> There was a proposal to use duktape instead of mozjs for the JavaScript
> interpreter but I don't think that's been merged yet.

This was merged upstream, but unfortunately there has not yet been a release that contains this change. I don't really want to use an arbitrary git snapshot for security-sensitive software; but then again, all releases of polkit have security vulnerabilities (CVE-2021-4115 and CVE-2021-4034 were both fixed since 0.120) so in some ways an arbitrary git snapshot would be safer.

I was surprised to see that Fedora is currently patching polkit to use mozjs91 (also merged upstream but not released), rather than patching it to use duktape.

> My understanding is the Debian experimental version doesn't support both at
> the same time, it's one or the other depending on which binary package you
> install.

That is correct. You can have the old PKLA policies with no runtime dependency on mozjs by installing polkitd-pkla, or you can have the JS policies with a runtime dependency on mozjs (which will switch to duktape in future) by installing polkitd-javascript, but you can't have both simultaneously.

There is a separate package in e.g. Fedora that extends the JS backend to also read PKLA policies, but that's not currently in Debian or Ubuntu, and it isn't clear to me that it should be.

I have also been very tempted to modify 0.120 so it only builds polkitd-pkla (dropping the JS dependency) and upload that to unstable, versioned 0.105+really0.120 or something, as a way to get a PKLA backend that isn't in a codebase from the distant past (look at the debian/patches of 0.105 and despair).

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4034

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4115

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review. Previously, Debian and Ubuntu developers agreed to keep using the last version of policykit before it switched to using JavaScript rules. But that was years ago.

  I believe Debian & Ubuntu are the only distros to have opted out of the new policykit. It is harder to maintain the old style rules when upstream rules use the new format. And it is a challenge to backport security and other bugfixes from the new series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the updated version in time for the next Debian Stable release (so uploading to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.