Killing off Flash and the impact that would have

Started by July 15, 2015 01:12 AM
97 comments, last by Sik_the_hedgehog 9 years, 3 months ago
Unfortunately I don't buy into the 'safe because everyone can look at it' argument either; as much as I like Open Source (in a MIT/zlib style), the fact of the matter remains people DON'T check things so bugs and problems, even pretty sizable ones, are left in to be exploited later.

Maybe, once it has been found, "anyone" can fix it... but let's be realistic about the number of people with the skill set to do it; to the Average Person, if software is open, closed, or summoned into existence by Blood Rituals too horrible to consider doesn't matter one bit; they are still beholden to someone else to fix it and kick out an update.

Which brings me back to my opening statement; people don't check these things.


Maybe, once it has been found, "anyone" can fix it

This is working under the assumption the finder is the scrupulous type who will report or fix it and not a black hat who will file it away for later abuse...


Even if you migrate everything to HTML5...all you have to do is right click to view the source.

Let's not perpetuate the myth that obscurity is a form of security.

One of the major drawbacks of Flash relative to HTML5 is the fact that Flash is proprietary. Anyone can go find and fix security bugs in the Chrome or Firefox source code - not so for Adobe's.

I never defended that notion. Quite the opposite, actually. I was saying that if someone wanted to exploit someone's computer/information, they could do it in any language, and on any platform. I think we're on the same page on your second point of "OK, I can prevent this myself." versus "Will Adobe prevent this in future releases?".

But as far as the impact goes, I doubt the Internet will explode if one is used over the other. For developers who've tried both, they've probably noticed that in functionality, MXML == HTML, Actionscript == Javascript, and CSS is universal. You could literally write the same game in both with few, if any, differences. Especially with the new features that HTML5 and CSS3 offer.

What I do not understand is why so many of you seem fixated on browser-based delivery.


I was talking to some friends about this the other night and one of them made a comment that had me look completely revolted at their comment: "The only people who play online indie games these days are other indie devs like you". I just kind of stammered for a while trying to think of a counter-point, failed, then grouchily finished my beer in shocked silence.

Reading your post today seems to be coming at it from a similar angle - why are we focusing on browser-based delivery so much? It's a bit of a wake-up question.

I think a lot of it has to do with the generation we grew up in. For a lot of us, the last decade has been the desktop-consumption era: Newgrounds, Kongregate, Weebl, Homestar runner, pretty much every indie game jam, - growing up in an era of flash meant that we also grew up thinking primarily nothing but desktop. When I think of making a game, my first thoughts are all the flash (and somewhat more recently Unity) based games I grew up playing with a mouse and keyboard, in any browser on any computer, sending the link around to friends on message boards and chat programs. The very game mechanics that I sit around thinking about revolve around having access to things like a mouse and keyboard. Making a mobile game is a completely different thought process that requires considering touch controls, tiny screens, a type of game design I don't often think about.

Not only that, but for me I primarily associate browser-based games with a no-barrier, no-entry requirement to playing a game. No exe's/apks to download, nothing to install, just go to this link and play the game. The same friend above then made another statement that made me revile in disgust again: "Oh desktop games are much harder to play - a phone game I can download at any time and then play when I get a chance. Desktop games I can't try at work when I have a few minutes waiting for something to compile".

Ugh, what what what? Going to the app store, finding the game, hoping it works on your device and installing it is easier?

So for the last few days I've been re-assessing my thoughts. Maybe browser-based games are just something I still think of as the #1 delivery mechanism simply because I grew up in an era of desktop? There's still some things though that I still think are big problems on mobile like touch controls, difficulty testing on devices you don't own, singular marketplaces that are also over-saturated etc, but is thinking primarily of browser-based delivery just me being an old man?

Unfortunately I don't buy into the 'safe because everyone can look at it' argument either; as much as I like Open Source (in a MIT/zlib style), the fact of the matter remains people DON'T check things so bugs and problems, even pretty sizable ones, are left in to be exploited later.

Maybe, once it has been found, "anyone" can fix it... but let's be realistic about the number of people with the skill set to do it; to the Average Person, if software is open, closed, or summoned into existence by Blood Rituals too horrible to consider doesn't matter one bit; they are still beholden to someone else to fix it and kick out an update.

While this is true, if even a small percentage of the user-base has the interest and expertise to look at the source code of a project, their doing so still results in more people taking a hand in the project than in the case of closed source software, given equal numbers of internal team members.

Further, if none of the user-base of a project takes an interest in the source code, then how is the result effectively different to the project being closed-source, and thus what is lost?

There is, of course, the possibility that only people with ill intent take interest in the project, but I doubt the probability of this particular case--although I stand to be corrected.


... I doubt the Internet will explode ...

