Hey Micahel. Thanks for giving a help :-)
On Fri, 2018-03-30 at 10:50 +0200, Michael Biebl wrote: > Fwiw, I don't agree here. A computer should be usable by default. > We have a conservative, but usable default policy in Debian, imho. > If a computer is not usable, users will start to employ hacks and > workarounds, which would be worse. Well I guess the difficulty here is to determine what's a common kind of computer that people can/should expect, and what's conservative/usable for that. Debian, runs probably on everything,... from the super-computer, over classic servers, the true multi-user-desktop/terminal, the typical single-user-desktop to embedded devices, right?! I'd guess that all bug the single-user-desktop might have quite easily an issue with such a policy as it is right now (especially also the embedded system). OTOH, for the single-user-desktop, you're of course absolutely right,... there it wouldn't make much sense to require people to enter roots passwords to e.g. the USB stick they plug-in, since they have anyway full control over it. polkit doesn't seem to be for desktops only and nothing in udisks really says "beware: our defaults are rather suited for single-user- desktops" btw: I've noticed that even udisks itself doesn't seem to have a clear understanding of what's a system disk or not: - A plain partition/fs on a "removable device" (well all devices are removable, so let's call it: "connected via USB") will be considered non-system, and users can modify it. - A fs below dm-crypt on the same USB-connected device (just on another partition) seemed to be not-considered a system disk. Just discovered this by accident and maybe I did something wrong,.. and since I'm already in my Easter holidays I cannot check it properly right now. Have you guys considered to simply ship multiple policies and give the user e.g. a debconf choice on to which is installed? There could be a simple choice between "desktop", "server", "secure" (with perhaps some better naming for the later, as it shouldn't imply the others are less secure). Alternatively, the policy could be split into it's own package, and udisks depend on either of several. In both cases, the default could be kept to match the current behaviour. > For a specialized lab setup you are indeed encouraged to setup you > own > policies and lock down stuff further. That's basically my plan :-) Happy Easter, Chris. _______________________________________________ Pkg-utopia-maintainers mailing list Pkg-utopia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-utopia-maintainers