Bug 975214 - Implement package installation policy agreed in FESCo #1115
Summary: Implement package installation policy agreed in FESCo #1115
Alias: None
Product: Fedora
Classification: Fedora
Component: PackageKit
Version: 19
Hardware: All
OS: All
Target Milestone: ---
Assignee: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F19-accepted, F19FinalFreezeException
Reported: 2013-06-17 20:14 UTC by Adam Williamson
Modified: 2013-06-23 06:25 UTC

Fixed In Version: PackageKit-0.8.9-5.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-06-23 06:25:15 UTC
Type: Bug


Description Adam Williamson 2013-06-17 20:14:41 UTC
A changed PolicyKit policy for package installation was agreed upon in https://fedorahosted.org/fesco/ticket/1115 , but apparently never implemented. It needs to be implemented for final release.

I cannot nominate this as a release blocking bug per the blocker process as it doesn't violate any release criteria. FESCo is expected to have its own mechanism for tracking issues that must be resolved prior to release relating to FESCo decisions. However, I'm nominating it as a freeze exception bug as it will need a freeze exception to be taken after the impending final release freeze.

Comment 1 Adam Williamson 2013-06-17 20:18:03 UTC
Patch from Notting was provided in #1115:


For the JavaScript, put the following in /usr/share/polkit-1/rules.d/packagekit.rules:

polkit.addRule(function(action, subject) {
    // Allow these PackageKit actions without a prompt only for wheel members
    // in an active, local session; otherwise fall through to the policy default.
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-remove" ||
         action.id == "org.freedesktop.packagekit.system-update" ||
         action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

(Holler if I got the full list of methods wrong, but it definitely works for the package install case). Then the recent changes for allow_active for these methods would change back from 'yes' to 'auth_admin_keep'.
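
The decision the rule above makes, exercised offline against constructed subjects. This is an added example, not part of the bug report or of PackageKit: the polkit stand-in object and the helpers makeSubject, authorize and decisionTable are hypothetical, and "implicit-default" stands for falling through to the action's .policy defaults (auth_admin_keep for active sessions, per the comment above).

```javascript
// Stand-in for the polkit rule API, constructed so the rule runs outside polkitd.
const polkit = {
  Result: { YES: "yes" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// The rule from Comment 1, with its closing braces.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-remove" ||
         action.id == "org.freedesktop.packagekit.system-update" ||
         action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

// Constructed subject carrying only the attributes the rule reads.
function makeSubject(user, groups, active, local) {
  return { user, active, local, isInGroup: (g) => groups.includes(g) };
}

// The first rule that returns a value decides; if none does, the action's
// implicit authorization from its .policy file applies.
function authorize(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return "implicit-default";
}

const INSTALL = "org.freedesktop.packagekit.package-install";

// One row per condition in the rule: dropping any of them must lose the YES.
function decisionTable() {
  const cases = {
    wheelLocalActive: makeSubject("admin", ["wheel"], true, true),
    nonWheelLocalActive: makeSubject("guest", ["users"], true, true),
    wheelRemote: makeSubject("admin", ["wheel"], true, false),
    wheelInactive: makeSubject("admin", ["wheel"], false, true),
  };
  const out = {};
  for (const [name, s] of Object.entries(cases)) out[name] = authorize(INSTALL, s);
  return out;
}
console.log(decisionTable());
```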

Comment 2 Richard Hughes 2013-06-18 08:11:19 UTC
Can someone test the PackageKit package here please: http://people.freedesktop.org/~hughsient/fedora/ -- if that works I'll spin a new upstream release and push it into F19. Thanks.

Comment 3 Fedora Update System 2013-06-18 11:20:48 UTC
PackageKit-0.8.9-5.fc19 has been submitted as an update for Fedora 19.

Comment 4 Fedora Update System 2013-06-18 19:42:24 UTC
Package PackageKit-0.8.9-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing PackageKit-0.8.9-5.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 5 Adam Williamson 2013-06-19 00:30:46 UTC
I confirm at least the following:

* Without the update, a non-admin user can 'pkcon install' any package from the repos
* With the update, a non-admin user cannot 'pkcon install' anything without the root password
* With the update, an admin user can 'pkcon remove' a package (but I was asked for the user's password)
* With the update, an admin user can 'pkcon install' a package without authentication (though it may have been cached from the 'pkcon remove')

Definitely looks like an 'improvement'.

Comment 6 Adam Williamson 2013-06-19 18:15:48 UTC
Discussed at 2013-06-19 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-19/f19final-blocker-review-7.2013-06-19-16.01.log.txt . Accepted as a freeze exception issue, FESCo is mandating this be fixed before Final so obviously it gets a freeze exception. (This is basically a 'blocker bug', but there's some boring process argumentation about whether it should be denoted a FinalBlocker or whether it's FESCo's job to track it, but it definitely needs FE status).

Comment 7 Fedora Update System 2013-06-23 06:25:15 UTC
PackageKit-0.8.9-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