Isn't that something that it does regularly, whether squeeing in delight or screaming in anger?

[edit]


There's still some things though that I still think are big problems on mobile like touch controls, difficulty testing on devices you don't own, singular marketplaces that are also over-saturated etc, but is thinking primarily of browser-based delivery just me being an old man?

Don't forget that there's also the option of native desktop development--you don't have to choose between "browser" and "mobile" when developing a (non-console) game.

MWAHAHAHAHAHAHA!!!

My Twitter Account: @EbornIan

One only has to look at Heartbleed to show that open-source does not inherently make things more secure. Most developers do not understand how to code securely, much less being able to find security issues in someone else's code. The problem was compounded by people generally not finding security "interesting" and having no external motivation (like money) to ensure OpenSSL is secure.

Say what you will about closed-source software, but the companies generally have monetary incentives to make sure their software actually works. (Last year's releases of incredibly broken AAA games notwithstanding)

I was saying that if someone wanted to exploit someone's computer/information, they could do it in any language, and on any platform. I think we're on the same page on your second point of "OK, I can prevent this myself." versus "Will Adobe prevent this in future releases?".

If you keep up to date with Wikileaks/etc, you'd know that recently a whistle-blower disclosed a zero-day bug (i.e. has always been there) in Flash which allows any Flash developer to include a bit of ActionScript with the ability to live-patch the browser's Flash plugin with whatever assembly code they want. Both repressive and Freedom loving(tm) governments, and dodgy corporations around the world have been using this bug to silently install viruses/trojans/spyware on innocent people's computers in their quest for omniscience.
These same people who developed this Flash exploit also develop malware that infects UEFI BIOS chips, USB firmware and Hard drive firmware, so even if you format your computer, their malware can reinfect it immediately.

If you can write a javascript which is capable of installing malware just by loading a page, then you'll probably see the same over-the-top security responses that we're seeing now (and be able to land a good job as a security researcher).

This flash exploit has mostly been used by government spies up until this point, but now that it's "burned" by the leak, Adobe and anti-virus companies are quickly patching it up. In the meantime, criminal hackers are quickly trying to use the same exploit to spread botnets and other malicious viruses before everyone updates their browsers. There's a very good reason for browser vendors to be disabling flash by default at the moment... Every single flash banner ad on the internet could potentially be as dangerous as downloading and running random EXE files.


... I doubt the Internet will explode ...

Isn't that something that it does regularly, whether squeeing in delight or screaming in anger?

Hmm. Good point.


... Every single flash banner ad on the internet could potentially be as dangerous as downloading and running random EXE files.

Which...a lot of people still do, surprisingly. Really, we're taking a gamble by just getting online. There's no guarantee that our anti-virus software will know about every single harmful file on the internet, even with regular updates.

One only has to look at Heartbleed to show that open-source does not inherently make things more secure. Most developers do not understand how to code securely, much less being able to find security issues in someone else's code. The problem was compounded by people generally not finding security "interesting" and having no external motivation (like money) to ensure OpenSSL is secure.

Let's dwell on that a minute. Despite the lack of funding, OpenSSL is staffed pretty much entirely by volunteers, most of whom *are* incredibly interested in security - why else volunteer your time working on SSL?

And let's also keep in mind that Heartbleed was in the wild for only 2 years, and was corrected quite quickly, given that we had to update most of the servers on the internet, and revoke certificates all over the place. The Flash vulnerability has been there for what, a decade or more, if the articles are to be believed. And right after Adobe patched that one, two more existing vulnerabilities were discovered in the same set of data...

Say what you will about closed-source software, but the companies generally have monetary incentives to make sure their software actually works. (Last year's releases of incredibly broken AAA games notwithstanding)

Last year's releases of incredibly broken AAA games is actually very relevant. Companies have monetary incentives to make sure that advertisers do not abandon their platform in favour of a competitor. In turn, that typically means they have monetary incentives to make sure their users do not abandon their platform.

But as this thread ably demonstrates, plenty of people still consider Flash the holy grail, and have no intention of abandoning it (and this is a pretty tech-savvy crowd - how do you think the public sees it?). Thus, where is the monetary incentive to do better next time?

Much like with Halo, where despite an unplayably broken release, we'll still all buy Halo 5.

Tristam MacDonald. Ex-BigTech Software Engineer. Future farmer. [https://trist.am]

But as this thread ably demonstrates, plenty of people still consider Flash the holy grail, and have no intention of abandoning it (and this is a pretty tech-savvy crowd - how do you think the public sees it?).



Did anyone in this thread ever say that Flash is a holy grail, or anything that could possibly imply they like Flash? Withholding dislike does not imply the opposite.

Personally, I hate Flash. But I hate every browser-based alternative even more.

This topic is closed to new replies.
