One: "The responses from Hughes and David Zeuthen ("I'm not interested in this bike-shed or what color it is") in the thread angered quite a few."
It's perfectly sensible for David to say that, because this issue had absolutely nothing to do with David. David is the maintainer of PolicyKit. PolicyKit is a framework for defining policies. It does not, in itself, define any policies. Deciding what the authentication policies should be is not PolicyKit's job, and PolicyKit doesn't do it. So why should David care? His code doesn't set the policy, he was not involved in deciding the policy, and it's not his job to decide the policy.
Two: "Williamson stepped in quickly to stop that:"
Ah, you flatter me. ;) I don't have the power to stop anything. All I can do is express an opinion, based on the declared Fedora policies. I don't have any authority over anyone who posted a private comment in the bug. (I just barely outrank the laboratory mice around here...)
Three: comment from JoeBuck - "It seems clear that there isn't anyone on the PolicyKit team who does what Bruce Schneier (among others) regularly urges: you need someone on your team who can think like a black hat."
Joe, read point one above. PolicyKit is simply a framework. It doesn't define any policies. PolicyKit does absolutely nothing unless applications choose to use it for privilege escalation, rather than using su or sudo or consolehelper or whatever. And it's the _apps_ that define the policies. This policy was defined in PackageKit, not PolicyKit.