There are some OK points in your rant, but explicit su - is more secure than the other options.
run packaging commands
Or really, what I do:
I open a terminal for root activities, color it red, and create a completely new login as root. I use that terminal for packaging, or editing config files, and not much more.
The programs that get exposed via my methods:
- the shell
- the editor
- the packaging tools
PolicyKit might be able to cut out the editor, but it still has to use those programs and several additional ones. The system is more complex and harder to inspect. My environment is not polluted from the user's.
Really this is the most simple, and the most secure, and the most easily inspected method. My reaction to PolicyKit is "I hope I can prevent it from being used on my distribution."