Polkit on Duktape

Jasper St. Pierre jstpierre at mecheye.net
Wed Aug 12 20:28:37 PDT 2015


For performance reasons related to boot speed on our platform, today I
ported polkit to use Duktape. I recently got pointed to a post that
said for security reasons, it's unlikely to see this land, which is a
bit disappointing.

Out of curiosity, what would the threat model be here? How would an
attacker put bad input into the JS engine to be exploited by a

Having been a maintainer of gjs alongside Colin, I know first-hand
what it is to work with the mozjs API. Mozilla is *not* focused on
embedders, but instead performance and ES6 compliance, which we turn
off inside polkit. As such, Mozilla is also not going to release
security fixes for js185, js17, js24, etc. When a security bug is
found, it basically means we do a wholesale port to the new API, and
only after we chase down a guy who can roll a new tarball.

I think duktape, which is actively maintained, which has active
standalone and security releases, and is focused on embedding, makes
for a much better choice for a system like polkit.

Anyway, since I already did the work, might as well publish it. The
branch with changes is here:


More information about the polkit-devel mailing list