A changed PolicyKit policy for package installation was agreed upon in https://fedorahosted.org/fesco/ticket/1115 , but apparently never implemented. It needs to be implemented for final release. I cannot nominate this as a release blocking bug per the blocker process as it doesn't violate any release criteria. FESCo is expected to have its own mechanism for tracking issues that must be resolved prior to release relating to FESCo decisions. However, I'm nominating it as a freeze exception bug as it will need a freeze exception to be taken after the impending final release freeze.
Patch from Notting was provided in #1115: https://fedorahosted.org/fesco/ticket/1115#comment:20

For the javascript, put the following in /usr/share/polkit-1/rules.d/packagekit.rules:

    polkit.addRule(function(action, subject) {
        if ((action.id == "org.freedesktop.packagekit.package-install" ||
             action.id == "org.freedesktop.packagekit.package-remove" ||
             action.id == "org.freedesktop.packagekit.system-update" ||
             action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
            subject.active == true && subject.local == true &&
            subject.isInGroup("wheel")) {
            return polkit.Result.YES;
        }
    });

(Holler if I got the full list of methods wrong, but it definitely works for the package install case). Then the recent changes for allow_active for these methods would change back from 'yes' to 'auth_admin_keep'.
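The rule in the comment above can be exercised offline with a small harness; this is an added example, not part of the original comment or of PackageKit. The `polkit` mock, `makeSubject`, `decide` and the `org.example.unlisted-action` id are constructed stand-ins, and the fallback assumes the `allow_active` default is back at `auth_admin_keep` as the comment describes.

```javascript
// Constructed stand-in for the two polkit members the rule uses (not polkitd).
const rules = [];
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  addRule: (fn) => rules.push(fn),
};

// Action ids listed in the comment above.
const PK_ACTIONS = [
  "org.freedesktop.packagekit.package-install",
  "org.freedesktop.packagekit.package-remove",
  "org.freedesktop.packagekit.system-update",
  "org.freedesktop.packagekit.trigger-offline-update",
];

// Same condition as the posted rule, with the id comparison done via the array.
polkit.addRule(function (action, subject) {
  if (PK_ACTIONS.indexOf(action.id) !== -1 &&
      subject.active == true && subject.local == true &&
      subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});

// Hypothetical helper: real polkit fills these fields in from the session.
function makeSubject(groups, active, local) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// The first rule that returns a value decides. If none does, the action's
// implicit allow_active default applies (assumed here: auth_admin_keep).
function decide(actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return polkit.Result.AUTH_ADMIN_KEEP;
}

const INSTALL = PK_ACTIONS[0];
const cases = [
  ["wheel, local, active", INSTALL, makeSubject(["wheel"], true, true)],
  ["non-wheel, local, active", INSTALL, makeSubject(["users"], true, true)],
  ["wheel, remote session", INSTALL, makeSubject(["wheel"], true, false)],
  ["wheel, unlisted action", "org.example.unlisted-action", makeSubject(["wheel"], true, true)],
];
for (const [label, id, subject] of cases) console.log(label, "->", decide(id, subject));
```

Only the first case short-circuits to `yes`; the other three fall through to the admin-authentication default.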
Can someone test the PackageKit package here please: http://people.freedesktop.org/~hughsient/fedora/ -- if that works I'll spin a new upstream release and push it into F19. Thanks.
PackageKit-0.8.9-5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/PackageKit-0.8.9-5.fc19
Package PackageKit-0.8.9-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing PackageKit-0.8.9-5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11181/PackageKit-0.8.9-5.fc19
then log in and leave karma (feedback).
I confirm at least the following:
* Without the update, a non-admin user can 'pkcon install' any package from the repos
* With the update, a non-admin user cannot 'pkcon install' anything without the root password
* With the update, an admin user can 'pkcon remove' a package (but I was asked for the user's password)
* With the update, an admin user can 'pkcon install' a package without authentication (though it may have been cached from the 'pkcon remove')
Definitely looks like an 'improvement'.
Discussed at 2013-06-19 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-19/f19final-blocker-review-7.2013-06-19-16.01.log.txt . Accepted as a freeze exception issue, FESCo is mandating this be fixed before Final so obviously it gets a freeze exception. (This is basically a 'blocker bug', but there's some boring process argumentation about whether it should be denoted a FinalBlocker or whether it's FESCo's job to track it, but it definitely needs FE status).
PackageKit-0.8.9-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.