Comment 7 for bug 1897287

Yes, any package that did not get built with libpolkit-agent-1-dev does not have Polkit-1 support enabled. This is the case for all Debian packages. Unless Ubuntu rebuilt the packages in an environment that has libpolkit-agent-1-dev by sheer luck, they have it disabled as well. You can check the `POLKIT` constant in `usr/lib/python3/dist-packages/blueman/Constants.py` to verify that.

Apart from managing networks and launching DHCP clients, the otherwise authorized actions also include launching PPP daemons and setting rfkill states.

Unfortunately I've still failed to make contact to the Debian security team, so it's open what will happen with stretch and buster. A 2.1.4-1 is on mentors https://mentors.debian.net/package/blueman/ (so this is kinda public now if somebody analyses the changes and draws the right conclusions) and I'm waiting for my sponsor to upload it to unstable from where it should get migrated to testing 2 days later. Feel free to pick it for groovy as well, if that's an option.

If I don't hear anything back from the Debian security team, the plan is to release the upstream patches and version 2.1.4 once it reached Debian testing. I might hold back the security advisory a little longer as I think the state in the stable Debian and Ubuntu releases is pretty bad, but if I cannot reach Debian security or they aren't interested there's not much I can do.

The 2.0 patch is attached now (look like you only add one attachment per post).