Revision as of 10:15, 16 February 2022

Make pkexec and pkla-compat optional

Summary

Split pkexec from the polkit package and make it a recommended only sub-package. Similarly, make the polkit-pkla-compat package a recommended package too. This will enable users and desktop no longer relying on those features to avoid installing them.

Owner

Name: Timothée Ravier
Email: siosm@fedoraproject.org

Current status

Targeted release: Fedora Linux 37
Last updated: 2022-02-16
FESCo issue: <will be assigned by the Wrangler>
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

pkexec and pkla-compat (package) are legacy tools that are no longer needed on a desktop and increase the attack surface as they are SetUID binaries (pkexec) or not maintained anymore (pkla-compat).

This change will thus split pkexec from the polkit package and make it a recommended only sub-package. Similarly, it will make the polkit-pkla-compat package a recommended package too. This will enable users and desktop no longer relying on those features to avoid installing them. Users that still need those features will easily be able to install them.

See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2

Feedback

See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2

Benefit to Fedora

Increased security, less legacy software installed by default, moving to a more secure desktop by default.

Scope

Proposal owners:
- Test as many desktop as possible and add the new dependencies for the packages requiring either pkla-compat rules support or pkexec.

Other developers:

Release engineering: #Releng issue number

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with Objectives:

Upgrade/compatibility impact

Nothing happens during upgrades for existing systems as the packages are still available and will be kept as is and the new pkexec package will be added for user not deselecting recommends.

Only new installations that will not have those packages will be impacted and the risk of security issues with the pkla rules removal is low.

How To Test

Install the latest polkit, remove pkexec subpackage and pkla-compat package and ensure that your application and desktop environment are still working as intended.

User Experience

N/A

Dependencies

N/A

Contingency Plan

Revert the change.

Documentation

N/A (not a System Wide Change)

Release Notes

TODO

@@ Line 1: / Line 1: @@
-= Make pkexec and pkla-compat optional
+= Make pkexec and pkla-compat optional =
 == Summary ==
@@ Line 43: / Line 43: @@
 == Feedback ==
+Related discussion in https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/ZDZACAMG2E3P4K4P2CVBQ3XBBZ7CYSXA/#Q6EK5NXFV5GEMW3RFTXIWT4NVNDKYKLG
 See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2
@@ Line 52: / Line 54: @@
 == Scope ==
 * Proposal owners:
+** Test as many desktop as possible and add the new dependencies for the packages requiring either pkla-compat rules support or pkexec.
 <!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
@@ Line 77: / Line 80: @@
 == How To Test ==
-Install the latest polkit, remove pkexec subpackage and pkla-compat package and ensure that your application and desktop are still working as intended.
+Install the latest polkit, remove pkexec subpackage and pkla-compat package and ensure that your application and desktop environment are still working as intended.
 == User Experience ==

Search

Changes/polkit recommends pkla pkexec: Difference between revisions