Package: hal
Version: 0.5.12~git20090406.46dc48-2
Severity: important

I think that it is a bad thing that HAL started depending on PolicyKit in the
latest versions. PolicyKit introduces a whole new, parallel security system,
and it does not seem to be well-known how it works or how to properly
administer it (I, for one, certainly don't know how it works, at least).

Therefore, it may introduce security holes unknown to the maintainer of some
systems. In particular seeing how HAL is required by so many things (GNOME and
KDE, for example), it may even install PolicyKit without the administrator
knowing about it (installing GNOME or KDE pulls in so many other packages
anyway that it might be hard to spot PolicyKit among them; I almost missed it
in the latest dist-upgrade).

I have not researched it in detail yet, so I don't really know if it's a good
solution, but I would suggest some optional bridge package which integrates HAL
and PolicyKit, and which can be installed by those who want PolicyKit.

Of course, it is true that the same thing may be said of HAL as well, but
since the entire purpose of PolicyKit is to introduce a new layer of security
and permissions, I would consider it even more dangerous.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (400, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages hal depends on:
ii  adduser      3.110                       add and remove users and groups
ii  dbus         1.2.12-1                    simple interprocess messaging syst
pn  hal-info     <none>                      (no description available)
ii  libc6        2.9-4                       GNU C Library: Shared libraries
ii  libdbus-1-3  1.2.12-1                    simple interprocess messaging syst
ii  libdbus-glib 0.80-3                      simple interprocess messaging syst
ii  libexpat1    2.0.1-4                     XML parsing C library - runtime li
ii  libgcc1      1:4.3.3-3                   GCC support library
ii  libglib2.0-0 2.20.0-2                    The GLib library of C routines
ii  libhal-stora 0.5.12~git20090406.46dc48-2 Hardware Abstraction Layer - share
ii  libhal1      0.5.12~git20090406.46dc48-2 Hardware Abstraction Layer - share
ii  libsmbios2   2.0.3.dfsg-1                Provide access to (SM)BIOS informa
ii  libstdc++6   4.3.3-3                     The GNU Standard C++ Library v3
ii  libusb-0.1-4 2:0.1.12-13                 userspace USB programming library
ii  libvolume-id 0.125-7                     libvolume_id shared library
ii  lsb-base     3.2-22                      Linux Standard Base 3.2 init scrip
ii  mount        2.13.1.1-1                  Tools for mounting and manipulatin
ii  pciutils     1:3.1.2-3                   Linux PCI Utilities
pn  pm-utils     <none>                      (no description available)
ii  udev         0.141-1                     /dev/ and hotplug management daemo
ii  usbutils     0.73-10                     Linux USB utilities

Versions of packages hal recommends:
ii  eject           2.1.5+deb1+cvs20081104-5 ejects CDs and operates CD-Changer
pn  libsmbios-bin   <none>                   (no description available)

Versions of packages hal suggests:
pn  gnome-device-manager          <none>     (no description available)


