T get me started on those. You're back to relying on other people and that might as well be Adobe as anyone.

        1. SilentLennie

          Re: I thought that HTML5

          Anyone serious about porting a large game as a webapplication uses WebGL.

          For example, you take your existing OpenGL C++ game engine and 'just' recompile it with Emscripten/LLVM to 'asm.js' and run that in the browser:

          https://www.youtube.com/watch?v=BV32Cs_CMqo

          (Mozilla and the game engine developers did that port in only 4 days !)

          But people have been using it for other things as well, how about porting emulators of old computers to asm.js/Javascript. For example to play old games:

          https://archive.org/stream/The_Hobbit_v1.0_1982_Melbourne_House/The_Hobbit_v1.0_1982_Melbourne_House.z80?module=spectrum

          They ported MESS which emulates a large number of devices:

          https://archive.org/details/consolelivingroom

          Or a DOS-emulator, so you can play 2400 old DOS games, like:

          https://archive.org/details/msdos_Wolfenstein_3D_1992

          If DOS works, you can make WIndows 3.1 work too, so they did, with Internet access:

          http://ascii.textfiles.com/archives/4546

    2. Dan 55 Silver badge

      Re: I thought that HTML5

      Ancient educational .swfs that aren't going to get rewritten.

      DataTables TableTools? (Although why it would need Flash to generate PDFs is beyond me if pdf.js works.)

      Um, can't think of anything else.

    3. Caspy7

      Re: I thought that HTML5

      Yes, HTML5 is now getting (and has gotten in many ways) to a place where it can replace the functions of Flash.

      However there are folks and companies still producing it - and much content already made in it that nobody wants to bother porting - but still frequently used (like games).

      In recent years the NPAPI version of Flash (the one Firefox uses) has been allowed by Adobe to languish. There have been longstanding issues unattended to and Adobe primarily issues updates when yet-another-exploit has been discovered. Their treatment of this version of Flash has genuinely hurt user experience in Firefox and Mozilla knows it.

      So beyond an overall better experience, security should be better, Firefox can finally detect which tab is playing sound (and mute it) and it's being built in web tech, so any browser maker can take and use it (like Opera did with PDF.js) - meaning that potentially Adobe can stop punishing us with their half-assed fixes.

    4. Michael Wojcik Silver badge

      Re: I thought that HTML5

      Why do we need summat that plays SWF files now…?

      As I've pointed out in the last N stories about Flash, it's hugely important for the existing corpus of electronic literature. No doubt it's still being used by some authors for new work, though even five years ago there was widespread acknowledgement that it was a dangerous medium.

      Take Homestuck, for example; while Andrew's transitioned to HTML 5 for later chapters, significant portions of the earlier material are still SWF and likely to be unless and until some enterprising team decides to recreate them in another format. And Homestuck is widely considered the most important hypertext novel yet written, as well as being the longest web comic, and an important cultural phenomenon in its own right. It might not be your cup of tea, but it's quite important to many people, whether fans or scholars (or both).

      1. illiad

        Re: I thought that HTML5

        ....and until ** ALL** browser young and old can patched to 'just do html5' & a cheap easy way of translating SWF for this, then flash will still be needed...

  8. Nifty

    The vSphere web console seems to need flash.

    Or is there an alternative?

    1. Alistair
      Coat

      @Nifty

      KVM and VMM work for me.

      That however might be overkill.

    2. Matt Piechota

      vSphere Console

      The console works in Chrome without adding any extra plugins. Under Linux, it's essentially the only option as the Adobe Linux Flash Plugin is too old for vSphere 5.5's web client.

      1. Charles 9

        Re: vSphere Console

        "The console works in Chrome without adding any extra plugins."

        Chrome contains an internal Flash unit (Google does this to maintain a fixed frame of security reference). The free fork Chromium doesn't, so you have to install it manually (if at all possible).

  9. CaptainBanjax

    Sounds like

    Sean Connery was misheard in the naming meeting.

    There musht be shum mishtake.

  10. illiad

    if you have not been following it, pale moon will now do most FF addons!! :) :) (that includes adblock!)

    http://www.palemoon.org/releasenotes.shtml

  11. Matt 75

    "Flash is a security nightmare"

    As opposed to Internet Explorer, Chrome and Firefox - ALL of which had more security issues last year than Flash?

    As mentioned in one of your own articles, in fact: http://www.theregister.co.uk/2015/02/26/windows_beats_apple_linux_with_fewest_bugs_for_2014/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like