A while ago I split the policykit-1 package into two binary packages:

- polkitd: the authorization daemon and associated utilities
- pkexec: the sudo-like tool to run arbitrary commands as root

policykit-1 is a transitional package to pull in both. Since upgrading
to upstream version 121 which uses JavaScript as the primary format
for authorization rules, it also pulls in polkitd-pkla (also known as
polkit-pkla-compat upstream), which provides backwards compatibility
with sysadmins' existing .pkla authorization policies if any.

I'd like to reduce the number of dependencies on the transitional
policykit-1 package for bookworm, ideally to zero. This gives us two
desirable properties:

- The setuid /usr/bin/pkexec will be present on fewer systems, reducing
  attack surface: for example CVE-2021-4034 only affected pkexec, and
  polkitd was not vulnerable. After we get the dependencies fixed, I would
  expect to see pkexec installed on typical laptop/desktop systems, but
  not on typical servers.

- New installations won't get polkitd-pkla, so it's easier to see what
  policies are applied and in what order (all backwards-compatibility
  .pkla files get applied in the middle of the new sequence of .rules
  files, which can be quite confusing).

A template bug mail:

-------------------------------- 8< -----------------------------------
This package has a Depends, Recommends, Suggests or Build-Depends on the
transitional package policykit-1, which has been separated into polkitd
and pkexec packages.

If this package communicates with polkitd via D-Bus, please represent that
as a Depends, Recommends or Suggests on polkitd, whichever is appropriate.

If this package runs /usr/bin/pkexec, please represent that as a Depends,
Recommends or Suggests on pkexec, whichever is appropriate.

If this package requires polkit at build-time (usually for the gettext
extensions polkit.its and polkit.loc), please build-depend on both
libpolkit-gobject-1-dev and polkitd, even if the package does not
actually depend on libpolkit-gobject-1 at runtime. This is because
the gettext extensions are currently in polkitd, but might be moved to
libpolkit-gobject-1-dev in future (see #955204). pkexec is usually not
required at build-time.

For packages that are expected to be backported to bullseye, it's OK to
use an alternative dependency: polkitd | policykit-1 and/or
pkexec | policykit-1.
-------------------------------- 8< -----------------------------------

dd-list attached. I've tried to filter out false positives for packages
that already use polkitd | policykit-1, such as flatpak.

The next Lintian release will emit a depends-on-obsolete-package error
for dependencies on policykit-1 (and several other transitional packages)
which will help to make progress in this direction.

Thanks,
smcv
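
A check along the lines of the template above, as an added example that is not part of the original message: it parses a debian/control file and reports dependency clauses that name policykit-1 without a polkitd or pkexec alternative, treating the backport-friendly `polkitd | policykit-1` form as already fixed. The sample control file, package names and function names are constructed for illustration.

```python
import re

DEP_FIELDS = {"depends", "recommends", "suggests", "build-depends"}
REPLACEMENTS = {"polkitd", "pkexec"}

# Constructed sample debian/control, not taken from any real package.
SAMPLE_CONTROL = """\
Source: example-tool
Build-Depends: debhelper-compat (= 13),
 policykit-1,
 libpolkit-gobject-1-dev

Package: example-tool
Depends: ${misc:Depends}, polkitd | policykit-1, pkexec | policykit-1
Recommends: policykit-1 (>= 0.105)
"""

def parse_stanzas(text):
    """Yield one {field: value} dict per stanza, folding continuation lines."""
    stanza, key = {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                  # blank line ends a stanza
            if stanza:
                yield stanza
            stanza, key = {}, None
        elif line[0] in " \t" and key:        # continuation of previous field
            stanza[key] += " " + line.strip()
        elif not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            key = key.strip().lower()
            stanza[key] = value.strip()

def names(clause):
    """Package names in one 'a (>= 1) | b [amd64]' clause, qualifiers stripped."""
    alts = (re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", a).strip() for a in clause.split("|"))
    return [a.split(":")[0] for a in alts if a]

def find_policykit_deps(text):
    """Return (stanza, field, clause) for policykit-1 with no polkitd/pkexec alternative."""
    hits = []
    for st in parse_stanzas(text):
        owner = st.get("package") or st.get("source", "?")
        for field in DEP_FIELDS & st.keys():
            for clause in st[field].split(","):
                alts = names(clause)
                if "policykit-1" in alts and not REPLACEMENTS & set(alts):
                    hits.append((owner, field, clause.strip()))
    return sorted(hits)
```

Calling `find_policykit_deps(SAMPLE_CONTROL)` reports the bare Build-Depends and Recommends entries and skips the two alternative clauses in Depends.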
Alessio Treglia <alessio@debian.org>
   rtkit (U)

Andrea Bolognani <eof@kiyuko.org>
   libvirt (U)
   libvirt-dbus (U)

Andreas Messer <andi@bastelmap.de>
   elogind (U)

Andrew Lee (李健秋) <ajqlee@debian.org>
   lxde-metapackages (U)
   lxsession (U)

Andrew Pollock <apollock@debian.org>
   isc-dhcp (U)

Andriy Grytsenko <andrej@rep.kiev.ua>
   lxde-metapackages (U)
   lxsession (U)

Anibal Monsalve Salazar <anibal@debian.org>
   gparted (U)

Anthony Fok <foka@debian.org>
   timekpr-next (U)

Antonio Cardoso Martins <digiplan.pt@gmail.com>
   guidedog

Arnaud Ferraris <aferraris@debian.org>
   modemmanager (U)

Aron Xu <aron@debian.org>
   network-manager (U)

Axel Beckert <abe@debian.org>
   wicd (U)

Barak A. Pearlmutter <bap@debian.org>
   ettercap
   ettercap (U)

Bertrand Marc <bmarc@debian.org>
   gnunet-gtk

Boyuan Yang <byang@debian.org>
   galternatives (U)
   mintstick

Carl Fürstenberg <azatoth@gmail.com>
   obs-studio (U)

Chris Lamb <lamby@debian.org>
   zoneminder (U)

Christopher James Halse Rogers <raof@ubuntu.com>
   colord

Christopher Schramm <debian@cschramm.eu>
   blueman

Clément Hermann <nodens@debian.org>
   libgsecuredelete (U)

Daniel Baumann <daniel.baumann@progress-linux.org>
   bfh-metapackages
   gnunet-gtk
   progress-linux-metapackages

Daniel Jared Dominguez <jared.dominguez@dell.com>
   fwupd (U)

David Mohammed <fossfreedom@ubuntu.com>
   budgie-control-center

Debian Accessibility Team <pkg-a11y-devel@alioth-lists.debian.net>
   brltty

Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>
   brltty

Debian Chinese Team <chinese-developers@lists.alioth.debian.org>
   galternatives

Debian Ecosystem Init Diversity Team <debian-init-diversity@chiark.greenend.org.uk>
   elogind

Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>
   veyon

Debian EFI <debian-efi@lists.debian.org>
   fwupd

Debian Electronics Team <pkg-electronics-devel@lists.alioth.debian.org>
   arduino

Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
   accountsservice
   malcontent

Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
   deja-dup
   gnome-applets
   gnome-initial-setup
   gnome-multi-writer
   gnome-system-log
   sysprof

Debian ISC DHCP Maintainers <isc-dhcp@packages.debian.org>
   isc-dhcp

Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>
   isc-dhcp

Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>
   libvirt
   libvirt-dbus

Debian LXDE Maintainers <pkg-lxde-maintainers@lists.alioth.debian.org>
   lxde-metapackages
   lxsession

Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
   obs-studio
   rtkit

Debian Printing Team <debian-printing@lists.debian.org>
   hannah-foo2zjs
   hplip

Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>
   libgsecuredelete

Debian Python Team <team+python@tracker.debian.org>
   bleachbit (U)
   gui-ufw
   timekpr-next

Debian Remote Maintainers <debian-remote@lists.debian.org>
   x2gothinclient

Debian Security Tools <team+pkg-security@tracker.debian.org>
   ettercap
   guymager

Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>
   selinux-dbus
   selinux-python

Debian Sugar Team <pkg-sugar-devel@lists.alioth.debian.org>
   sugar

Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
   systemd

Debian WICD Packaging Team <pkg-wicd-maint@lists.alioth.debian.org>
   wicd

Debian Wine Team <debian-wine@lists.debian.org>
   winetricks

Debian Xfce Maintainers <debian-xfce@lists.debian.org>
   lightdm-gtk-greeter

Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
   caja-admin
   caja-dropbox
   mate-applets
   mate-polkit
   mate-power-manager
   mate-settings-daemon
   mate-system-monitor

DebianOnMobile Maintainers <debian-on-mobile-maintainers@alioth-lists.debian.net>
   modemmanager

Devid Antonio Filoni <d.filoni@ubuntu.com>
   gui-ufw (U)

Didier Raboud <odyx@debian.org>
   fprintd (U)
   hplip (U)

Dmitry Shachnev <mitya57@debian.org>
   gnome-applets (U)

Dmitry Smirnov <onlyjob@debian.org>
   zoneminder

Emilio Pozuelo Monfort <pochu@debian.org>
   accountsservice (U)

Evangelos Rigas <e.rigas@cranfield.ac.uk>
   cpupower-gui

Evgeni Golov <evgeni@debian.org>
   tuned

Fabian Wolff <fabi.wolff@arcor.de>
   backintime (U)

Felipe Sateler <fsateler@debian.org>
   rtkit (U)
   systemd (U)

FingerForce Team <fingerforce-devel@lists.alioth.debian.org>
   fprintd

gdebi developers <gdebi@packages.debian.org>
   gdebi

Gianfranco Costamagna <locutusofborg@debian.org>
   ettercap (U)
   guidedog (U)

Giap Tran <txgvnn@gmail.com>
   wicd (U)

Graham Inggs <ginggs@debian.org>
   modem-manager-gui
   modem-manager-gui (U)

Guido Günther <agx@sigxcpu.org>
   libvirt (U)
   modemmanager (U)

gustavo panizzo <gfa@zumbi.com.ar>
   tuned (U)

handsome_feng <jianfengli@ubuntukylin.com>
   ukui-biometric-auth (U)

Henry-Nicolas Tourneur <debian@nilux.be>
   modemmanager (U)

Hugo Lefeuvre <hle@debian.org>
   bleachbit

Iain Lane <laney@debian.org>
   deja-dup (U)
   gnome-applets (U)
   gnome-system-log (U)

Ian Jackson <ijackson@chiark.greenend.org.uk>
   elogind (U)

intrigeri <intrigeri@debian.org>
   libgsecuredelete (U)

James Lu <james@overdrivenetworks.com>
   lightdm-gtk-greeter-settings

Jens Reyer <jre.winesim@gmail.com>
   winetricks (U)

Jeremy Bicha <jbicha@debian.org>
   deja-dup (U)
   gnome-applets (U)
   gnome-initial-setup (U)
   gnome-multi-writer (U)
   gnome-system-log (U)
   sysprof (U)

Jeremy Bicha <jbicha@ubuntu.com>
   deja-dup (U)
   gnome-initial-setup (U)
   sysprof (U)

Joao Eriberto Mota Filho <eriberto@debian.org>
   grub-customizer
   linssid

John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
   caja-dropbox (U)
   mate-applets (U)
   mate-polkit (U)
   mate-power-manager (U)
   mate-settings-daemon (U)
   mate-system-monitor (U)

Jonas Smedegaard <dr@jones.dk>
   sugar (U)

Jonathan Carter <jcc@debian.org>
   calamares

Jonathan Wiltshire <jmw@debian.org>
   backintime

Joseph Bisch <joseph.bisch@gmail.com>
   winetricks (U)

Josselin Mouette <joss@debian.org>
   gnome-system-log (U)

Julian Andres Klode <jak@debian.org>
   hplip (U)
   packagekit (U)

Kamal Mostafa <kamal@canonical.com>
   trace-cmd (U)

Kartik Mistry <kartik@debian.org>
   scanmem (U)

Kylin Team <team+kylin@tracker.debian.org>
   ukui-biometric-auth

Laurent Bigonville <bigon@debian.org>
   deja-dup (U)
   gnome-initial-setup (U)
   gnome-system-log (U)
   malcontent (U)
   realmd (U)
   selinux-dbus (U)
   selinux-python (U)
   sysprof (U)

Laurent Léonard <laurent@open-minds.org>
   libvirt (U)

Luca Boccassi <bluca@debian.org>
   systemd (U)

Luke Yelavich <themuso@ubuntu.com>
   rtkit (U)

Marcio de Souza Oliveira <marciosouza@debian.org>
   zulucrypt

Marco d'Itri <md@linux.it>
   systemd (U)

Marco Trevisan <marco@ubuntu.com>
   fprintd (U)

Mario Limonciello <mario.limonciello@dell.com>
   fwupd (U)

Mario Limonciello <superm1@gmail.com>
   fwupd (U)

Mark Hindley <mark@hindley.org.uk>
   elogind (U)

Mark Purcell <msp@debian.org>
   hplip (U)

Martin <debacle@debian.org>
   modemmanager (U)

Martin Pitt <mpitt@debian.org>
   cockpit (U)
   policykit-1-gnome (U)
   systemd (U)
   udisks2 (U)
   upower (U)

Martin Wimpress <code@flexion.org>
   caja-dropbox (U)
   mate-applets (U)
   mate-system-monitor (U)

Mathieu Trudel-Lapierre <mathieu.tl@gmail.com>
   modemmanager

Matteo F. Vescovi <mfv@debian.org>
   modem-manager-gui

Matthias Klumpp <mak@debian.org>
   fwupd (U)
   packagekit

Michael Biebl <biebl@debian.org>
   cockpit (U)
   gnome-multi-writer (U)
   gnome-system-log (U)
   network-manager (U)
   policykit-1-gnome (U)
   sysprof (U)
   systemd (U)
   udisks2 (U)
   upower (U)

Michael Gilbert <mgilbert@debian.org>
   isc-dhcp (U)

Michael Prokop <mika@debian.org>
   guymager (U)

Michael Vogt <mvo@debian.org>
   gdebi (U)
   synaptic

Mihai Moldovan <ionic@ionic.de>
   x2gothinclient (U)

Mike Gabriel <sunweaver@debian.org>
   caja-admin (U)
   caja-dropbox (U)
   mate-applets (U)
   mate-polkit (U)
   mate-power-manager (U)
   mate-settings-daemon (U)
   mate-system-monitor (U)
   veyon (U)
   x2gothinclient (U)

Miriam Ruiz <miriam@debian.org>
   gui-ufw (U)

Murat Demirten <murat@debian.org>
   ettercap (U)

Patrick Matthäi <pmatthaei@debian.org>
   needrestart-session

Petr Baudis <pasky@ucw.cz>
   mate-power-manager (U)

Philip Hands <phil@hands.com>
   arduino (U)

Phillip Susi <phill@thesusis.net>
   gparted

Phillip Susi <psusi@ubuntu.com>
   gparted

Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
   bleachbit (U)
   gui-ufw

Ritesh Raj Sarraf <rrs@debian.org>
   sysprof (U)

Russell Coker <russell@coker.com.au>
   selinux-dbus (U)
   selinux-python (U)

Samuel Thibault <sthibault@debian.org>
   brltty (U)

Santiago Ruano Rincón <santiago@debian.org>
   isc-dhcp (U)
   sugar (U)

Scott Howard <showard@debian.org>
   arduino
   arduino (U)

Sebastian Parschauer <s.parschauer@gmx.de>
   scanmem

Sebastian Ramacher <sramacher@debian.org>
   obs-studio (U)

Sebastien Bacher <seb128@debian.org>
   deja-dup (U)
   gnome-initial-setup (U)

Seth Forshee <seth.forshee@canonical.com>
   trace-cmd (U)

Sjoerd Simons <sjoerd@debian.org>
   network-manager (U)
   systemd (U)

Stefano Karapetsas <stefano@karapetsas.com>
   caja-dropbox (U)
   mate-applets (U)
   mate-polkit (U)
   mate-power-manager (U)
   mate-settings-daemon (U)
   mate-system-monitor (U)

Steve McIntyre <93sam@debian.org>
   fwupd (U)

Sudip Mukherjee <sudipm.mukherjee@gmail.com>
   kernelshark
   trace-cmd

Thorsten Alteholz <debian@alteholz.de>
   hplip (U)

Till Kamppeter <till.kamppeter@gmail.com>
   hplip (U)

Ubuntu Developers <ubuntu-dev-team@lists.alioth.debian.org>
   gdebi

Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
   trace-cmd

Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
   cockpit
   network-manager
   policykit-1-gnome
   realmd
   udisks2
   upower

Vangelis Mouhtsis <vangelis@gnugr.org>
   caja-admin (U)
   caja-dropbox (U)
   mate-applets (U)
   mate-polkit (U)
   mate-power-manager (U)
   mate-settings-daemon (U)
   mate-system-monitor (U)

xiao sheng wen <atzlinux@sina.com>
   grub-customizer

Yangfl <mmyangfl@gmail.com>
   galternatives (U)

Yanhao Mo <yanhaocs@gmail.com>
   hotspot

Yann Amar <quidame@poivron.org>
   bilibop

Yves-Alexis Perez <corsac@debian.org>
   lightdm-gtk-greeter (U)