Old 04-09-2010, 04:54 PM
David Zeuthen
 
Default PolicyKit-authentication-agents in Fedora

On Thu, 2010-04-08 at 18:05 +0200, Christoph Wickert wrote:
> I just imported lxpolkit into CVS, but it's not yet built because I
> don't want to break anything.
>
> We now have 3 PolicyKit-authentication-agents in Fedora:
> * polkit-gnome
> * polkit-kde
> * lxpolkit
>
> As you can see lxpolkit has the shortest name and will therefore be
> chosen by yum if anything requires PolicyKit-authentication-agent (ATM
> system-config-samba and system-config-services). There is no problem
> having several agents installed but we need to make sure that only one
> gets started at a time.

First, PolicyKit-authentication-agent is a holdover from the old days
when the package was called PolicyKit, not polkit, and things worked in
different ways.

Second, we should just get rid of the PolicyKit-authentication-agent
virtual package - mechanisms/policy agents like system-config-samba
(which I believe is both a mechanism and a policy agent) etc. should not
be concerned with whether the administrator has configured the system
correctly.

As the polkit docs clearly spell out, it is the responsibility of each
environment to provide authentication agents that register with the
polkit authority - see

http://hal.freedesktop.org/docs/polkit/polkit-agents.html

The way it should work is this

- polkit-gnome, lxpolkit, polkit-kde etc. should NOT provide an
  autostart desktop file. These packages really just provide code; in
  particular they MUST NOT encode policy e.g. make assumptions that
  people would want to run their code.

- Packages containing environments like GNOME, KDE, LXDE should
  - Require a suitable polkit authentication agent, e.g. polkit-gnome
  - Ensure itself the authentication agent is started
    - this can be done via hard-coding stuff in gnome-session.c or
      using an autostart file or whatever

David


--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
Old 04-09-2010, 06:00 PM
Matthias Clasen
 
Default PolicyKit-authentication-agents in Fedora

On Fri, 2010-04-09 at 12:54 -0400, David Zeuthen wrote:

>
> http://hal.freedesktop.org/docs/polkit/polkit-agents.html
>
> The way it should work is this
>
> - polkit-gnome, lxpolkit, polkit-kde etc. should NOT provide an
>   autostart desktop file. These packages really just provide code; in
>   particular they MUST NOT encode policy e.g. make assumptions that
>   people would want to run their code.
>
> - Packages containing environments like GNOME, KDE, LXDE should
>   - Require a suitable polkit authentication agent, e.g. polkit-gnome
>   - Ensure itself the authentication agent is started
>     - this can be done via hard-coding stuff in gnome-session.c or
>       using an autostart file or whatever

We should probably bring polkit-gnome in compliance with this, then. It
still ships an autostart file.

--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
Old 04-09-2010, 06:30 PM
David Zeuthen
 
Default PolicyKit-authentication-agents in Fedora

On Fri, 2010-04-09 at 14:00 -0400, Matthias Clasen wrote:
> We should probably bring polkit-gnome in compliance with this, then. It
> still ships an autostart file.

Well, the whole mess needs sorting distro-wide - probably want a F14
feature + driver for this.

David


--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
Old 04-10-2010, 12:29 AM
Matthias Clasen
 
Default PolicyKit-authentication-agents in Fedora

On Fri, 2010-04-09 at 14:30 -0400, David Zeuthen wrote:
> On Fri, 2010-04-09 at 14:00 -0400, Matthias Clasen wrote:
> > We should probably bring polkit-gnome in compliance with this, then. It
> > still ships an autostart file.
>
> Well, the whole mess needs sorting distro-wide - probably want a F14
> feature + driver for this.
>

Ok, I'll bite. We can start getting this sorted out in rawhide now. Here
is a feature page describing what needs to happen:

https://fedoraproject.org/wiki/Features/PolkitAgentReorg

I took the freedom to co-opt Christoph and Jaroslav as co-owners, since
they are responsible (I think?) for the other agent implementations.


Matthias

--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
Old 04-10-2010, 02:59 PM
Kevin Kofler
 
Default PolicyKit-authentication-agents in Fedora

Christoph Wickert wrote:
> Then polkit-kde would win and it has even more deps.

And it wouldn't even work outside of KDE as it has OnlyShowIn=KDE;.

All this is why I suggested on #fedora-kde that we should ban all usage of
PolicyKit-authentication-agent entirely (possibly even just remove the
virtual Provides in F14) and have it be the desktop's responsibility to
explicitly Require the auth agent it wants. But Christoph's objection to
that plan was that it forces even things like simple WMs to require a polkit
auth agent, which their users will not necessarily want. He'd much rather
the programs which use polkit carry a dependency rather than just assuming
it'll magically be there.

I think that given the practical restrictions, having lxpolkit be the
default for non-GNOME, non-KDE desktops as Christoph is suggesting is a
quite reasonable default. If it's not GNOME nor KDE, it's some kind of
lightweight solution, so a lightweight auth agent should be the best fit.

Kevin Kofler

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 04-10-2010, 03:02 PM
Kevin Kofler
 
Default PolicyKit-authentication-agents in Fedora

Jaroslav Reznik wrote:
> We explicitly require polkit-kde from F-12 in combination with polkit-1
> (in kdebase-workspace). F-11 still require PolicyKit-authentication-agent.

That would be F-13 resp. F-12.

I think that for F-12, we should really do that grouped update to introduce
polkit-kde and disable polkit-gnome in KDE. (It needs a grouped update of
polkit-kde (new package), polkit-gnome (add NotShowIn=KDE; as in F-13) and
kdebase-workspace (explicitly require polkit-kde rather than
PolicyKit-authentication-agent). All these changes need to happen at the same time,
i.e. in one update set.)

Kevin Kofler

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
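
Added example, not part of the thread and not code from any of the packages discussed: a small audit of autostart entries that applies the OnlyShowIn/NotShowIn rules mentioned above and reports, per desktop, which polkit agents would be started, so that anything other than exactly one agent stands out. The file names, Exec values and the unrestricted lxpolkit entry are constructed assumptions, and the sketch checks a single desktop name at a time.

```python
import configparser

# Constructed autostart entries (file names and Exec values are hypothetical).
# NotShowIn=KDE; and OnlyShowIn=KDE; are the values quoted in the thread; the
# unrestricted lxpolkit entry is an assumption made for illustration.
AUTOSTART = {
    "polkit-gnome.desktop": "[Desktop Entry]\nType=Application\n"
                            "Exec=polkit-gnome-agent\nNotShowIn=KDE;\n",
    "polkit-kde.desktop": "[Desktop Entry]\nType=Application\n"
                          "Exec=polkit-kde-agent\nOnlyShowIn=KDE;\n",
    "lxpolkit.desktop": "[Desktop Entry]\nType=Application\nExec=lxpolkit\n",
}


def _names(entry, key):
    """Split a semicolon-separated desktop list such as 'KDE;GNOME;'."""
    return {n.strip() for n in entry.get(key, "").split(";") if n.strip()}


def starts_in(text, desktop):
    """True if this autostart entry is launched in a session named `desktop`."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # desktop-entry keys are case-sensitive
    cp.read_string(text)
    entry = cp["Desktop Entry"]
    if entry.get("Hidden", "false").strip().lower() == "true":
        return False  # entry explicitly disabled
    only, never = _names(entry, "OnlyShowIn"), _names(entry, "NotShowIn")
    if only and desktop not in only:
        return False
    return desktop not in never


def audit(files, desktops):
    """Map each desktop to the agents it would autostart (sorted by file name)."""
    return {d: sorted(f for f, text in files.items() if starts_in(text, d))
            for d in desktops}


if __name__ == "__main__":
    for desktop, agents in audit(AUTOSTART, ["GNOME", "KDE", "LXDE"]).items():
        verdict = "ok" if len(agents) == 1 else "FINDING"
        print(f"{desktop:6} {verdict:8} {', '.join(agents) or 'no agent'}")
```
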
 
Old 04-11-2010, 03:30 PM
Jaroslav Reznik
 
Default PolicyKit-authentication-agents in Fedora

On Saturday 10 April 2010 05:02:52 pm Kevin Kofler wrote:
> Jaroslav Reznik wrote:
> > We explicitly require polkit-kde from F-12 in combination with polkit-1
> > (in kdebase-workspace). F-11 still require
> > PolicyKit-authentication-agent.
>
> That would be F-13 resp. F-12.

Yes, F-13.

>
> I think that for F-12, we should really do that grouped update to introduce
> polkit-kde and disable polkit-gnome in KDE. (It needs a grouped update of
> polkit-kde (new package), polkit-gnome (add NotShowIn=KDE; as in F-13) and
> kdebase-workspace (explicitly require polkit-kde rather than
> PolicyKit-authentication-agent). All these changes need to happen at the same time,
> i.e. in one update set.)

Looks like polkit-kde is working quite well, question is if it is really what
we need so much to introduce it to F-12.

Jaroslav

> Kevin Kofler
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 04-14-2010, 08:47 AM
Christoph Wickert
 
Default PolicyKit-authentication-agents in Fedora

On Wednesday, 14.04.2010, at 10:25 +0200, Jaroslav Reznik wrote:

> Hi Matthias.
> We were discussing polkit agent reorganization @ our kde sig meeting -
> cwickert joined us too [1].
> Could you clarify autostart of the agent? I agree it should be task for
> desktop as it's now core component and I don't see need for users to change
> this configuration.

I do. Xfce for example has no agent ATM, so users should be free to
choose either polkit-gnome or lxpolkit. This could be easily done if we
allowed installing them individually. The choice which one is started
could be easily done graphically in the session properties.

If I understood Matthias correctly he wants the desktop to autostart the
agent and have it hardcoded somewhere. IMHO this is a step in the wrong
direction as it takes the user the freedom to decide what he wants to
use.

> But other question is - what about desktops without own
> polkit or even standalone wms? Another point is autostart desktop file - if the
> agent is going to be started by autostart desktop file, this autostart belongs
> to agent and should be distributed together in the agent package.

+1

> Could be
> ShowOnlyIn option considered as the correct way to achieve no autostarting in
> other desktops?

IMO yes. And IMO we still need packages that use polkit require
PolicyKit-authentication-agent because otherwise a user of say openbox
or icewm won't get a working package.

Regards,
Christoph

--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
Old 04-14-2010, 09:13 AM
Christoph Wickert
 
Default PolicyKit-authentication-agents in Fedora

On Wednesday, 14.04.2010, at 11:01 +0200, Jaroslav Reznik wrote:
> On Wednesday 14 April 2010 10:47:12 Christoph Wickert wrote:
> > Xfce for example has no agent ATM, so users should be free to
> > choose either polkit-gnome or lxpolkit. This could be easily done if we
> > allowed installing them individually. The choice which one is started
> > could be easily done graphically in the session properties.
>
> For desktops that ships own polkit agent you don't need this freedom. Actually
> it's quite bad - own polkit agent is usually designed to be an integral part
> of it. For now - polkit-kde is standalone package but it's for now before
> transition from the old one to new one is done. Then we'd like to have it as
> part of kdebase-workspace again and shipped together. Of course - situation
> for other desktops could be different (Xfce etc.) and this has to be solved.

I agree with you for KDE: KDE is a big all-in-one desktop environment
and polkit-kde is the only Qt based agent. It doesn't make sense to use
another agent but the KDE one, so it makes sense to add it to
kdebase-workspace.

For the GTK based desktops the situation is a little different, at least
for Xfce and LXDE. People should be free to decide if they prefer the
lightweight version of LXDE or the more powerful agent of GNOME. Let's
not make the same mistakes as Xubuntu and Lubuntu. I'm pretty sure our
spins wouldn't be as successful if we followed their approach and made
Xfce or LXDE just another GNOME.

> Jaroslav

Regards,
Christoph

--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
Old 04-18-2010, 02:17 AM
Matthias Clasen
 
Default PolicyKit-authentication-agents in Fedora

On Wed, 2010-04-14 at 10:47 +0200, Christoph Wickert wrote:
> On Wednesday, 14.04.2010, at 10:25 +0200, Jaroslav Reznik wrote:
>
> > Hi Matthias.
> > We were discussing polkit agent reorganization @ our kde sig meeting -
> > cwickert joined us too [1].
> > Could you clarify autostart of the agent? I agree it should be task for
> > desktop as it's now core component and I don't see need for users to change
> > this configuration.
>
> I do. Xfce for example has no agent ATM, so users should be free to
> choose either polkit-gnome or lxpolkit. This could be easily done if we
> allowed installing them individually. The choice which one is started
> could be easily done graphically in the session properties.
>
> If I understood Matthias correctly he wants the desktop to autostart the
> agent and have it hardcoded somewhere. IMHO this is a step in the wrong
> direction as it takes the user the freedom to decide what he wants to
> use.

Sorry for the late response, I was away from mail for a few days.

So, I don't think I said 'hardcoded'. I don't care how hard or soft you
code it. The point is that it should be the responsibility of the
desktop environment to ensure that a polkit agent is available, not the
responsibility of individual apps or of polkit itself.

For GNOME, I'll simply move the polkit-gnome-authentication-agent
autostart file from polkit-gnome to gnome-session. (gdm already ships
its own autostart file for the login session).

> > But other question is - what about desktops without own
> > polkit or even standalone wms? Another point is autostart desktop file - if the
> > agent is going to be started by autostart desktop file, this autostart belongs
> > to agent and should be distributed together in the agent package.
>
> +1

No. Again, the responsibility for starting the agent lies with the
desktop, not with polkit. I frankly don't care if you 'build your own
desktop'. In that case, your favourite polkit agent is just one more
thing to throw in your .Xclients file.

--
desktop mailing list
desktop@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
 

All times are GMT.