----- Original Message ----- > So, talking about specific actions... > > I have recently had to search all existing polkit policies. This is > no longer possible to automate because various packages ship the > JavaScript policy, so I had to review those by hand. It seems that > (perhaps with the exception of polkit itself) any use of JavaScript > could be converted into the old format, which remains supported. > > So, as soon I find some free time (probably next week), I intend to > ask FPC to prohibit using JavaScript if the functionality can be > represented in the old .pkla, and to prepare patches to convert the 6 > JS-using packages. Not sure where you got that information. pkla files are not supported anymore. So, converting JavaScript rules to pkla syntax won't do any good. What is worthwhile doing though, is to review all existing packages that ship such rules, and stop them from doing that, if possible. JavaScript rules are only meant for admin use, no OS-provided package should install them. We only look in /usr/share to allow for the possibility of site-local configuration that is distributed in packages. A concrete action that we are going to take is to split the polkit daemon into its own subpackage. Then minimal / certifiable installs can contain clients that are using the polkit libraries, without pulling in the daemon. Polkit clients are already expected to handle this situation and fall back to allow only uid 0. All of this is documented in http://www.freedesktop.org/software/polkit/docs/latest/polkit-apps.html Matthias -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
