On Mon, Nov 30, 2009 at 01:11:29PM -0500, David Zeuthen wrote: > There's a bunch of prior art where application store data like this > in /var and not /etc. Many people use "application data" and > "configuration" interchangeably (even myself) - iscsi-initiator-utils is > one example. Don't let the FHS fool you that these are totally separate > things.
Oh, the FHS is full of flaws, no question. I'm just surprised that this particular thing is controversial. (And let's not hold up iscsi-initiator-utils as a paragon of something to follow....) > What happened in F12 was not a polkit issue, it was a PackageKit issue. > And the defaults did get changed within 48 hours because of the > over-whelming push-back. So it was a bug in PackageKit. And it got > fixed. Yeah, I don't meant to push that particular button here, sorry. I certainly don't blame polkit for that at all. I've been very in favor of polkit ever since you talked about it fudcon way back when, and my take-away from the incident was that it'd be valuable to make policykit configuration more transparent to systems administrators, which will encourage more buy-in. (The ideas about logging are motivated by the same thing -- enterprise sysadmins want to see logs!) > (If there's anything positive about that incident it's that maybe it > opened peoples eyes to the problem that Fedora maybe shouldn't be a > "general purpose OS" - we really need different policies (such as > different .pkla-files) in e.g. desktop and server spins - e.g. we want > the stock F12 behavior but only in a desktop-spin, never in a > server-spin) Definitely. > > I hope you can reconsider, because while the actual change is trivial, it's > > really the right thing to do. > The only possible solution that I could be made to agree with involves > reading files .pkla files from both > /var/lib/polkit-1/localauthority > /etc/polkit-1/localauthority > though this really sucks. But there is a ton of prior art where this is > done (hal, udev, etc.) so I guess we could do this. If you take a look at the patch I posted (here and in the Fedora bug), that's exactly what it does. (Except it uses /etc/security/polkit-1, which I think is a good idea particularly given your comments on making sure users realize this is security-sensitive configuration. And because it matches how where the consolehelper configuration lives, and since I think replacing consolehelper entirely with polkit is a reasonable goal, that makes the mental migration path easier for admins and doc writers.) > So if you want to do this, file a bug with a patch and we'll take it > from there. Would you like a new freedesktop.org bug filed? > Btw, it would be nice also to use inotify to watch > directories in polkit-1/localauthority instead of hardcoding this > |-- 10-vendor.d > |-- 20-org.d > |-- 30-site.d > |-- 50-local.d > ‘-- 90-mandatory.d Yeah, that's mentioned in the Fedora bug too, but I figured one thing at a time. Thanks, David. I appreciate the reconsideration. -- Matthew Miller mat...@mattdm.org <http://mattdm.org/> _______________________________________________ polkit-devel mailing list polkit-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/polkit-devel
