[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-10-13 Thread Jeremy Bicha 
policykit-1 121+compat0.1-5 is now in Debian Unstable.

Could I get a clear answer from the Ubuntu Security Team if this is
acceptable to autosync when Ubuntu 23.04 development opens?

** Tags added: block-proposed

** Summary changed:

- [security review] Sync policykit-1 0.120-6 (main) from Debian experimental
+ [security review] Sync policykit-1 121+compat0.1-5 (main) from Debian unstable

** Description changed:

- Please sync policykit-1 0.120-6 (main) from Debian experimental
+ Please sync policykit-1 121+compat0.1-5 (main) from Debian unstable for
+ Ubuntu 23.04
  
  Changelog entries since current kinetic version 0.105-33:
- https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6
+ 
https://metadata.ftp-master.debian.org/changelogs/main/p/policykit-1/policykit-1_121%2Bcompat0.1-4_changelog
  
  In particular, see the 0.120-4 changelog entry.
  
  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.
  
  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.
  
  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.
  
  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).
- 
- My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

** Description changed:

  Please sync policykit-1 121+compat0.1-5 (main) from Debian unstable for
  Ubuntu 23.04
  
  Changelog entries since current kinetic version 0.105-33:
  
https://metadata.ftp-master.debian.org/changelogs/main/p/policykit-1/policykit-1_121%2Bcompat0.1-4_changelog
  
  In particular, see the 0.120-4 changelog entry.
  
  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.
  
  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.
  
  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.
- 
- It appears the Debian maintainer is considering switching Debian to the
- updated version in time for the next Debian Stable release (so uploading
- to unstable later this year).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 121+compat0.1-5 (main) from Debian
  unstable

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 121+compat0.1-5 (main) from Debian unstable
  for Ubuntu 23.04

  Changelog entries since current kinetic version 0.105-33:
  
https://metadata.ftp-master.debian.org/changelogs/main/p/policykit-1/policykit-1_121%2Bcompat0.1-4_changelog

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-09-12 Thread Marc Deslauriers 
I also don't think this is a blocker anymore, as long as polkitd-pkla is
a strong dependency in Ubuntu, so we don't inadvertently stop shipping
it. It would be nice to get a similar list of packages in Ubuntu, as I
suspect we have many more than Debian. We may also need to update the
policykit-desktop-privileges package to ensure it still applies
appropriate policy.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-09-02 Thread Alex Murray 
> I do not intend to take further action to modify those packages. If it is a 
> blocker for Ubuntu 
> that they are fixed, then someone from Ubuntu will need to do that work.

Given the relationship between the packages has now changed - ie.
polkitd-pkla is not mutually exclusive from the javascript backend and
then allows both legacy pkla policies as well as the "new" javascript
policies to be handled - then this is not a blocker anymore from my
point of view. I suspect Marc may also agree (especially given the
relatively small number of packages in this category).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-09-01 Thread Simon McVittie 
As of version 121+compat0.1-1, the relationship between packages has
changed to this:

* polkitd always requires polkitd-javascript and duktape, and always
interprets JavaScript policies

* polkitd-pkla is now an optional addon (the upstream polkit-pkla-compat
project, as shipped in e.g. Fedora) which evaluates legacy .pkla files
and reports their results via a JavaScript policy

polkitd currently Suggests polkitd-pkla, but this might change to either
a stronger or weaker dependency.

> Get Debian to transition all packages in the archive from PKLA policy
files to JS policy files

I've reported bugs which are collected in .

I do not intend to take further action to modify those packages. If it
is a blocker for Ubuntu that they are fixed, then someone from Ubuntu
will need to do that work.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-06-08 Thread Simon McVittie 
More discussion here: https://salsa.debian.org/utopia-
team/polkit/-/merge_requests/6

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-06-08 Thread Simon McVittie 
> There was a proposal to use duktape instead of mozjs for the JavaScript
> interpreter but I don't think that's been merged yet.

This was merged upstream, but unfortunately there has not yet been a
release that contains this change.

I don't really want to use an arbitrary git snapshot for security-
sensitive software; but then again, all releases of polkit have security
vulnerabilities (CVE-2021-4115 and CVE-2021-4034 were both fixed since
0.120) so in some ways an arbitrary git snapshot would be safer.

I was surprised to see that Fedora is currently patching polkit to use
mozjs91 (also merged upstream but not released), rather than patching it
to use duktape.

> My understanding is the Debian experimental version doesn't support both at 
> the same
> time, it's one or the other depending on which binary package you install.

That is correct. You can have the old PKLA policies with no runtime
dependency on mozjs by installing polkitd-pkla, or you can have the JS
policies with a runtime dependency on mozjs (which will switch to
duktape in future) by installing polkitd-javascript, but you can't have
both simultaneously.

There is a separate package in e.g. Fedora that extends the JS backend
to also read PKLA policies, but that's not currently in Debian or
Ubuntu, and it isn't clear to me that it should be.

I have also been very tempted to modify 0.120 so it only builds polkitd-
pkla (dropping the JS dependency) and upload that to unstable, versioned
0.105+really0.120 or something, as a way to get a PKLA backend that
isn't in a codebase from the distant past (look at the debian/patches of
0.105 and despair).

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4034

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4115

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-06-06 Thread Marc Deslauriers 
My understanding is the Debian experimental version doesn't support both
at the same time, it's one or the other depending on which binary
package you install. We definitely don't want that.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-06-06 Thread Jeremy Bicha 
Marc, the current Debian experimental version supports both PKLA and JS
policy files. Are you saying that you only want one style to be
supported in an Ubuntu release?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-05-09 Thread Marc Deslauriers 
We do not want policykit to use the unmaintainable mozjs backend. That
would be a hard NACK from the Security Team.

The duktape backend has been merged upstream. So in order to sync this
to Ubuntu, the following must be done:

1- Get Debian to switch to the duktape backend
2- Get Debian to transition all packages in the archive from PKLA policy files 
to JS policy files
3- Transition Ubuntu packages not in Debian from PKLA policy files to JS policy 
files
4- Investigate Snap policykit support, and if required, transition Snaps from 
PKLA policy files to JS policy files.

Once the transition has been done for all software, policykit can be
switched to the duktape policykit backend by syncing the package from
Debian. Hopefully at that point it will be in Unstable, and not in
experimental.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp