https://fedoraproject.org/wiki/Changes/polkit_recommends_pkla_pkexec
== Summary == Split `pkexec` from the polkit package and make it a recommended only sub-package. Similarly, make the polkit-pkla-compat package a recommended package too. This will enable users and desktop no longer relying on those features to avoid installing them. == Owner == * Name: [[User:Siosm| Timothée Ravier]], Jan Rybar * Email: si...@fedoraproject.org, jry...@redhat.com == Detailed Description == `pkexec` and `pkla-compat` ([https://src.fedoraproject.org/rpms/polkit-pkla-compat package]) are legacy tools that are no longer needed on a desktop and increase the attack surface as they are SetUID binaries (`pkexec`) or not maintained anymore (`pkla-compat`). This change will thus split `pkexec` from the polkit package and make it a recommended only sub-package. Similarly, it will make the polkit-pkla-compat package a recommended package too. This will enable users and desktop no longer relying on those features to avoid installing them. Users that still need those features will easily be able to install them. See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2 == Feedback == Related discussion in https://lists.fedoraproject.org/archives/list/de...@lists.fedoraproject.org/thread/ZDZACAMG2E3P4K4P2CVBQ3XBBZ7CYSXA/#Q6EK5NXFV5GEMW3RFTXIWT4NVNDKYKLG See in progress PR: https://src.fedoraproject.org/rpms/polkit/pull-request/2 == Benefit to Fedora == Increased security, less legacy software installed by default, moving to a more secure desktop by default. == Scope == * Proposal owners: ** Test as many desktop environments as possible and add the new dependencies for the packages requiring either polkit-pkla-compat rules support or pkexec. * Other developers: ** Test as many desktop environments as possible and add the new dependencies for the packages requiring either polkit-pkla-compat rules support or pkexec. * Release engineering: * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A * Alignment with Objectives: == Upgrade/compatibility impact == Nothing should happen during upgrades for existing systems as the packages are still available and will be kept as is and the new polkit-pkexec package will be installed for users not deselecting recommends. Only new installations that will not have those packages will be impacted and the risk of security issues with the pkla rules removal is low. == How To Test == 1. Install the polkit package from https://copr.fedorainfracloud.org/coprs/siosm/polkit/ 2. Remove the polkit-pkexec sub-package and polkit-pkla-compat package 3. Ensure that your applications and desktop environment are still working as intended. Focus on applications that require privileges. == User Experience == N/A == Dependencies == N/A == Contingency Plan == Revert the change. == Documentation == N/A (not a System Wide Change) == Release Notes == TODO -- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
