remove polkit from core?

Lennart Poettering mzerqung at 0pointer.de
Fri Nov 9 16:43:17 UTC 2012


On Fri, 09.11.12 11:27, Matthew Miller (mattdm at fedoraproject.org) wrote:

> Apparently the new version of polkit brings in javascript. The js package is
> 6.5MB. I think anything that uses polkit will depend on it -- can we remove
> it from core?

We can work towards that but it requires a bit of changes in systemd. A
number of systemd services check with PK for authorization if an
unprivileged user tries to execute a privileged operation. Since we
never really tested this on systems that lack PK the fallback code that
bypasses PK if it is not around didn't really get the testing it
deserved. Just today I made a minor fix to systemd git to deal nicely
with PK-less systems.

So, I think it makes sense to make PK truly optional, but this needs a
bit of love in some layers of our stack, not just systemd but others as
well, I presume. If somebody wants to work on it, please do, and file
bugs whenever you notice that you get a PK related error message where a
fallback to classic Unix UID-based security doesn't work as it should.

David actually documented explicitly that daemons should fall back to
classic Unix-style uid-based authorization if PK is found not to be
around. It's clearly systemd's fault that we so far didn't follow this
fully.

Of course, it should be clear that making PK optional if a desktop is
installed is not desirable, but other than that I think for head-less
systems such as servers or embedded making PK optional would be a
desirable goal and worthwhile to spend a bit of work on.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
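
The fallback discussed in the message above, as an added example that is not part of the original post and is not systemd's code: a daemon applies the classic uid-based rule only when polkit is absent from the bus, and any other failure denies the request. The `pk_result` struct, the helper names and the fail-closed handling of other errors are assumptions made for this sketch; the D-Bus error names are the standard ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model of one polkit query as the daemon sees it: either a
 * reply carrying a decision, or a D-Bus error name if the call failed. */
struct pk_result {
    const char *dbus_error;  /* NULL when polkit answered */
    bool is_authorized;      /* meaningful only when dbus_error == NULL */
};

/* Standard D-Bus error names indicating that nothing owns the polkit bus
 * name, i.e. polkit is not installed or could not be activated. */
static bool pk_is_absent(const char *err) {
    return strcmp(err, "org.freedesktop.DBus.Error.ServiceUnknown") == 0 ||
           strcmp(err, "org.freedesktop.DBus.Error.NameHasNoOwner") == 0;
}

/* Classic Unix rule used as the fallback: only uid 0 may proceed. */
static bool uid_policy_allows(uid_t caller) {
    return caller == 0;
}

/* Hypothetical helper: may `caller` perform the privileged operation? */
bool authorize_caller(uid_t caller, const struct pk_result *pk) {
    if (pk->dbus_error == NULL)
        return pk->is_authorized;          /* polkit present: its answer stands */
    if (pk_is_absent(pk->dbus_error))
        return uid_policy_allows(caller);  /* polkit absent: uid-based fallback */
    return false;                          /* timeout or other error: fail closed */
}

int main(void) {
    /* Constructed sample: a polkit-less system, queried by root and by uid 1000. */
    struct pk_result absent = { "org.freedesktop.DBus.Error.ServiceUnknown", false };
    printf("root, no polkit:     %d\n", authorize_caller(0, &absent));
    printf("uid 1000, no polkit: %d\n", authorize_caller(1000, &absent));
    return 0;
}
```

Keeping the fallback tied to the "service absent" errors means a stalled or misbehaving polkit cannot be used to reach the uid-based path.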

