A while ago I split the policykit-1 package into two binary packages:

- polkitd: the authorization daemon and associated utilities
- pkexec: the sudo-like tool to run arbitrary commands as root

policykit-1 is a transitional package to pull in both. Since upgrading to upstream version 121 which uses JavaScript as the primary format for authorization rules, it also pulls in polkitd-pkla (also known as polkit-pkla-compat upstream), which provides backwards compatibility with sysadmins' existing .pkla authorization policies if any.

I'd like to reduce the number of dependencies on the transitional policykit-1 package for bookworm, ideally to zero. This gives us two desirable properties:

- The setuid /usr/bin/pkexec will be present on fewer systems, reducing attack surface: for example CVE-2021-4034 only affected pkexec, and polkitd was not vulnerable. After we get the dependencies fixed, I would expect to see pkexec installed on typical laptop/desktop systems, but not on typical servers.
- New installations won't get polkitd-pkla, so it's easier to see what policies are applied and in what order (all backwards-compatibility .pkla files get applied in the middle of the new sequence of .rules files, which can be quite confusing).

A template bug mail:

-------------------------------- 8< -----------------------------------
This package has a Depends, Recommends, Suggests or Build-Depends on the transitional package policykit-1, which has been separated into polkitd and pkexec packages.

If this package communicates with polkitd via D-Bus, please represent that as a Depends, Recommends or Suggests on polkitd, whichever is appropriate.

If this package runs /usr/bin/pkexec, please represent that as a Depends, Recommends or Suggests on pkexec, whichever is appropriate.

If this package requires polkit at build-time (usually for the gettext extensions polkit.its and polkit.loc), please build-depend on both libpolkit-gobject-1-dev and polkitd, even if the package does not actually depend on libpolkit-gobject-1 at runtime. This is because the gettext extensions are currently in polkitd, but might be moved to libpolkit-gobject-1-dev in future (see #955204). pkexec is usually not required at build-time.

For packages that are expected to be backported to bullseye, it's OK to use an alternative dependency: polkitd | policykit-1 and/or pkexec | policykit-1.
-------------------------------- 8< -----------------------------------

dd-list attached. I've tried to filter out false positives for packages that already use polkitd | policykit-1, such as flatpak.

The next Lintian release will emit a depends-on-obsolete-package error for dependencies on policykit-1 (and several other transitional packages) which will help to make progress in this direction.

Thanks,
smcv

Alessio Treglia <ales...@debian.org>
   rtkit (U)

Andrea Bolognani <e...@kiyuko.org>
   libvirt (U)
   libvirt-dbus (U)

Andreas Messer <a...@bastelmap.de>
   elogind (U)

Andrew Lee (李健秋) <ajq...@debian.org>
   lxde-metapackages (U)
   lxsession (U)

Andrew Pollock <apoll...@debian.org>
   isc-dhcp (U)

Andriy Grytsenko <and...@rep.kiev.ua>
   lxde-metapackages (U)
   lxsession (U)

Anibal Monsalve Salazar <ani...@debian.org>
   gparted (U)

Anthony Fok <f...@debian.org>
   timekpr-next (U)

Antonio Cardoso Martins <digiplan...@gmail.com>
   guidedog

Arnaud Ferraris <aferra...@debian.org>
   modemmanager (U)

Aron Xu <a...@debian.org>
   network-manager (U)

Axel Beckert <a...@debian.org>
   wicd (U)

Barak A. Pearlmutter <b...@debian.org>
   ettercap
   ettercap (U)

Bertrand Marc <bm...@debian.org>
   gnunet-gtk

Boyuan Yang <by...@debian.org>
   galternatives (U)
   mintstick

Carl Fürstenberg <azat...@gmail.com>
   obs-studio (U)

Chris Lamb <la...@debian.org>
   zoneminder (U)

Christopher James Halse Rogers <r...@ubuntu.com>
   colord

Christopher Schramm <deb...@cschramm.eu>
   blueman

Clément Hermann <nod...@debian.org>
   libgsecuredelete (U)

Daniel Baumann <daniel.baum...@progress-linux.org>
   bfh-metapackages
   gnunet-gtk
   progress-linux-metapackages

Daniel Jared Dominguez <jared.doming...@dell.com>
   fwupd (U)

David Mohammed <fossfree...@ubuntu.com>
   budgie-control-center

Debian Accessibility Team <pkg-a11y-de...@alioth-lists.debian.net>
   brltty

Debian Accessibility Team <pkg-a11y-de...@lists.alioth.debian.org>
   brltty

Debian Chinese Team <chinese-develop...@lists.alioth.debian.org>
   galternatives

Debian Ecosystem Init Diversity Team <debian-init-divers...@chiark.greenend.org.uk>
   elogind

Debian Edu Packaging Team <debian-edu-pkg-t...@lists.alioth.debian.org>
   veyon

Debian EFI <debian-...@lists.debian.org>
   fwupd

Debian Electronics Team <pkg-electronics-de...@lists.alioth.debian.org>
   arduino

Debian freedesktop.org maintainers <pkg-freedesktop-maintain...@lists.alioth.debian.org>
   accountsservice
   malcontent

Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
   deja-dup
   gnome-applets
   gnome-initial-setup
   gnome-multi-writer
   gnome-system-log
   sysprof

Debian ISC DHCP Maintainers <isc-d...@packages.debian.org>
   isc-dhcp

Debian ISC DHCP maintainers <pkg-dhcp-de...@lists.alioth.debian.org>
   isc-dhcp

Debian Libvirt Maintainers <pkg-libvirt-maintain...@lists.alioth.debian.org>
   libvirt
   libvirt-dbus

Debian LXDE Maintainers <pkg-lxde-maintain...@lists.alioth.debian.org>
   lxde-metapackages
   lxsession

Debian Multimedia Maintainers <debian-multime...@lists.debian.org>
   obs-studio
   rtkit

Debian Printing Team <debian-print...@lists.debian.org>
   hannah-foo2zjs
   hplip

Debian Privacy Tools Maintainers <pkg-privacy-maintain...@lists.alioth.debian.org>
   libgsecuredelete

Debian Python Team <team+pyt...@tracker.debian.org>
   bleachbit (U)
   gui-ufw
   timekpr-next

Debian Remote Maintainers <debian-rem...@lists.debian.org>
   x2gothinclient

Debian Security Tools <team+pkg-secur...@tracker.debian.org>
   ettercap
   guymager

Debian SELinux maintainers <selinux-de...@lists.alioth.debian.org>
   selinux-dbus
   selinux-python

Debian Sugar Team <pkg-sugar-de...@lists.alioth.debian.org>
   sugar

Debian systemd Maintainers <pkg-systemd-maintain...@lists.alioth.debian.org>
   systemd

Debian WICD Packaging Team <pkg-wicd-ma...@lists.alioth.debian.org>
   wicd

Debian Wine Team <debian-w...@lists.debian.org>
   winetricks

Debian Xfce Maintainers <debian-x...@lists.debian.org>
   lightdm-gtk-greeter

Debian+Ubuntu MATE Packaging Team <debian-m...@lists.debian.org>
   caja-admin
   caja-dropbox
   mate-applets
   mate-polkit
   mate-power-manager
   mate-settings-daemon
   mate-system-monitor

DebianOnMobile Maintainers <debian-on-mobile-maintain...@alioth-lists.debian.net>
   modemmanager

Devid Antonio Filoni <d.fil...@ubuntu.com>
   gui-ufw (U)

Didier Raboud <o...@debian.org>
   fprintd (U)
   hplip (U)

Dmitry Shachnev <mity...@debian.org>
   gnome-applets (U)

Dmitry Smirnov <only...@debian.org>
   zoneminder

Emilio Pozuelo Monfort <po...@debian.org>
   accountsservice (U)

Evangelos Rigas <e.ri...@cranfield.ac.uk>
   cpupower-gui

Evgeni Golov <evg...@debian.org>
   tuned

Fabian Wolff <fabi.wo...@arcor.de>
   backintime (U)

Felipe Sateler <fsate...@debian.org>
   rtkit (U)
   systemd (U)

FingerForce Team <fingerforce-de...@lists.alioth.debian.org>
   fprintd

gdebi developers <gd...@packages.debian.org>
   gdebi

Gianfranco Costamagna <locutusofb...@debian.org>
   ettercap (U)
   guidedog (U)

Giap Tran <txg...@gmail.com>
   wicd (U)

Graham Inggs <gin...@debian.org>
   modem-manager-gui
   modem-manager-gui (U)

Guido Günther <a...@sigxcpu.org>
   libvirt (U)
   modemmanager (U)

gustavo panizzo <g...@zumbi.com.ar>
   tuned (U)

handsome_feng <jianfen...@ubuntukylin.com>
   ukui-biometric-auth (U)

Henry-Nicolas Tourneur <deb...@nilux.be>
   modemmanager (U)

Hugo Lefeuvre <h...@debian.org>
   bleachbit

Iain Lane <la...@debian.org>
   deja-dup (U)
   gnome-applets (U)
   gnome-system-log (U)

Ian Jackson <ijack...@chiark.greenend.org.uk>
   elogind (U)

intrigeri <intrig...@debian.org>
   libgsecuredelete (U)

James Lu <ja...@overdrivenetworks.com>
   lightdm-gtk-greeter-settings

Jens Reyer <jre.wine...@gmail.com>
   winetricks (U)

Jeremy Bicha <jbi...@debian.org>
   deja-dup (U)
   gnome-applets (U)
   gnome-initial-setup (U)
   gnome-multi-writer (U)
   gnome-system-log (U)
   sysprof (U)

Jeremy Bicha <jbi...@ubuntu.com>
   deja-dup (U)
   gnome-initial-setup (U)
   sysprof (U)

Joao Eriberto Mota Filho <eribe...@debian.org>
   grub-customizer
   linssid

John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
   caja-dropbox (U)
   mate-applets (U)
   mate-polkit (U)
   mate-power-manager (U)
   mate-settings-daemon (U)
   mate-system-monitor (U)

Jonas Smedegaard <d...@jones.dk>
   sugar (U)

Jonathan Carter <j...@debian.org>
   calamares

Jonathan Wiltshire <j...@debian.org>
   backintime

Joseph Bisch <joseph.bi...@gmail.com>
   winetricks (U)

Josselin Mouette <j...@debian.org>
   gnome-system-log (U)

Julian Andres Klode <j...@debian.org>
   hplip (U)
   packagekit (U)

Kamal Mostafa <ka...@canonical.com>
   trace-cmd (U)

Kartik Mistry <kar...@debian.org>
   scanmem (U)

Kylin Team <team+ky...@tracker.debian.org>
   ukui-biometric-auth

Laurent Bigonville <bi...@debian.org>
   deja-dup (U)
   gnome-initial-setup (U)
   gnome-system-log (U)
   malcontent (U)
   realmd (U)
   selinux-dbus (U)
   selinux-python (U)
   sysprof (U)

Laurent Léonard <laur...@open-minds.org>
   libvirt (U)

Luca Boccassi <bl...@debian.org>
   systemd (U)

Luke Yelavich <them...@ubuntu.com>
   rtkit (U)

Marcio de Souza Oliveira <marcioso...@debian.org>
   zulucrypt

Marco d'Itri <m...@linux.it>
   systemd (U)

Marco Trevisan <ma...@ubuntu.com>
   fprintd (U)

Mario Limonciello <mario.limoncie...@dell.com>
   fwupd (U)

Mario Limonciello <supe...@gmail.com>
   fwupd (U)

Mark Hindley <m...@hindley.org.uk>
   elogind (U)

Mark Purcell <m...@debian.org>
   hplip (U)

Martin <deba...@debian.org>
   modemmanager (U)

Martin Pitt <mp...@debian.org>
   cockpit (U)
   policykit-1-gnome (U)
   systemd (U)
   udisks2 (U)
   upower (U)

Martin Wimpress <c...@flexion.org>
   caja-dropbox (U)
   mate-applets (U)
   mate-system-monitor (U)

Mathieu Trudel-Lapierre <mathieu...@gmail.com>
   modemmanager

Matteo F. Vescovi <m...@debian.org>
   modem-manager-gui

Matthias Klumpp <m...@debian.org>
   fwupd (U)
   packagekit

Michael Biebl <bi...@debian.org>
   cockpit (U)
   gnome-multi-writer (U)
   gnome-system-log (U)
   network-manager (U)
   policykit-1-gnome (U)
   sysprof (U)
   systemd (U)
   udisks2 (U)
   upower (U)

Michael Gilbert <mgilb...@debian.org>
   isc-dhcp (U)

Michael Prokop <m...@debian.org>
   guymager (U)

Michael Vogt <m...@debian.org>
   gdebi (U)
   synaptic

Mihai Moldovan <io...@ionic.de>
   x2gothinclient (U)

Mike Gabriel <sunwea...@debian.org>
   caja-admin (U)
   caja-dropbox (U)
   mate-applets (U)
   mate-polkit (U)
   mate-power-manager (U)
   mate-settings-daemon (U)
   mate-system-monitor (U)
   veyon (U)
   x2gothinclient (U)

Miriam Ruiz <mir...@debian.org>
   gui-ufw (U)

Murat Demirten <mu...@debian.org>
   ettercap (U)

Patrick Matthäi <pmatth...@debian.org>
   needrestart-session

Petr Baudis <pa...@ucw.cz>
   mate-power-manager (U)

Philip Hands <p...@hands.com>
   arduino (U)

Phillip Susi <ph...@thesusis.net>
   gparted

Phillip Susi <ps...@ubuntu.com>
   gparted

Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
   bleachbit (U)
   gui-ufw

Ritesh Raj Sarraf <r...@debian.org>
   sysprof (U)

Russell Coker <russ...@coker.com.au>
   selinux-dbus (U)
   selinux-python (U)

Samuel Thibault <sthiba...@debian.org>
   brltty (U)

Santiago Ruano Rincón <santi...@debian.org>
   isc-dhcp (U)
   sugar (U)

Scott Howard <show...@debian.org>
   arduino
   arduino (U)

Sebastian Parschauer <s.parscha...@gmx.de>
   scanmem

Sebastian Ramacher <sramac...@debian.org>
   obs-studio (U)

Sebastien Bacher <seb...@debian.org>
   deja-dup (U)
   gnome-initial-setup (U)

Seth Forshee <seth.fors...@canonical.com>
   trace-cmd (U)

Sjoerd Simons <sjo...@debian.org>
   network-manager (U)
   systemd (U)

Stefano Karapetsas <stef...@karapetsas.com>
   caja-dropbox (U)
   mate-applets (U)
   mate-polkit (U)
   mate-power-manager (U)
   mate-settings-daemon (U)
   mate-system-monitor (U)

Steve McIntyre <93...@debian.org>
   fwupd (U)

Sudip Mukherjee <sudipm.mukher...@gmail.com>
   kernelshark
   trace-cmd

Thorsten Alteholz <deb...@alteholz.de>
   hplip (U)

Till Kamppeter <till.kamppe...@gmail.com>
   hplip (U)

Ubuntu Developers <ubuntu-dev-t...@lists.alioth.debian.org>
   gdebi

Ubuntu Kernel Team <kernel-t...@lists.ubuntu.com>
   trace-cmd

Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
   cockpit
   network-manager
   policykit-1-gnome
   realmd
   udisks2
   upower

Vangelis Mouhtsis <vange...@gnugr.org>
   caja-admin (U)
   caja-dropbox (U)
   mate-applets (U)
   mate-polkit (U)
   mate-power-manager (U)
   mate-settings-daemon (U)
   mate-system-monitor (U)

xiao sheng wen <atzli...@sina.com>
   grub-customizer

Yangfl <mmyan...@gmail.com>
   galternatives (U)

Yanhao Mo <yanha...@gmail.com>
   hotspot

Yann Amar <quid...@poivron.org>
   bilibop

Yves-Alexis Perez <cor...@debian.org>
   lightdm-gtk-greeter (U)
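
A check for the dependency change the template asks for, as an added example that is not part of the original mail: it parses debian/control text and reports Depends, Recommends, Suggests or Build-Depends clauses that name policykit-1 without a polkitd or pkexec alternative, skipping clauses such as polkitd | policykit-1 in the same way the dd-list was filtered. The sample control file and its example-tool package names are constructed for illustration.

```python
import re

FIELDS = ("Depends", "Recommends", "Suggests", "Build-Depends")  # named in the template
REPLACEMENTS = {"polkitd", "pkexec"}
# Constructed sample debian/control; the example-tool packages are hypothetical.
SAMPLE = """\
Source: example-tool
Build-Depends: debhelper-compat (= 13),
               policykit-1

Package: example-tool
Depends: ${misc:Depends}, polkitd | policykit-1, policykit-1-gnome
Recommends: policykit-1 (>= 0.105)

Package: example-tool-gui
Depends: pkexec | policykit-1
Suggests: policykit-1
"""

def parse_stanzas(text):
    """Split control text into {field: value} stanzas, unfolding continuation lines."""
    stanzas, current, field = [], {}, None
    lines = [l for l in text.splitlines() if not l.startswith("#")]  # drop comment lines
    for line in lines + [""]:  # the trailing "" flushes the last stanza
        if not line.strip():
            if current:
                stanzas.append(current)
            current, field = {}, None
        elif line[0] in " \t" and field:
            current[field] += " " + line.strip()
        elif ":" in line:
            field, value = line.split(":", 1)
            current[field] = value.strip()
    return stanzas

def find_policykit_deps(control_text):
    """Return (stanza, field, clause) for clauses naming policykit-1 with no polkitd/pkexec alternative."""
    findings = []
    for stanza in parse_stanzas(control_text):
        owner = stanza.get("Package") or stanza.get("Source", "?")
        for field in FIELDS:
            for clause in stanza.get(field, "").split(","):
                # Name of each "|" alternative; ${...} substvars match nothing.
                names = set(re.findall(r"(?:^|\|)\s*([a-z0-9][a-z0-9+.-]*)", clause))
                if "policykit-1" in names and not names & REPLACEMENTS:
                    findings.append((owner, field, clause.strip()))
    return findings

if __name__ == "__main__":
    print(*find_policykit_deps(SAMPLE), sep="\n")
```

Clauses on other packages whose names merely start with policykit-1, such as policykit-1-gnome, are not reported, because each alternative is compared by its full package name.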