Control: forwarded -1 https://salsa.debian.org/debian/colord/-/merge_requests/3
Control: tags -1 + patch

On Tue, 06 Dec 2022 at 13:17:50 +0000, Simon McVittie wrote:
> This package has a Depends on the transitional package policykit-1, which
> has been separated into polkitd, pkexec and (deprecated) polkitd-pkla
> packages. Its Build-Depends seems to have already been replaced with
> polkitd, which might have been a previous partial fix for this bug.

Please see the attached patches, also available as a merge request at the
link above.

While preparing the first patch, I noticed that the installed-tests
probably only work if polkitd-pkla is installed, but they can easily be
adapted to work without that package (that's the second patch).

> If this package communicates with polkitd via D-Bus, please represent that
> as a Depends, Recommends or Suggests on polkitd, whichever is appropriate
> for the strength of the requirement.

It looked like this package only needs polkitd...

> If this package runs /usr/bin/pkexec, please represent that as a Depends,
> Recommends or Suggests on pkexec, whichever is appropriate for the strength
> of the requirement.

... and not pkexec. Not pulling in pkexec would be a good piece of
security hardening, since pkexec is a setuid-root executable that has
had CVEs in the past.

> For packages that are expected to be backported to bullseye, it's OK to
> use an alternative dependency: polkitd | policykit-1 and/or
> pkexec | policykit-1.

I used the alternative dependency in the interests of being minimally
disruptive.

> This is part of a mass bug filing, see
> <https://lists.debian.org/debian-devel/2022/10/msg00211.html>.

If my recent team upload of malcontent migrates to testing, this is one
of only 3 remaining source packages that would need similar changes to
stop including policykit-1 in new installations of a Debian 12 GNOME
desktop (the others are rtkit and synaptic). I haven't yet tried the
equivalent with other desktop environments.

    smcv

>From 187c197a80b9d81f36b346fbca521a3eb06ee095 Mon Sep 17 00:00:00 2001 From: Simon McVittie <s...@debian.org> Date: Tue, 7 Feb 2023 16:47:01 +0000 Subject: [PATCH 1/2] d/control: Depend on polkitd | policykit-1, not just policykit-1 This allows colord to be installed without pulling in the transitional package policykit-1. Closes: #1025554, #1025379 --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 11a74489..726e67a1 100644 --- a/debian/control +++ b/debian/control @@ -77,7 +77,7 @@ Depends: acl, adduser, colord-data, - policykit-1 (>= 0.103), + polkitd | policykit-1 (>= 0.103), ${misc:Depends}, ${shlibs:Depends}, Suggests: -- 2.39.1
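Review bot: In the debian/control hunk, the (>= 0.103) constraint now binds only the policykit-1 alternative, so the first alternative, polkitd, is accepted at any version. That is fine if every polkitd version provides what 0.103 did, but the commit message does not say the missing version is deliberate. A sentence there, or a # comment line above the Depends field, would stop a later reader from "fixing" it by adding a version to polkitd.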
>From 50b64ce0a3046a2ebc847ef711f03d2b32e04348 Mon Sep 17 00:00:00 2001 From: Simon McVittie <s...@debian.org> Date: Tue, 7 Feb 2023 16:50:47 +0000 Subject: [PATCH 2/2] d/tests/installed-tests: Make the rules override work without polkitd-pkla Installing policykit-1 is no longer guaranteed to provide support for the legacy .pkla rules language. --- debian/tests/installed-tests | 2 +- debian/tests/overrides/99-allow-all-colord.pkla | 4 ---- debian/tests/overrides/99-allow-all-colord.rules | 9 +++++++++ 3 files changed, 10 insertions(+), 5 deletions(-) delete mode 100644 debian/tests/overrides/99-allow-all-colord.pkla create mode 100644 debian/tests/overrides/99-allow-all-colord.rules diff --git a/debian/tests/installed-tests b/debian/tests/installed-tests index 0ebf55ce..abf98144 100755 --- a/debian/tests/installed-tests +++ b/debian/tests/installed-tests @@ -3,7 +3,7 @@ set -eu # Override polkit checks for colord daemon. Normally this would allow # locally-logged-in users to do things, but our autopkgtest user isn't locally-logged-in. -cp debian/tests/overrides/99-allow-all-colord.pkla /etc/polkit-1/localauthority/90-mandatory.d +cp debian/tests/overrides/99-allow-all-colord.rules /etc/polkit-1/rules.d/ mkdir -p /etc/systemd/system/colord.service.d/ cp debian/tests/overrides/colord.service /etc/systemd/system/colord.service.d/10-add-dummy-sensor.conf diff --git a/debian/tests/overrides/99-allow-all-colord.pkla b/debian/tests/overrides/99-allow-all-colord.pkla deleted file mode 100644 index 18019af3..00000000 --- a/debian/tests/overrides/99-allow-all-colord.pkla +++ /dev/null @@ -1,4 +0,0 @@ -[Allow All for Tesnting] -Identity=unix-user:* -Action=org.freedesktop.color-manager.* -ResultAny=yes diff --git a/debian/tests/overrides/99-allow-all-colord.rules b/debian/tests/overrides/99-allow-all-colord.rules new file mode 100644 index 00000000..b13fa6a3 --- /dev/null +++ b/debian/tests/overrides/99-allow-all-colord.rules 
@@ -0,0 +1,9 @@ +polkit.addRule(function(action, subject) { + if (action.id.indexOf("org.freedesktop.color-manager.") === 0) { + return polkit.Result.YES; + } + + return polkit.Result.NOT_HANDLED; +}); + +// vim:set ft=javascript: -- 2.39.1
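Review bot: In the debian/tests/installed-tests hunk, the new cp into /etc/polkit-1/rules.d/ assumes that directory already exists, and under "set -eu" the test aborts if it does not. The line right after it runs mkdir -p before copying the systemd drop-in, but nothing equivalent is done here. The test's declared dependencies (debian/tests/control) are not part of this patch, so please confirm they guarantee that polkitd, which owns that directory, is installed in the testbed. It would also help to update the comment above the cp to say the override is now a JavaScript rule.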
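Review bot: In the new debian/tests/overrides/99-allow-all-colord.rules, the 99- prefix carried over from the .pkla file name makes this rule sort late. polkitd evaluates rules files in lexical order and stops at the first rule that returns something other than NOT_HANDLED, so any earlier-sorted rule that handles org.freedesktop.color-manager.* actions would win over this override. A low prefix such as 00- would keep the test override authoritative. The file also has no comment saying it is a test-only override that returns polkit.Result.YES for every subject. The deleted .pkla at least carried that in its section title, so a leading // comment to the same effect would be worth adding.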