Format: 1.8 Date: Mon, 21 Aug 2023 05:23:43 -0400 Source: policykit-1 Architecture: source Version: 123-1~bpo23.04 Distribution: lunar Urgency: high Maintainer: Utopia Maintenance Team Changed-By: Unit 193 Closes: 580634 689473 698085 699447 723717 745983 748981 771281 772125 775158 776744 779756 779988 794723 817998 837846 855083 863207 863784 872615 902474 903563 915332 917309 918446 923240 946231 955204 961279 965210 980998 989429 1005784 1006203 1018897 1023393 1026425 1027420 1030154 Launchpad-Bugs-Fixed: 1417637 1447654 1626651 Changes: policykit-1 (123-1~bpo23.04) lunar; urgency=medium . * No-change backport to lunar. . policykit-1 (123-1) unstable; urgency=medium . * New upstream release * Update directory permissions to match upstream hardening - /etc/polkit-1/rules.d: was 0700 polkitd:root, now 0750 root:polkitd so polkitd cannot modify it - /var/lib/polkit-1: same as /etc/polkit-1/rules.d - /usr/share/polkit-1/rules.d: was 0700 polkitd:root, now 0755 root:root since everything in that directory comes from a package anyway * d/polkitd.postinst: Clean up /var/lib/polkit-1/.cache on upgrades, now that polkitd will not re-create it (Closes: #855083) * d/tests: Depend on polkitd instead of policykit-1 * d/tests: Rename cli test to polkitd * d/tests: Add a test for pkexec * d/p/debian/Don-t-use-PrivateNetwork-yes-for-the-systemd-unit.patch: Disable PrivateNetwork=yes for now. This would be good to have, but it causes autopkgtest failures under lxc. (Mitigates: #1042880) * d/control: Stop recommending polkitd-pkla in policykit-1. This is a step towards removing the policykit-1 transitional package entirely: it was included in Debian 12 and Ubuntu 22.04, so it has served its purpose and should be removed soon. . policykit-1 (122-4) unstable; urgency=medium . * d/control: Remove transitional polkitd-javascript package. This package was released in bookworm, and nothing in Debian depends on it. It was only relevant for users of certain polkit releases in experimental. * d/*.install: Move gettext extensions into libpolkit-gobject-1-dev. These are generally only needed when building other packages. (Closes: #955204) . policykit-1 (122-3) unstable; urgency=medium . * d/polkitd.postinst: Stop polkitd before changing home directory. usermod will refuse to change the home directory if a polkitd process is running as the polkitd uid, so stop polkitd if necessary, and also don't fail if usermod can't change the home directory in an existing installation (which is non-critical anyway). (Closes: #1030154) . policykit-1 (122-2) unstable; urgency=medium . [ Debian Janitor ] * d/changelog: Trim trailing whitespace * d/upstream/metadata: Update URLs for Bug-Database, Bug-Submit . [ Simon McVittie ] * Update how we assign root-equivalent groups - d/p/debian/50-default.rules-Replace-wheel-group-with-sudo-group.patch, d/rules: Set up Debian's default root-equivalent group 'sudo' in 50-default.rules rather than in 40-debian-sudo.rules. This ensures that users of polkitd-pkla can override it by configuring admin identities the old way. Previously, because 40-debian-sudo.rules was earlier in the sequence than 49-polkit-pkla-compat.rules, it would take precedence and the admin identities from polkitd-pkla were ignored. (Closes: #1023393) By default, polkitd-pkla does not provide any admin identities, which means we behave as though polkitd-pkla was not installed at all, and fall back to the sudo group defined in 50-default.rules. - d/p/debian/05_revert-admin-identities-unix-group-wheel.patch: Drop patch, superseded by the one described above - d/rules: When built for Ubuntu, also install an Ubuntu-specific file sequenced after 49-polkit-pkla-compat.rules but before 50-default.rules, which treats both the 'sudo' group and the legacy 'admin' group as root-equivalent. * Replace /etc/pam.d/polkit-1 with /usr/lib/pam.d/polkit-1. /usr/lib/pam.d has been supported since at least 1.4.0 (Debian 11), so we can make this an ordinary packaged file instead of a conffile. Local sysadmin overrides can still be done via /etc/pam.d/polkit-1 as before. This sidesteps dpkg's inability to keep track of a conffile when it is moved from one package to another (#399829, #645849, #163657, #595112). (Closes: #1006203) * postinst: Only clean up config directories if not owned. If we only have polkitd installed, then we want to clean up the obsolete directory /etc/polkit-1/localauthority.conf.d on upgrade, but if we have polkitd-pkla installed, then it owns that directory and we