policykit-1 121+compat0.1-5 is now in Debian Unstable.

Could I get a clear answer from the Ubuntu Security Team if this is
acceptable to autosync when Ubuntu 23.04 development opens?

** Tags added: block-proposed

** Summary changed:

- [security review] Sync policykit-1 0.120-6 (main) from Debian experimental
+ [security review] Sync policykit-1 121+compat0.1-5 (main) from Debian unstable

** Description changed:

- Please sync policykit-1 0.120-6 (main) from Debian experimental
+ Please sync policykit-1 121+compat0.1-5 (main) from Debian unstable for
+ Ubuntu 23.04
  
  Changelog entries since current kinetic version 0.105-33:
- https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6
+ 
https://metadata.ftp-master.debian.org/changelogs/main/p/policykit-1/policykit-1_121%2Bcompat0.1-4_changelog
  
  In particular, see the 0.120-4 changelog entry.
  
  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.
  
  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.
  
  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.
  
  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).
- 
- My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

** Description changed:

  Please sync policykit-1 121+compat0.1-5 (main) from Debian unstable for
  Ubuntu 23.04
  
  Changelog entries since current kinetic version 0.105-33:
  
https://metadata.ftp-master.debian.org/changelogs/main/p/policykit-1/policykit-1_121%2Bcompat0.1-4_changelog
  
  In particular, see the 0.120-4 changelog entry.
  
  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.
  
  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.
  
  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.
- 
- It appears the Debian maintainer is considering switching Debian to the
- updated version in time for the next Debian Stable release (so uploading
- to unstable later this year).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 121+compat0.1-5 (main) from Debian
  unstable

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 121+compat0.1-5 (main) from Debian unstable
  for Ubuntu 23.04

  Changelog entries since current kinetic version 0.105-33:
  
https://metadata.ftp-master.debian.org/changelogs/main/p/policykit-1/policykit-1_121%2Bcompat0.1-4_changelog

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.
