[Oneiric] update-manager installs packages without authentication

Sam, post the output of:

apt-cache policy update-manager

Thanks.
---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

$ apt-cache policy update-manager
update-manager:
  Installed: 1:0.152.6
  Candidate: 1:0.152.6
  Version table:
 *** 1:0.152.6 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
        100 /var/lib/dpkg/status

Thanks. I will test this out as soon as possible and report back.
---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

I can confirm this too - also I don't think it's proper to assign a bug to yourself unless you're currently working on a fix. Unless we're all mistaken here it seems like quite a serious security issue to allow updates to be done with any authentication.

Confirmed in a fresh install of 11.10.
---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

This was also the case in update-manager version 151.7 it seems.
---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

In changelog I ran into Bug #626798, maybe it's related to policykit.

This is by design and only applies to admins:

policykit-desktop-privileges (0.6) oneiric; urgency=low

  * Allow local admins to update already installed software without password.

https://launchpad.net/ubuntu/oneiric/+source/policykit-desktop-privileges/0.6

Thanks for the clarification Brian.
When I did a partitial upgrade it requested a passwd, although it updated already installed packages, then the policy seems to be inconsistent when it says 'update already installed software'.

Actually it asks again for authentication. Bug #819328
Please clarify what is expected, authentication or not?

Can somebody clarify what should happen here? In 11.04 whenever I used update manager to install updates I was asked to authenticate. On 11.10 Beta (15th Sept 2011) I am not asked to authenticate. Comments above suggest that this is correct for administrator users. This appears not to be consistent with the fact that from the command line I have to use sudo apt-get upgrade, and authenticate.

This is worrying as I don't want my kids to be able to install without admin authorisation under their own logon.
Are security actions like removing all 3rd party PPAs necessary?

Ok, without sounding like I am whinging, and whining.
2nd time update manager has run on the new 11.10 upgrade, it again updated software after I pressed the 'install updates' button without asking for any password.

This was not a release update, it was the usual patch cycle.

This is a now a very insecure system for me to use - can someone please provide me with some reassurance?

That's why I've marked my follow-up Bug #863602 as invalid.
As I understood the policy says
< update *already installed* software without password >
which doesn't regard installations of new packages. Admitted it's still confusing the user.

I would like to add that one of the best things ubuntu has going for it is that in order to install anything you have to use adm. password to do it. I would much rather have to use it to install anything including updates no matter who is using my computer..