should not remove it. (Closes: #1026425) * d/policykit-1.dirs: Continue to own some legacy directory names. Having the transitional package continue to own these directories until it has had a chance to clean up obsolete conffiles will silence warnings from dpkg about inability to remove them. (Closes: #1027420) * d/polkitd.postrm: Clean up /var/lib/polkit-1 on purge. If /var/lib/polkit-1 was the polkitd user's home directory, then it might contain a .cache subdirectory; clean that up too. * Create polkitd user with home directory /nonexistent in new installations. This will prevent it from creating detritus in /var/lib/polkit-1. * polkitd.postinst: Change polkitd home directory to /nonexistent on upgrade * Remove version constraints unnecessary since buster (oldstable) * Update standards version to 4.6.2 (no changes needed) . policykit-1 (122-1) unstable; urgency=medium . * d/watch: Fix handling of polkit-pkla-compat * d/watch: Monitor Gitlab releases instead of fd.o web server * New upstream release * Drop patches that were included in the new upstream release . policykit-1 (121+compat0.1-6) unstable; urgency=medium . * d/polkitd.examples: Really install the example rules mentioned in NEWS * d/control: Explicitly build-depend on docbook-xsl. polkit-pkla-compat needs this for the man pages, which cannot currently be disabled, so it is not marked as (and neither is xsltproc). * Only build API documentation if policykit-1-doc is built. It doesn't need to be built when we're doing an architecture-specific build, and we can also mark it with the build-profile (although that's not particularly useful in this case because it's the only arch-indep binary package). . policykit-1 (121+compat0.1-5) unstable; urgency=medium . * Release to unstable (Closes: #946231, #1018897) . policykit-1 (121+compat0.1-4) experimental; urgency=medium . * d/polkitd.postinst: Consistently indent with spaces * d/polkitd.postinst: Quote defensively * d/polkitd.postinst: Don't explicitly restart the systemd service. dh_installsystemd does this for us anyway. * d/polkitd.postinst: Make sure message bus policy is reloaded if needed. If we created or modified the polkitd user, then we need to refresh dbus-daemon's cached policy to take that user into account, otherwise polkitd will fail to start. This fixes an autopkgtest failure. * d/polkitd.postinst: Stop polkitd when not using systemd. On non-systemd systems, polkitd is a traditional D-Bus service and is not managed by a service manager, so the way to ensure we are running the upgraded version is to stop it and let the D-Bus system bus activate a new copy next time it is used. * Install a sysusers.d(5) fragment to set up the system user. This allows use of polkit without adduser on systems that have either systemd or systemd-standalone-sysusers. * d/polkitd.tmpfiles: Provide a tmpfiles.d(5) fragment for our directories * Add another override for man pages not matching Lintian expectations * d/rules: Build with hardening=+bindnow * Add doc-base metadata for the reference manual . policykit-1 (121+compat0.1-3) experimental; urgency=medium . * Merge content of polkitd-javascript into polkitd. Keep the polkitd-javascript package as a transitional package. . policykit-1 (121+compat0.1-2) experimental; urgency=medium . * Add a NEWS file describing the change of security policy format * d/control: policykit-1 Recommends polkitd-pkla. This arranges for upgrades from Debian 11 to install polkitd-pkla by default, preserving previous functionality, while also allowing it to be removed for legacy-free systems. * d/pkla/: Remove, no longer installed or used * d/example-rules: Add some examples of the JavaScript rules format * d/changelog: Merge changelog entries from testing/unstable, in preparation for uploading this branch to unstable . policykit-1 (121+compat0.1-1) experimental; urgency=medium . * Restructure the package to use upstream project polkit-pkla-compat for compatibility with 0.105 and older versions. - polkitd-javascript is now the only implementation of polkitd. The packages will probably be merged in a future upload, but keep them separate for now as a contingency plan. - polkitd-pkla now Depends on polkitd-javascript instead of having Breaks/Replaces on it. It's now an addon for polkitd-javascript, which calls out to an external helper program to check authorization against the old pklocalauthority(8) configuration files. - polkitd-javascript: Ensure that the polkitd user has a primary group. The polkit-pkla-compat