Make pkexec and pkla-compat optional
Summary
Split pkexec
from the polkit package and make it a recommended only sub-package. Similarly, make the polkit-pkla-compat package a recommended package too. This will enable users and desktop no longer relying on those features to avoid installing them.
Owner
- Name: Timothée Ravier, Jan Rybar
- Email: siosm@fedoraproject.org, jrybar@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-02-24
- devel thread
- FESCo issue: #2766
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The pkexec
tool is an optional tool that is no longer required for the correct function of most server and desktop environments. This is also a SetUID binary.
The polkit-pkla-compat
package is a legacy compatibility package that is no longer maintained.
This change will split pkexec
from the polkit package and make it a recommended-only sub-package. Similarly, it will make the polkit-pkla-compat
package a recommended package too.
This will enable users and desktop no longer relying on those features to avoid installing them. Users that still need those features will easily be able to install them.
If we end up confident that we will not break the default user experience, we can make those packages fully optional so that they are not installed by default anymore.
See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2
Feedback
Related discussion in https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/ZDZACAMG2E3P4K4P2CVBQ3XBBZ7CYSXA/#Q6EK5NXFV5GEMW3RFTXIWT4NVNDKYKLG
See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2
Benefit to Fedora
Less SetUID binaries and less legacy software installed by default. Moving to a more secure desktop by default.
Scope
- Proposal owners:
- Test as many desktop environments as possible and add the new dependencies for the packages requiring either polkit-pkla-compat rules support or pkexec.
- Other developers:
- Test as many desktop environments as possible and add the new dependencies for the packages requiring either polkit-pkla-compat rules support or pkexec.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
Nothing should happen during upgrades for existing systems as the packages are still available and will be kept as is and the new polkit-pkexec package will be installed for users not deselecting recommends.
Only new installations that will not have those packages will be impacted and the risk of security issues with the pkla rules removal is low.
How To Test
1. Install the polkit package from https://copr.fedorainfracloud.org/coprs/siosm/polkit/ 2. Remove the polkit-pkexec sub-package and polkit-pkla-compat package 3. Ensure that your applications and desktop environment are still working as intended. Focus on applications that require privileges.
User Experience
N/A
Dependencies
N/A
Contingency Plan
Revert the change.
Documentation
N/A (not a System Wide Change)
Release Notes
TODO