Adobe Air on Linux - A Security Nightmare
Adobe Air is an application platform/framework which received some buzz recently. One of the most popular Twitter clients was written using Adobe Air. Air seems to make it relatively simple to write nice looking cross platform applications.
Two weeks ago, Adobe Air was released for Linux and I gave it a try on my Debian Etch system. The results were not very satisfying.
Installing Air
First you need to download the installer from the Air for Linux website. then make it executable and run it.
$> wget http://download.macromedia.com/pub/labs/air/linux/adobeair_linux_a1_033108.bin $> chmod +x adobeair_linux_a1_033108.bin $> ./adobeair_linux_a1_033108.bin
So far, so nice.
What's not so nice is that the installer will ask you for your root password. It won't tell you what it will do with your system, where it installs anything or what scripts will be run. There seems to be no way to install with user permissions only.
I was brave and let it do its magic anyway. It turned out that it installed itself as a Debian package called adobeair-enu
. That's really nice – but why not giving me a Debian package from the start?
Paths are not Debian-like though, everything is installed to /opt/Adobe AIR
. Yes, there's a blank in that path .
Installing an Application
The next thing needed is an Air application to install of course. I was most interested in the much praised FriendFeed client AlertThingy.
Installing Air applications is supposed to be very simple. On Windows and Mac, Air integrates with Flash. Application providers just need to put up some special flash file and user can enjoy a one-click install. Of course the one-click installer didn't work for me.
So I had a look at the HTML source of the AlertThingy site and got the download URL from there:
$> wget http://www.howardbaines.com/alertthingy/AlertThingy.air
Now how to run this? The Adobe Air installer is not added to the PATH so you need to give the full path your self:
$> /opt/Adobe\ AIR/Versions/1.0/airappinstaller
This will open a file browser where you can choose the just downloaded file.
Next: a scary warning.
Not helpful, eh? Just scary. Click install if you dare.
Okay, the next dialog asks you where to install the application. I did choose some place in my home directory and hit “Continue”.
Guess what came next. I had to enter the root password to install the application .
Seriously, why on earth do I need to give the root password to install some application in my own home directory?
Handling the Application
Yes, I continued installing the application. AlertThingy started right after finishing the installation. I configured my FriendFeed account and it works as promised.
The tool is nice but not exactly what I what I was hoping for - but that's another story.
While it ran, I noticed that there is no icon for it in my XFCE icon box. I don't know if this is Air problem or an AlertThingy problem.
Then I hit the little X icon to close the application. It vanished from my sight. No window. No icon in the icon box. No icon in the system tray. Until an alert popped up in the middle of my screen.
So AlertThingy was still running somewhere in the background. But without any obvious way to bring it back into sight. So I killed it and restarted it again.
Oh, did I mention the spaces in the installation path and binary name?
$> /home/andi/programs/Alert\ Thingy/Alert\ Thingy
So AlertThingy does not integrate well in my desktop environment. Additionally it felt very sluggish when scrolling or changing tabs – and my PC is quite powerful.
Summary
Adobe Air for Linux is still alpha and this shows. Performance and desktop integration have to improved.
Unfortunately Adobe Air for Linux also shows a huge lack of understanding of the “Unix way”. Forcing users to install applications as superuser might be a common practice on other operating systems, for a Linux system this is unacceptable!