PolicyKit releases and !AWOL
David Zeuthen
david at fubar.dk
Wed Dec 5 23:19:16 PST 2007
Hi,
First sorry for not being more active on the list. Been busy with lots
and lots of stuff including PolicyKit and trying to put my thoughts down
about the next major version of HAL (basically a rewrite, more on that
soon!).
Sorry again. I'll try to catch up on the mails tomorrow and Friday;
fortunately all the mails I haven't replied to are still marked as
unread so I should be able to get back to most of you.
Second, and the reason I'm surfacing from hide + seek, here's a new
PolicyKit release
http://hal.freedesktop.org/releases/PolicyKit-0.7.tar.gz
http://hal.freedesktop.org/releases/PolicyKit-gnome-0.7.tar.bz2
For all intents and purposes, software (such as intlclock, PackageKit,
gnome-system-monitor, pulseaudio and so on) built against PolicyKit 0.6
will continue to work unmodified with 0.7 (there's a few semantic
changes in API that mechanisms don't use but not enough to warrant
bumping the so-name since we're pre-1.0).
However, there's, literally, tons and tons of changes and new API in
both tarballs, see [1] for details.
I was fortunate enough to have a few people at Red Hat review the 0.6
release for security issues; there's a few of changes in 0.7 too (the
whole auth backend was basically redone) so review of the new bits would
be welcome. I'm pretty confident there are no bugs / security issues
(having a test suite makes me sleep better!) but nonetheless this is new
code so do exercise caution. In other words, I'd wait for 0.8 to ship it
in a stable release (0.6 is fine though).
Also, packagers should be careful, there's a few new setgid helpers; the
blurb at the end of ./configure should be useful. And here's the Fedora
spec files for reference
http://cvs.fedoraproject.org/viewcvs/devel/PolicyKit/PolicyKit.spec?rev=1.9&view=auto
http://cvs.fedoraproject.org/viewcvs/devel/PolicyKit-gnome/PolicyKit-gnome.spec?rev=1.14&view=auto
where all the juicy permissions bits are repeated again.
Also, specifically, since HAL runs unprivileged and reading of PolicyKit
authorizations of other users is now a privileged operation (it now
requires an authorization for org.freedesktop.policykit.read), one will
need to do things like this in %pre for the hal packages
# User haldaemon needs to be able to read authorizations
/usr/bin/polkit-auth --user haldaemon --grant org.freedesktop.policykit.read >& /dev/null || :
See here for details:
http://cvs.fedoraproject.org/viewcvs/devel/hal/hal.spec?rev=1.140&view=auto
Here are some screenshots of the new UI
http://people.freedesktop.org/~david/polkitg-auth-1.png
http://people.freedesktop.org/~david/polkitg-auth-2.png
http://people.freedesktop.org/~david/polkitg-auth-3.png
http://people.freedesktop.org/~david/polkit-icon-and-vendor.png
and here are the docs for 0.7
http://hal.freedesktop.org/docs/PolicyKit/
http://hal.freedesktop.org/docs/PolicyKit-gnome/
The next release of PolicyKit will likely break some ABI and so-name
bumping (I do plan to keep the API for mechanisms intact so just a
recompile is needed) and after that we should be good to go to 1.0. The
plans are roughly sketched out in the TODO list here
http://gitweb.freedesktop.org/?p=PolicyKit.git;a=blob_plain;h=b865d2ca583afce8eb2cf5ebfe3bfc96cbe8996d;f=doc/TODO
Patches welcome (there's one from the Slackware guys about not relying
on PAM that is in my queue already). Comments on the direction on the
project / feature requests etc. also welcome.
David
[1] :
PolicyKit
http://gitweb.freedesktop.org/?p=PolicyKit.git;a=blob_plain;h=b054407bbb529b415810529d12c5c3981e180915;f=NEWS
PolicyKit-gnome
http://gitweb.freedesktop.org/?p=users/david/PolicyKit-gnome.git;a=blob_plain;h=f9e13fb526e7318b30de51b42e441746ecabdb16;f=NEWS
More information about the hal
mailing list