What is happening:
We are switching Polkit from the polkit-noscript fork (based on Polkit 0.113) to upstream Polkit (v121 aka 0.121). Upstream Polkit needs a Javascript interpreter/runtime of which previously the only option was MozJS however v121 added the much lighter duktape as an option (which is what we will use). polkit-noscript was configured using keyrules files which are not supported by upstream Polkit thus we also need to ensure that every package that ships a keyrules file is updated to have equivalent .rules files.
Why:
- polkit-noscript is unmaintained and rebasing the noscript patches upon a newer version of Polkit is likely to be a fair amount of work
- Even once the patches are re-based polkit-noscript will continue to need maintenance in the future to keep it current with upstream polkit, or will need someone to attempt to upstream our patches
- polkit-noscript contains several known bugs which will be resolved by switching to upstream polkit
- polkit v0.113 is not tested against by software components. Typically they only test against upstream or 0.105 (Debian/Ubuntu). This is likely the cause of some of the known issues. Switching to upstream means we gain the benefit of our version of Polkit being tested against by those software components
- A big reason that polkit-noscript existed in the first place was that MozJS is a very large package (670MB installed according to eopkg info) and that it does not have a stable API which meant that polkit had to constantly be updated to support newer versions of mozjs. Because GNOME also depends on mozjs it was likely that systems might require two separate versions of mozjs at once doubling the storage needs. Duktape is 286KB and follows semver for API changes.
- Security issues in polkit can be resolved more quickly by just updating to the newly released upstream version of Polkit when CVEs are released. If need be we can also use patches more reliably because there's a greater chance they will apply cleanly.
- Keyrules have no ecosystem support. Packages that ship rules files typically ship JS rules which previously would need be converted to the keyrules format manually. With upstream polkit we can just use the shipped .rules files as-is.
Changes:
- Release notes for Polkit v121 are available at https://gitlab.freedesktop.org/polkit/polkit/-/blob/121/NEWS.md
- All keyrules files were converted to equivalent .rules files.
- Wheel to Sudo:
- Many distributions use the wheel group for the admin group. Solus instead uses the sudo group for the same purpose. Many Solus packages however incorrectly still specified the wheel group in their rules file which meant that when a user in the sudo group attempted to perform the action allowed in the rules that said user would be prompted for their password (the intent behind the rules file would be that such an administrative user would be able to perform that action without further authenticating). All package-shipped rules files were checked for wheel/sudo and if the wheel group was specified the packages were modified so that sudo would be used instead.
- All packages were modified so that the shipped rules file was named consistently according to the name of the actions shipped with that package. For instance gnome-control-center.rules was renamed to org.gnome.controlcenter.rules. Some packages like gvfs already shipped their rules file in this format.
Individual package changes (beyond those listed above):
- corectrl
- Package updated to v1.2.4
- Previous keyrules file did not check for membership in the sudo group which meant that any user could start the corectrl helper. This however does not seem wise given what corectrl can do to a system so the check for the sudo group was added to the rules file.
- blueman
- Updated to v2.3.1
- bolt
- Updated to v0.9.2
- libvirt
- The old rule allowed any user in the libvirt group to connect to the libvirtd daemon (IE with virt-manager) without additional authentication. I added an additional check to allow users in the sudo group to connect as well which should make virt-manager a bit more useful out of the box
Testing:
Desktop Environments:
Each supported DE needs to be tested to ensure that the Polkit helper that that system uses still works appropriately
- GNOME
- Budgie (tested by @Staudey)
- MATE (tested by @kyrios123)
- Plasma (tested by @joebonrichie and @ReillyBrogan)
Individual Packages:
Each modified package additionally needs to be tested by someone familiar with that package to ensure that the package is still functional
- blueman (tested by @Staudey)
- bolt
- budgie-control-center (tested by @Staudey)
- corectrl (tested by @EbonJaeger)
- duktape (IE test other revdeps of duktape)
- flatpak (tested by @Staudey)
- gnome-control-center (tested by @Staudey)
- gvfs
- libvirt (tested by @ReillyBrogan)
- os-installer (??? might have to wait until we're testing new ISOs)
- udisks
If there's anything else that should be tested please mention it in the comments.
How to switch:
Helper Script
Make sure you download the re-install helper script below and keep it on the system you are installing this on. You may need it if you need to restore the system.