Re: SV: MATE 1.8 has now fully arrived in Debian
https://lists.debian.org/debian-devel/2 ... 00455.html
That is one of the main points of the thread, so far (another huge read in my quest)... I hope you readers like it too.
Simon McVittie wrote:
On 25/06/14 15:43, Svante Signell wrote:
> Regarding mate desktop policykit-1 build-depends on libsystemd-login-dev only for linux-any. What functionality is missing for other architectures?
Runtime dependencies on systemd support libraries like libsystemd-login0 are harmless for people who don't want to run the systemd-logind daemon, the same way a dependency on libselinux0 has no effect on people who don't boot Linux with SELinux enabled.
The interesting dependency chain is:

policykit-1 Depends libpam-systemd [linux-any]
    (degraded functionality on !linux)
libpam-systemd Depends systemd
    (i.e. systemd binaries are installed)
libpam-systemd Depends systemd-sysv
    (i.e. systemd is pid 1)
  or systemd-shim
    (i.e. systemd-logind runs, but systemd is probably not pid 1)

At a guess, the desired capability here is the ability to have policies of the form "users may $verb, but only if they are logged-in locally, not from a remote login or a cron job". $verb might be something like "suspend the computer", "reconfigure networking" or "use the microphone/webcam to record the local user of the computer", for instance; it's fine for a sysadmin to be able to set up users who can do those things remotely, but the sensible default for all of them is "only if you're logged-in locally".
In Debian 7, PolicyKit could answer the question "is Svante logged-in locally?" by asking ConsoleKit. ConsoleKit is no longer maintained upstream, so in the current version of PolicyKit, the only implementation of an answer to that question is asking systemd-logind, which CK's upstream maintainers consider to have superseded CK. In the absence of systemd (or an actively-maintained ConsoleKit code path), the best available answer to "is Svante logged-in locally?" is "I have no idea, assume 'no'".
#751028 (policykit-1's dependency on libpam-systemd, which is the component that tells systemd-logind that you are logged in locally, and depends on systemd-logind itself) is marked wontfix. I would guess that this is because the maintainers of policykit-1 are not willing to deal with the support burden of users opening bugs of the form "PolicyKit won't let me $verb" which turn out, after investigation, to be because they do not have libpam-systemd installed.
In practice, many (most?) of the actions controlled by PK have a default policy of "only if you're logged-in locally", so the lack of logind is a significant functionality loss: you'd need to give the root password or add additional local group-based PK policies to be able to do a lot of "reasonable desktop things" like suspending, configuring networking, using audio.
Upstream developers in various projects increasingly oppose group-based access, because membership of many "desktop stuff" groups essentially means "can ssh in and do bad things to a local user". For instance, putting desktop users in group 'audio' or 'video' is no longer a requirement for access to sound cards on systems with systemd-logind (it hands out access using temporary ACLs instead) - which is just as well, because putting those users in a group with permanent rw access to the sound device or webcam would essentially mean they can ssh in while someone else is using a computer, and spy on what is said near it.
Svante Signell wrote:
> What about libselinux for policykit-1, this dependency is also linux-any.
The ability to have policies of the form "users may $verb if they do so from a process in the foo_t SELinux context", presumably.
S
EDIT START: I think I made the first four posts of mine at the start of this topic much, much clearer and easier to read, just now.
I allow that the objections were partly justified.
I hope anyone studying this thread will later not find _so_ many objections (some of the things, such as on my search, I can't find time (I really input a lot of work in this improvement) to properly improve)...
EDIT END
EDIT END
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
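
Added example, not part of the original post or of PolicyKit's own code: a small audit of polkit `.policy` defaults that lists the actions a locally logged-in user gets outright but a caller with no session information does not, which is the functionality loss the quoted message describes when logind is absent. The sample XML and its action ids are constructed, and treating a missing element as "no" is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit's .policy XML layout; the action ids are made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.power.suspend">
    <defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active></defaults>
  </action>
  <action id="org.example.net.configure">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active></defaults>
  </action>
  <action id="org.example.info.read">
    <defaults><allow_any>yes</allow_any><allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""

def load_defaults(xml_text):
    """Map each action id to its <defaults> children, e.g. {'allow_any': 'no', ...}."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        children = defaults if defaults is not None else []
        actions[action.get("id")] = {c.tag: (c.text or "").strip() for c in children}
    return actions

def implicit_result(defaults, session):
    """session is 'active', 'inactive', or None when nothing can vouch that
    the caller is logged in locally; then only allow_any applies."""
    key = {"active": "allow_active", "inactive": "allow_inactive"}.get(session, "allow_any")
    return defaults.get(key, "no")  # missing element treated as "no" (assumption)

def degraded_without_session_tracking(xml_text):
    """Return (action id, fallback result) for actions that a local active
    user gets with a plain 'yes' but an untracked caller does not."""
    rows = []
    for action_id, defaults in sorted(load_defaults(xml_text).items()):
        fallback = implicit_result(defaults, None)
        if implicit_result(defaults, "active") == "yes" and fallback != "yes":
            rows.append((action_id, fallback))
    return rows

if __name__ == "__main__":
    for action_id, fallback in degraded_without_session_tracking(SAMPLE_POLICY):
        print(f"{action_id}: local active user -> yes, no session info -> {fallback}")
```

On a real system the same functions can be fed the text of the files under /usr/share/polkit-1/actions/.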