PolicyKit, KDE, Qt, and integration

David Zeuthen david at fubar.dk
Tue May 26 10:37:51 PDT 2009


On Tue, 2009-05-26 at 19:24 +0200, Dario Freddi wrote:
> > But we might want to break it if something better than PAM comes along.
> > But since libpolkit-agent-1.so is a small library, it shouldn't be very
> > painful and so-name-transitions is a pretty well-understood thing
> > anyway.
> 
> My 2 cents: why not switch to a backend system? It would definitely make
> the transition easier, should the case happen, and will save you a lot of 
> possible future work and binary compatibility of polkit-agent. I volunteer for 
> helping you: if you're interested in such a thing, this is definitely the 
> right time.

Well, the $64,000 question is how the interface from the app to the
authentication system is going to work, e.g. what is expressed in

http://people.freedesktop.org/~david/polkit-HEAD/PolkitAgentSession.html

which is rich enough for PAM and the non-PAM /etc/shadow stuff the
Slackware people want.

For a multi-factor authentication system that has some features no-one
has even written down yet, it's going to be a lot more complicated. I
mean, it's not unrealistic you want such an authentication system to
also cover cases where you authenticate someone over the network. I
mean, people have lots of ideas about this - but not so many concrete
ones.

So I don't think it's going to be useful trying to redesign that
interface until we're in a place where we know how a new authentication
subsystem is going to work. 

Also, if one were to push for a new authentication subsystem the number
one item you'd want would be PAM backwards compat. So things would work
fine even if a distro switched to a new system.

So, realistically, I don't think this is a big deal even if we were to
transition to using another authentication subsystem, e.g. bump the
soname for libpolkit-agent-1. Distros would just ship compat packages
for libpolkit-agent-1.so. I mean, it would work because PolicyKit proper
doesn't care about how you authenticate identities.

Also, at the end of the day, a PolicyKit authentication agent is just a
simple app that shows a dialog that interfaces with the authentication
subsystem and talks to the PolicyKit daemon. Rewriting that won't cause
changes in any apps and it wouldn't be a lot of work I think.

      David



