|
|
Log in / Subscribe / Register

Fedora 12 updates PackageKit

[Posted November 24, 2009 by jake]

From:  updates-AT-fedoraproject.org
To:  fedora-package-announce-AT-redhat.com
Subject:  Fedora 12 Update: PackageKit-0.5.4-0.4.20091029git.fc12
Date:  Tue, 24 Nov 2009 07:32:52 +0000
Message-ID:  <20091124073252.B123410F874@bastion2.fedora.phx.redhat.com>
Archive‑link:  Article

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-11882
2009-11-20 22:10:57
--------------------------------------------------------------------------------

Name        : PackageKit
Product     : Fedora 12
Version     : 0.5.4
Release     : 0.4.20091029git.fc12
URL         : http://www.packagekit.org
Summary     : Package management service
Description :
PackageKit is a D-Bus abstraction layer that allows the session user
to manage packages in a secure way using a cross-distro,
cross-architecture API.

--------------------------------------------------------------------------------
Update Information:

- Switch the signed install permission to require the root password  - See
https://www.redhat.com/archives/fedora-devel-list/2009-No...
for the rationale.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 19 2009 Richard Hughes  <rhughes@redhat.com> - 0.5.4-0.4.20091029git
- Switch the signed install permission to require the root password
* Mon Nov 16 2009 Richard Hughes  <rhughes@redhat.com> - 0.5.4-0.3.20091029git
- When searching for available packages to install, use our preferred arch.
- Handle the error condition where the package name would be invalid.
- Fixes #534169 and #533014
* Mon Nov  9 2009 Richard Hughes  <rhughes@redhat.com> - 0.5.4-0.2.20091029git
- Fix a critical bug in the command-not-found code that triggers an infinite
  loop when a new package is installed.
- Fixes #533554
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #534047 - Active local console users get to install signed software on a machine they
do not have the root password to
        https://bugzilla.redhat.com/show_bug.cgi?id=534047
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update PackageKit' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...

to post comments

Fedora 12 updates PackageKit

Posted Nov 24, 2009 15:36 UTC (Tue) by kragil (guest, #34373) [Link] (12 responses)

I still don't really get why there was such a buzz around this.

At least allow installing updates without password entry.
Fedora users get bombarded with updates.

Fedora 12 updates PackageKit

Posted Nov 24, 2009 15:51 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link] (11 responses)

If you want to set a local policy that allows you to update without a
password, you can do something like this:

create a file in /var/lib/polkit-1/localauthority/20-org.d (name it
anything you want as long as it ends with .pkla) and the content should be

---

[SignedUpdateWithoutPassword]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-update
ResultAny=no
ResultInactive=no
ResultActive=yes

---

Hope that helps

Fedora 12 updates PackageKit

Posted Nov 24, 2009 16:37 UTC (Tue) by nix (subscriber, #2304) [Link] (10 responses)

PolicyKit really does have good documentation (if you haven't managed to mess up the package installation so much that half the manpages were empty and the other half didn't exist, as I had when I complained about it).

Its biggest downsides, as far as I can tell, are that it's new and that it's not possible to determine statically which programs require which PK privileges.

Fedora 12 updates PackageKit

Posted Nov 24, 2009 17:29 UTC (Tue) by rfunk (subscriber, #4054) [Link] (9 responses)

Is it just me, or does it seem like PolicyKit/PackageKit came along without
enough notice that important things were changing?

Fedora 12 updates PackageKit

Posted Nov 24, 2009 19:44 UTC (Tue) by luya (subscriber, #50741) [Link] (8 responses)

Clearly a lack of notice at that case where the policy works with signed keys from trusted repositories. It is just too bad many people spent their time reacting without thinking first.

See https://www.redhat.com/archives/fedora-devel-list/2009-No...