package wants its directories to be owned by root:polkitd, which will only work if the polkitd user has a corresponding polkitd group. - Add polkit-pkla-compat as a secondary upstream tarball - Build polkit-pkla-compat instead of a PKLA build of polkitd - Drop patches that reinstated the ability to do a PKLA build of polkitd * d/p/polkitbackendduktapeauthority.c-Print-the-error-string-we.patch: Add patch from upstream to display error string as intended * d/control: Explicitly build-depend on xml-core, for its dh addon * d/copyright: Update * Update Lintian overrides * Standards-Version: 4.6.1 (no changes required) * d/tests: Skip if dbus-daemon is not running and cannot be started * Try harder to clean up obsolete conffiles . policykit-1 (121-2) experimental; urgency=medium . [ Michael Biebl ] * Use dh-sequence-gir Build-Depends to enable the gir addon * Remove no longer needed dh option. Upstream has removed the autotools based build system so we no longer need to tell dh which build system to use. * Remove workaround for missing mocklibc . [ Simon McVittie ] * d/copyright: Reinstate entry for test/mocklibc * d/polkitd.install: Really install the XML catalog entry * d/rules: Enable xml-core dh sequence * d/catalog.xml: Fix basename of DTD . policykit-1 (121-1) experimental; urgency=medium . * New upstream release * d/copyright: Update * Drop patches that were applied upstream * Refresh remaining patches * d/control: Build-depend on duktape instead of mozjs * Install policyconfig-1.dtd in polkitd package, with an XML catalog entry (Closes: #872615) * d/watch: Use Gitlab tags to watch for new releases for now. Subsequent releases will be done via the Gitlab releases feature, but it's not immediately obvious what form that will take. * Add patch from upstream to install rules.d defaults in /usr/share. This brings us one step closer to the "empty /etc is valid" model. * d/rules: Install sudo and Ubuntu admin rules into /usr/share, too. This avoids these files having to be conffiles that vary between distros. * d/upstream/metadata: Add * d/polkitd.docs: Update . policykit-1 (0.120-6) experimental; urgency=medium . * Add patch from Fedora to fix denial of service via fd exhaustion (CVE-2021-4115; Closes: #1005784) . policykit-1 (0.120-5) experimental; urgency=medium . * d/*.postinst: Correct package names in initial comments * d/policykit-1.bug-control: Correct name of Submit-As field . policykit-1 (0.120-4) experimental; urgency=medium . * d/control: Change descriptions to refer to polkit. According to NEWS, the official name of the project has been polkit since 2012, and perhaps earlier. * d/patches: Use upstream's finalized patch for CVE-2021-4034. The patch that was provided to distributors under embargo was not the final version: it used a different exit status, and made an attempt to show help. The version that was actually committed after the embargo period ended interprets argc == 0 as an attack rather than a mistake, and does not attempt to show the help message. * d/patches: Move Debian-specific patches to d/p/debian/. This makes it clearer that these are not intended to go upstream. * Split policykit-1 into polkitd and pkexec packages. pkexec is a setuid program, which makes it a higher security risk than the more typical IPC-based uses of polkit. If we separate out pkexec into its own package, then only packages that rely on being able to run pkexec will have to depend on it, reducing attack surface for users who are able to remove the pkexec package. * Reinstate the .pkla backend as a separate binary package. Upstream polkit switched its authorization rule syntax from .ini-style .pkla files to JavaScript in version 0.106. Debian has historically used a fork of the last .pkla-based version, but this was becoming unsustainable: bug fixes from subsequent upstream versions were either applied as patches, or missing from the Debian package. The "local authority" code that implements .pkla files is not actually all that large, so patching it into a modern upstream version is a much smaller task than patching modern upstream bug fixes into an old upstream version. For this upload to experimental, keep both the JavaScript backend and the .pkla backend intact, by compiling polkitd twice with different options. This lets us preserve existing functionality of upstream and experimental polkit (with the more powerful JavaScript-based rules, which can base their authorization decisions on service-specific information like the name of a