patch -- config files in /etc
mattdm at mattdm.org
Mon Nov 30 10:31:37 PST 2009
On Mon, Nov 30, 2009 at 01:11:29PM -0500, David Zeuthen wrote:
> There's a bunch of prior art where application store data like this
> in /var and not /etc. Many people use "application data" and
> "configuration" interchangeably (even myself) - iscsi-initiator-utils is
> one example. Don't let the FHS fool you that these are totally separate
Oh, the FHS is full of flaws, no question. I'm just surprised that this
particular thing is controversial. (And let's not hold up
iscsi-initiator-utils as a paragon of something to follow....)
> What happened in F12 was not a polkit issue, it was a PackageKit issue.
> And the defaults did get changed within 48 hours because of the
> overwhelming push-back. So it was a bug in PackageKit. And it got
Yeah, I don't mean to push that particular button here, sorry. I certainly
don't blame polkit for that at all. I've been very in favor of polkit ever
since you talked about it fudcon way back when, and my take-away from the
incident was that it'd be valuable to make policykit configuration more
transparent to systems administrators, which will encourage more buy-in.
(The ideas about logging are motivated by the same thing -- enterprise
sysadmins want to see logs!)
> (If there's anything positive about that incident it's that maybe it
> opened people's eyes to the problem that Fedora maybe shouldn't be a
> "general purpose OS" - we really need different policies (such as
> different .pkla-files) in e.g. desktop and server spins - e.g. we want
> the stock F12 behavior but only in a desktop-spin, never in a
> > I hope you can reconsider, because while the actual change is trivial, it's
> > really the right thing to do.
> The only possible solution that I could be made to agree with involves
> reading .pkla files from both
> though this really sucks. But there is a ton of prior art where this is
> done (hal, udev, etc.) so I guess we could do this.
If you take a look at the patch I posted (here and in the Fedora bug),
that's exactly what it does.
(Except it uses /etc/security/polkit-1, which I think is a good idea
particularly given your comments on making sure users realize this is
security-sensitive configuration. And because it matches where the
consolehelper configuration lives, and since I think replacing consolehelper
entirely with polkit is a reasonable goal, that makes the mental migration
path easier for admins and doc writers.)
> So if you want to do this, file a bug with a patch and we'll take it
> from there.
Would you like a new freedesktop.org bug filed?
> Btw, it would be nice also to use inotify to watch
> directories in polkit-1/localauthority instead of hardcoding this
> |-- 10-vendor.d
> |-- 20-org.d
> |-- 30-site.d
> |-- 50-local.d
> `-- 90-mandatory.d
Yeah, that's mentioned in the Fedora bug too, but I figured one thing at a
Thanks, David. I appreciate the reconsideration.
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
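A small audit script, added here as an example and not code from the patch or from polkit itself, that walks the localauthority hierarchy in the order quoted above across both the /var/lib and /etc roots the patch proposes, and lists the rules that grant an action without any authentication prompt; the root paths, the assumption that later directories take precedence, and the sample .pkla contents are all assumptions.

```python
# Added audit example (not polkit's own code): walk a localauthority tree in
# the order the directory numbering implies and flag rules that grant with "yes".
import configparser
import os
import tempfile
# Sub-directory order from the thread; assumed: later directories take precedence.
SUBDIRS = ["10-vendor.d", "20-org.d", "30-site.d", "50-local.d", "90-mandatory.d"]
# Roots to merge, as the patch under discussion proposes (paths are assumptions).
ROOTS = ["/var/lib/polkit-1/localauthority", "/etc/polkit-1/localauthority"]
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def ordered_pkla_files(roots=ROOTS, subdirs=SUBDIRS):
    """Yield .pkla paths in application order: subdir, then root, then name."""
    for sub in subdirs:
        for root in roots:
            d = os.path.join(root, sub)
            if not os.path.isdir(d):
                continue  # a root need not carry every sub-directory
            for name in sorted(os.listdir(d)):
                if name.endswith(".pkla"):
                    yield os.path.join(d, name)

def parse_pkla(path):
    """Return one dict per [section] with its Identity, Action and Result* keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so ResultActive is matched as written
    cp.read(path)
    rules = []
    for section in cp.sections():
        rule = {"file": path, "rule": section}
        for key in ("Identity", "Action") + RESULT_KEYS:
            rule[key] = cp.get(section, key, fallback=None)
        rules.append(rule)
    return rules

def unauthenticated_grants(roots=ROOTS, subdirs=SUBDIRS):
    """Rules with any Result* of 'yes': the action is allowed without a prompt."""
    return [r for p in ordered_pkla_files(roots, subdirs) for r in parse_pkla(p)
            if any(r[k] == "yes" for k in RESULT_KEYS)]

def demo():
    """Audit a constructed two-root tree written to temp dirs (sample data only)."""
    var_root, etc_root = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(var_root, "10-vendor.d"))
    os.makedirs(os.path.join(etc_root, "90-mandatory.d"))
    with open(os.path.join(var_root, "10-vendor.d", "vendor.pkla"), "w") as f:
        f.write("[Vendor]\nIdentity=unix-group:wheel\nAction=org.example.install\nResultActive=yes\n")
    with open(os.path.join(etc_root, "90-mandatory.d", "site.pkla"), "w") as f:
        f.write("[Site]\nIdentity=unix-user:*\nAction=org.example.install\nResultActive=auth_admin\n")
    return unauthenticated_grants([var_root, etc_root])
```

Run `demo()` to see the constructed tree audited; point `unauthenticated_grants()` at real roots to audit a live system.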