[security review] Sync policykit-1 121+compat0.1-5 (main) from Debian unstable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
policykit-1 (Ubuntu) | Fix Released | High | Sebastien Bacher |
Bug Description
Please sync policykit-1 121+compat0.1-5 (main) from Debian unstable for Ubuntu 23.04
Changelog entries since current kinetic version 0.105-33:
https:/
In particular, see the 0.120-4 changelog entry.
I am filing a bug for Security Team review.
Previously, Debian and Ubuntu developers agreed to keep using
the last version of policykit before it switched to using JavaScript rules.
But that was years ago. I believe Debian & Ubuntu are the only distros
to have opted out of the new policykit. It is harder to maintain
the old style rules when upstream rules use the new format. And it is
a challenge to backport security and other bugfixes from the new
series, without making mistakes or missing important details.
There was a proposal to use duktape instead of mozjs for the JavaScript
interpreter but I don't think that's been merged yet.
Changed in policykit-1 (Ubuntu): | |
importance: | Undecided → Wishlist |
status: | New → Confirmed |
summary: | Sync policykit-1 0.120-6 (main) from Debian experimental → [security review] Sync policykit-1 0.120-6 (main) from Debian experimental |
Changed in policykit-1 (Ubuntu): | |
importance: | Wishlist → Medium |
assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
tags: | added: kinetic |
information type: | Public → Public Security |
description: | updated |
description: | updated |
tags: | added: mantic update-excuse; removed: block-proposed kinetic |
Changed in policykit-1 (Ubuntu): | |
importance: | Medium → High |
assignee: | Ubuntu Security Team (ubuntu-security) → Sebastien Bacher (seb128) |
status: | Confirmed → Fix Committed |
We do not want policykit to use the unmaintainable mozjs backend. That would be a hard NACK from the Security Team.
The duktape backend has been merged upstream. So in order to sync this to Ubuntu, the following must be done:
1- Get Debian to switch to the duktape backend
2- Get Debian to transition all packages in the archive from PKLA policy files to JS policy files
3- Transition Ubuntu packages not in Debian from PKLA policy files to JS policy files
4- Investigate Snap policykit support, and if required, transition Snaps from PKLA policy files to JS policy files.
Once the transition has been done for all software, policykit can be switched to the duktape policykit backend by syncing the package from Debian. Hopefully at that point it will be in Unstable, and not in experimental.
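As an added worked example for steps 2 and 3 (the PKLA to JS transition), and not code from policykit-1, Debian, or any participant in this bug: a small Node.js script that turns 0.105-style .pkla entries into equivalent polkit.addRule() blocks. It makes the following assumptions, each also marked in the code: ResultActive applies to local active sessions, ResultInactive to local inactive sessions, and ResultAny to everything else (and as fallback when the more specific key is absent); the 0.105 local authority lets a later matching entry override an earlier one, whereas a .rules file stops at the first rule that returns anything other than polkit.Result.NOT_HANDLED, so sections are emitted in reverse order (check both against pklocalauthority(8) and polkit(8) before trusting a bulk conversion); and Action globs use only the * and ? wildcards. The sample .pkla input is constructed for the example.

```javascript
'use strict';
// Added example: convert polkit 0.105 .pkla (localauthority) entries into
// polkit >= 0.106 JavaScript rules. Not part of policykit-1 or Debian tooling.
// Assumed semantics (verify against pklocalauthority(8) / polkit(8)):
//   ResultActive   -> subject.local && subject.active
//   ResultInactive -> subject.local && !subject.active
//   ResultAny      -> everything else, and fallback for the two above
//   pkla: later matching entry wins; rules: first non-NOT_HANDLED wins.

const RESULT_MAP = {
  no: 'polkit.Result.NO',
  yes: 'polkit.Result.YES',
  auth_self: 'polkit.Result.AUTH_SELF',
  auth_self_keep: 'polkit.Result.AUTH_SELF_KEEP',
  auth_admin: 'polkit.Result.AUTH_ADMIN',
  auth_admin_keep: 'polkit.Result.AUTH_ADMIN_KEEP',
};

// Parse the INI-style pkla text into [{name, keys}] in file order.
function parsePkla(text) {
  const sections = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = { name: header[1], keys: {} };
      sections.push(current);
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || current === null) throw new Error(`malformed pkla line: ${raw}`);
    current.keys[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Identity=unix-user:alice;unix-group:admin;unix-user:*  ->  JS condition.
function identityToJs(identity) {
  const terms = identity.split(';').filter(Boolean).map((id) => {
    const [kind, name] = id.split(':');
    if (kind === 'unix-user') return name === '*' ? 'true' : `subject.user == ${JSON.stringify(name)}`;
    if (kind === 'unix-group') return `subject.isInGroup(${JSON.stringify(name)})`;
    throw new Error(`unsupported identity: ${id}`);
  });
  return terms.length === 1 ? terms[0] : `(${terms.join(' || ')})`;
}

// Action=org.foo.bar;org.baz.*  ->  JS condition; globs (* and ?) become a regex.
function actionToJs(action) {
  const terms = action.split(';').filter(Boolean).map((a) => {
    if (!/[*?]/.test(a)) return `action.id == ${JSON.stringify(a)}`;
    const re = '^' + a.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
    return `/${re}/.test(action.id)`;
  });
  return terms.length === 1 ? terms[0] : `(${terms.join(' || ')})`;
}

function resultToJs(value) {
  if (value === undefined) return undefined;
  const r = RESULT_MAP[value];
  if (!r) throw new Error(`unknown Result value: ${value}`);
  return r;
}

// One pkla section -> one polkit.addRule() block.
function ruleFromSection(section) {
  const k = section.keys;
  if (!k.Identity || !k.Action) throw new Error(`section [${section.name}] lacks Identity or Action`);
  const any = resultToJs(k.ResultAny);
  const active = resultToJs(k.ResultActive) || any;     // assumed fallback to ResultAny
  const inactive = resultToJs(k.ResultInactive) || any; // assumed fallback to ResultAny
  const lines = [
    `// ${section.name}`,
    'polkit.addRule(function(action, subject) {',
    `    if (!(${actionToJs(k.Action)})) return polkit.Result.NOT_HANDLED;`,
    `    if (!(${identityToJs(k.Identity)})) return polkit.Result.NOT_HANDLED;`,
  ];
  if (active) lines.push(`    if (subject.local && subject.active) return ${active};`);
  if (inactive) lines.push(`    if (subject.local && !subject.active) return ${inactive};`);
  if (any) lines.push(`    if (!subject.local) return ${any};`);
  lines.push('    return polkit.Result.NOT_HANDLED;', '});'); // fall through to the .policy defaults
  return lines.join('\n');
}

// Sections are emitted in reverse order: the last matching pkla entry overrode
// earlier ones (assumed), but the first decisive rule wins in a .rules file.
function convertPkla(text) {
  return parsePkla(text).slice().reverse().map(ruleFromSection).join('\n\n') + '\n';
}

// Constructed sample input, not taken from any real package.
const SAMPLE_PKLA = `# constructed sample pkla
[Allow admins to manage units]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.systemd1.*
ResultAny=auth_admin
ResultInactive=auth_admin_keep
ResultActive=yes

[Deny alice the network manager]
Identity=unix-user:alice
Action=org.freedesktop.NetworkManager.settings.modify.system;org.freedesktop.NetworkManager.enable-disable-network
ResultActive=no
`;

if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(convertPkla(SAMPLE_PKLA));
}
```

The generated file still needs a human read before it is dropped into /etc/polkit-1/rules.d/ with a numeric prefix that orders it correctly against the other rules files, and a section whose identity kind the converter does not understand is rejected rather than silently turned into an always-true condition.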