systemd unit), while also having the opportunity to evaluate polkitd-pkla as a more direct replacement for what's in bookworm. * Adjust Lintian override syntax * Add Debian-specific man pages for polkitd-pkla * d/copyright: Update * Always configure the sudo group as root-equivalent. This avoids Debian derivatives getting an unexpected change in behaviour when they switch from inheriting Debian's policykit-1 package to building their own policykit-1 package, perhaps as a result of wanting to apply an unrelated patch. The sudo group is defined to be root-equivalent in base-passwd, so this should be equally true for all Debian derivatives. (Closes: utopia-team/polkit!3; thanks to Arnaud Rebillout) . policykit-1 (0.120-3) experimental; urgency=high . * d/p/Avoid-local-privilege-escalation-in-polkit-s-pkexec.patch: Apply embargoed patch for local privilege escalation (CVE-2021-4034) . policykit-1 (0.120-2) experimental; urgency=medium . * d/rules: Extend timeout for unit tests. Meson's default 30 second timeout is uncomfortably short even on x86, and too short on e.g. mips. . policykit-1 (0.120-1) experimental; urgency=medium . * New upstream release * Drop patches that were applied upstream * Depend on default-dbus-system-bus | dbus-system-bus instead of dbus. We need the system bus: let's be specific about that. This will allow dbus-broker to be substituted for dbus, if desired. * Build-depend on dbus-daemon instead of dbus. We only need dbus-run-session at build time; we don't need a fully-working system bus. * debian/missing/docs: Remove extra copy of documentation. This is in the new upstream release. - d/source/include-binaries: Remove, no longer needed * d/p/Don-t-pass-positional-parameters-to-i18n.merge_file.patch: Add patch to fix FTBFS with Meson 0.60.0 * Standards-Version: 4.6.0 (no changes required) * Use d/watch format version 4 . policykit-1 (0.119-1) experimental; urgency=medium . * New upstream release - Fixes local privilege escalation involving polkit_system_bus_name_get_creds_sync() (CVE-2021-3560) (Closes: #989429) * d/missing, d/rules: Work around missing docs/polkit/overview.xml etc. in 0.119 tarball * Build using Meson * d/p/build-Remove-redundant-computation-of-dbus-data-directory.patch, d/p/build-Don-t-require-dbus-development-files.patch, d/p/meson_post_install-Use-geteuid-instead-of-getpass.patch, d/p/meson_post_install-Don-t-fail-if-the-polkitd-user-doesn-t.patch, d/p/meson_post_install-If-installation-steps-are-skipped-say-.patch, d/p/meson_post_install-Don-t-install-pkexec-group-writable.patch, d/p/meson_post_install-Don-t-make-programs-setuid-if-we-are-n.patch, d/p/meson_post_install-Respect-DESTDIR-for-absolute-paths.patch, d/p/build-Make-the-directory-for-helper-executables-consisten.patch: Add some patches to improve the Meson build system * d/missing, d/rules: Get mocklibc into the right layout for the build * Stop providing static libraries. The Meson build infrastructure only supports shared libraries, and the static libraries built by Autotools were already not particularly useful, because they indirectly depend on the libmount shared library. . policykit-1 (0.118-2) experimental; urgency=medium . [ Helmut Grohne ] * Annotate Build-Depends: dbus (Closes: #980998) . [ Michael Biebl ] * Remove old maintscript migration code from pre-oldstable * Use --restart-after-upgrade. With debhelper 13.1, --no-start will disable --restart-after-upgrade. Since we want the service to be restarted on upgrades, request that explicitly. See #959678 . [ Simon McVittie ] * d/rules: Remove --libexecdir override. This has no practical effect: the upstream build system no longer uses the libexec directory. * d/rules: Remove redundant dh_missing --fail-missing override. This is the default in dh compat level 13. . policykit-1 (0.118-1) experimental; urgency=medium . * New upstream release - Drop patch that was applied upstream * d/control: Update build-dependency to mozjs78 . policykit-1 (0.117-1) experimental; urgency=medium . * New upstream release * Rebase patches * Bump Standards-Version to 4.5.0 * Add polkitbackendjsauthoritytest-wrapper.py to release tarball * Add python3-dbusmock to Build-Depends and mark it . Required by test/polkitbackend/polkitbackendjsauthoritytest-wrapper.py * Bump debhelper-compat to 13 * Add symlink for polkit-agent-helper-1 after the move to /usr/libexec. Support upgrades from 0.105-27 (and later versions in unstable), which moved the private binaries from /usr/lib/policykit-1 to /usr/libexec. (Closes: #965210) . policykit-1 (0.116-3) experimental; urgency=medium . * Team upload. * Port to mozjs-68 (Closes: #961279) . policykit-1 (0.116-2) experimental; urgency=medium . [ Mark Hindley ] * Depend on new virtual packages default-logind and logind (Closes: #923240) . [ Simon McVittie ] * d/*.symbols: Add Build-Depends-Package metadata * d/policykit-1.lintian-overrides: Override systemd unit false positives. The systemd unit is only for on-demand D-Bus activation, and is not intended to be started during boot, so an [Install] section and a parallel LSB init script are not necessary. * d/policykit-1.bug-control: Add systemd, elogind versions to bug reports. reportbug doesn't currently seem to interpret "Depends: default-logind | logind" as implying that it should include the version number of the package that Provides logind in bug reports. Workaround for #934472. * Standards-Version: 4.4.0 (no changes required) * Switch to debhelper-compat 12 . policykit-1 (0.116-1) experimental; urgency=medium . * New upstream release - Document polkit_subject_equal() as unsuitable for security decisions (CVE-2019-6133) - Allow process uid to be unset again, fixing a regression in the solution for #915332 - Port the JS authority to mozjs-60 (Closes: #917309) - Fix some resource leaks - Documentation and debug message fixes * Drop patch for #915332, applied upstream * Standards-Version: 4.3.0 (no changes required) * Set experimental branch in Vcs-Git * Change the policykit-1 package from Architecture: any to Architecture: linux-any, and remove the consolekit [!linux-any] dependency. polkit no longer has any backends for non-Linux. (Closes: #918446) . policykit-1 (0.115-3) experimental; urgency=medium . * Allow negative uids/gids in PolkitUnixUser and Group objects. Fixes a vulnerability in PolicyKit that allows a user with a uid greater than INT_MAX to successfully execute arbitrary polkit actions. (CVE-2018-19788, Closes: #915332) . policykit-1 (0.115-2) experimental; urgency=medium . [ Simon McVittie ] * d/gbp.conf: Set patch-numbers to false to match current practice . [ Michael Biebl ] * Switch to dh_missing and abort on uninstalled files * Move D-Bus policy file to /usr/share/dbus-1/system.d/ To better support stateless systems with an empty /etc, the old location in /etc/dbus-1/system.d/ should only be used for local admin changes. Package provided D-Bus policy files are supposed to be installed in /usr/share/dbus-1/system.d/. This is supported since dbus 1.9.18. * Remove obsolete conffile /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf on upgrades * Bump Standards-Version to 4.2.1 * Remove Breaks for versions older than oldstable * Stop masking polkit.service during the upgrade process. This is no longer necessary with the D-Bus policy file being installed in /usr/share/dbus-1/system.d/. (Closes: #902474) * Use dh_installsystemd to restart polkit.service after an upgrade. This replaces a good deal of hand-written maintscript code. * Remove upgrade code which changes the home directory of the polkitd user . policykit-1 (0.115-1) experimental; urgency=medium . * New upstream version 0.115 - Fixes CVE-2018-1116 (Closes: #903563) - d/p/jsauthority-pass-s-format-string-to-remaining-report.patch: Drop, applied upstream * d/watch: Use https * d/watch: Download upstream PGP signatures * debian/upstream/signing-key.asc: Add public keys for Ray Strode, Miloslav Trmac, David Zeuthen * d/gbp.conf: Merge upstream tags into the upstream branch * Add myself to Uploaders * d/libpolkit-gobject-1-0.symbols: Update for new semi-private ABI * d/rules: Skip build-time tests if DEB_BUILD_OPTIONS=nocheck * Standards-Version: 4.1.5 (no changes required) * Set Rules-Requires-Root to no . policykit-1 (0.114-1) experimental; urgency=medium . [ Michael Biebl ] * New upstream version 0.114 * Rebase patches * Switch to mozjs 52 (Closes: #863784) * Drop -Wl,--no-as-needed, no longer necessary * jsauthority: pass "%s" format string to remaining report function * Add Provides to gir1.2-polkit-1.0 to reflect its contents . [ Martin Pitt ] * debian/copyright: Use https URL for Format: * Update Vcs-* links for move to salsa.debian.org. * Move to debhelper compat level 10. Remove explicit dh-autoreconf, it's now done by default. * Bump Standards-Version to 4.1.3 * Add autopkgtest. This covers the pkaction and pkcheck CLI tools. . policykit-1 (0.113-6) experimental; urgency=medium . * master/Add-gettext-support-for-.policy-files.patch: Backport from master: Add .loc