Fedora 12 updates PackageKit

Posted Nov 24, 2009 19:48 UTC (Tue) by luya (subscriber, #50741) [Link]

Note that policy itself will play crucial role for http://www.fedoraproject.org/wiki/Features/UserAccountDialog

Fedora 12 updates PackageKit

Posted Nov 24, 2009 23:20 UTC (Tue) by gdt (subscriber, #6284) [Link] (6 responses)

It is just too bad many people spent their time reacting without thinking first.

Au contraire, it is just too bad that a package maintainer can change the long-standing security model of a popular operating system with no review, no notice, and little oversight. What you saw was the outrage of system administrators. And if there was a lot of it, well there's a lesson there.

The outrage was fair enough too. If a system administrator removes, say, cron, only a borked default security model would allow a non-administrator user to put that package back. Yet that was exactly what was shipped.

Fedora 12 updates PackageKit

Posted Nov 25, 2009 0:15 UTC (Wed) by mmcgrath (guest, #44906) [Link] (5 responses)

> Au contraire, it is just too bad that a package maintainer can change the long-standing security model of a popular operating system with no review, no notice, and little oversight.

Where can I read this policy? I'm not in favour of the change they made either but everyone makes it sound like they did something that was clearly written in stone. Where is it?

Fedora 12 updates PackageKit

Posted Nov 25, 2009 2:18 UTC (Wed) by Ed_L. (guest, #24287) [Link] (3 responses)

The stone tablet reads "Unix: secure by default." Its been carved there so deeply for so long that all Unix/Linux/*BSD admins -- and most users -- take it as a Gospel that must be religiously protected and maintained.

Hence the near-religious fervor when this one seemed threatened. It appears the "let unprivileged users install signed packages" was a meritous idea that was released half-baked. Frields discovered his Fedora customers take these things way too seriously, issued a prompt fix, and promised a better implementation and documentation next time. Kudos all around. Welcome to the perpetual beta-ness that is Fedora.

Funny though, how for an allegedly bleeding-edge perpetual beta, Fedora sure does see its share of serious server and workstation use....

Fedora 12 updates PackageKit

Posted Nov 25, 2009 3:57 UTC (Wed) by mmcgrath (guest, #44906) [Link] (2 responses)

> The stone tablet reads "Unix: secure by default." Its been carved there so deeply for so long that all Unix/Linux/*BSD admins -- and most users -- take it as a Gospel that must be religiously protected and maintained.

I'm sorry, where does it say that?

> Funny though, how for an allegedly bleeding-edge perpetual beta, Fedora sure does see its share of serious server and workstation use....

I'm sorry, where does it say that?

Fedora 12 updates PackageKit

Posted Nov 25, 2009 4:21 UTC (Wed) by foom (subscriber, #14868) [Link] (1 responses)

>> The stone tablet reads [...]
> I'm sorry, where does it say that?

On the aforementioned stone tablet, of course. It's on display in the Museum of Unix History.

Fedora 12 updates PackageKit

Posted Nov 25, 2009 18:38 UTC (Wed) by jspaleta (subscriber, #50639) [Link]

Wait.. shouldn't that be a stone punchcard?

-jef

Fedora 12 updates PackageKit

Posted Nov 27, 2009 22:19 UTC (Fri) by gdt (subscriber, #6284) [Link]

If you really need a reference, then see Section 3.5 of The UNIX timesharing system (Richie & Thompson, 1974). That is, the primacy of root is such a basic idea it is mentioned in the first summary paper describing the operating system. Following on from this brief mention, there are endless papers spelling out the model in detail, including papers with rigorous formal analysis.

Saying the UNIX security model isn't documented is ignoring the decades of academic interest in that topic. That's without considering the less rigorous treatment found in a few decades of UNIX system administration guides.

Nothing says that Linux can't diverge from the UNIX tradition. Changes are needed. But being an operating system in the UNIX tradition, when changes are made to take the OS out of that tradition then you'd at least expect a mention in the release notes. That as much applies to the constant alterations in the discovery of devices (udev, etc) as it does to this episode.


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds