On Sat, 10.11.12 09:26, Richard W.M. Jones (rjones@xxxxxxxxxx) wrote: > On Sat, Nov 10, 2012 at 02:33:53AM +0100, Kevin Kofler wrote: > > Matthew Miller wrote: > > > Apparently the new version of polkit brings in javascript. The js package > > > is 6.5MB. I think anything that uses polkit will depend on it -- can we > > > remove it from core? > > > > Of course, the real question is why the heck PolicyKit needs a Turing- > > complete rule language (which also forced everyone to port their existing > > rules) when the previously-used simple INI-style pkla rule format did the > > job just fine! > > And Unix groups worked OK before that (and still do for the majority > of purposes). OK, I'll bite. So: Did they really? If you want to allow a user to execute a specific privileged operation once (let's say format a USB stick), and you grant him group membership for that, then he can drop a SETGID binary for that group somewhere and will have the permission forever. Effectively, you can never take group membership away. Also, creating individual groups for all the various privileged operations we have simply doesn't scale. So, PK's usecase is a valid and an important one. You cannot replace that by Unix groups. Making PK uninstallable hence really is not about removing something that was generally not necessary. It is simply about removing something that is not necessary in the specific usecase of a server setup where no local unprivileged users exist that might need to execute privileged operations interactively. Lennart -- Lennart Poettering - Red Hat, Inc. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
