Red Hat Bugzilla – Bug 967354
Impossible to uninstall polkit-pkla-compat
Last modified: 2013-05-27 09:05:14 EDT
I'm trying to uninstall the polkit-pkla-compat package but this is causing the polkit package to be uninstalled which then causes most of the OS to be uninstalled. So, basically, the polkit-pkla-compat package is not optional.
FWIW (but I think you already know this), this package is very problematic it is causing a lot of extra processes to be created (at least one on *every* authorization check). The way it works *directly* contradicts what the polkit(8) man page says
namely "The spawn() method should be used sparingly [...]".
I'd really rather you didn't ship this in Fedora (I don't care what you do in RHEL). And if you really think that .pkla support is important (I've failed explaining to you and other that it's not) I'd rather you patch your polkit packages to do it without wasting processes power like this.
It's really quite disappointing that you are shipping this in the default install. Please don't do this. Thanks.
Thanks for your report.
IMO, consistent results of the policy trump performance, and that's why polkit-pkla-compat needs to stay mandatory.
It would be great to improve the performace, however I don't currently have any more time to spend on this; patches would be definitely welcome.
(And re: the recommendation in polkit(8), it doesn't really apply because the pkla-* helpers can't run for a "very long or indeterminate amount of time", and polkitd does not handle other requests until the current one is answered ion any case, whether the answer is determined in C or JS).
FWIW, some numbers (average of 5 measurements, real time):
* (pkcheck --action-id org.freedesktop.locale1.set-keyboard --process $$)
without polkit-pkla-compat: 27 ms
* The same with polkit-pkla-compat: 61.8 ms
(OK, a non-trivial increase.)
* (pkla-check-authorization mitr true true org.freedesktop.locale1.set-keyboard)
One possible way to speed this up is to deviate polkit-pkla-compat further from the original code and to rip out all of the gio/gmonitor calls, with the goal of no longer linking with libgio (at least for pkla-admin-identities, 98% of the runtime is spent loading and initializing various libraries).
Another would be to add enough functionality to JS to actually allow implementing polkit-pkla-* in JS.
And the third is to call polkitbackendlocalauthority from inside the JS backend, which is architecturally really ugly.