and .its files so that gettext can be used to translate policy files. Some upstreams, particularly those that are switching to meson, expect these files to be present so that their PK policy files can be translated. (Closes: #863207) . policykit-1 (0.113-5) experimental; urgency=medium . [ Simon McVittie ] * Build-depend on intltool instead of relying on gtk-doc-tools' dependency (Closes: #837846) . [ Michael Biebl ] * Use https:// for the upstream homepage. * Update Vcs-Browser to use cgit. * Drop the polkitd.service Alias. The version in unstable, based on 0.105, now also uses the name polkit.service for the systemd service unit. . [ Martin Pitt ] * Use PAM's common-session-noninteractive modules for pkexec instead of common-session. The latter also runs pam_systemd (the only difference normally) which is a no-op under the classic session-centric D-BUS/graphical login model (as it won't start a new one if it is already running within a logind session), but very expensive when using dbus-user-session and being called from a service that runs outside the PAM session. This causes long delays in e. g. gnome-settings-daemon's backlight helpers. (LP: #1626651) . policykit-1 (0.113-4) experimental; urgency=medium . [ Simon McVittie ] * Run tests with a session bus pretending to be the system bus, so they can pass in a buildd environment . [ Michael Biebl ] * Create our custom rules files in debian/tmp so we don't FTBFS for binary-indep builds and run dh_install after that. * Run wrap-and-sort -ast. * Bump Standards-Version to 3.9.8. . policykit-1 (0.113-3) experimental; urgency=medium . * Generate tight inter-package dependencies. This ensures that everything from the same source package is upgraded in lockstep. (Closes: #817998) * Drop obsolete Breaks from pre-wheezy. . policykit-1 (0.113-2) experimental; urgency=medium . [ Simon McVittie ] * policykit-1.links: statically alias polkit.service (upstream's name) as polkitd.service (Debian's historical name) . [ Martin Pitt ] * debian/policykit-1.{pre,post}inst: Temporarily mask polkit.service while policykit-1 is unpackaged but not yet configured. During that time we don't yet have our D-Bus policy in /etc so that polkitd cannot work yet. This can be dropped once the D-Bus policy moves to /usr. (Closes: #794723, LP: #1447654) . policykit-1 (0.113-1) experimental; urgency=medium . * Team upload. . [ Martin Pitt ] * policykit-1.postinst: Don't kill polkitd under systemd, but properly restart it. This avoids killing it shortly after systemd tries to bus-activate it on installation. (LP: #1447654) . [ Simon McVittie ] * Disable silent build rules. (Previously done in Ubuntu, although it seems to have been lost in a merge somewhere.) * New upstream release - drop most patches: they either came from upstream, or have been merged upstream - add new function to symbols file - fixes CVE-2015-4625, CVE-2015-3218, CVE-2015-3255, CVE-2015-3256 * Annotate remaining patches with a bit more information. They are: - 01_pam_polkit.patch: use Debian's common-* infrastructure, plus pam_env to get the global environment and locale. Debian-specific. - 02_gettext.patch: Use gettext to translate .policy files at runtime, allowing for Ubuntu-style language packs. Debian-specific (mainly for Ubuntu's benefit, really). - 05_revert-admin-identities-unix-group-wheel.patch: Debian does not use the "wheel" group like Red Hat derivatives do; treat uid 0 as the administrative identity instead. Debian-specific. - 08_chdir_root.patch: Explicitly use chdir("/") instead of relying on user's home in `getent passwd` being set properly. Potentially upstreamable? * policykit-1.postinst: restart polkit.service, not polkitd.service (which doesn't exist) . policykit-1 (0.112-5) experimental; urgency=medium . * Team upload. * Go back to mozjs 1.8.5, like the version in unstable: mozjs 17 has been removed from Debian, and mozjs 24 requires significant upstream changes and no longer has a C API (Closes: #776744) * Add a symlink so the old library can run the new agent helper (Closes: #699447) * Add patch from upstream to work around older versions of libpam-systemd which would give root processes the real uid's XDG_RUNTIME_DIR under su; it shouldn't be necessary any more, but is harmless (Closes: #772125) * Replace 03_complete_session.patch with a change from upstream which seems like a more correct solution for LP#445303, LP#649939 * Add patches from upstream to treat background processes as part of the same uid's active GUI session if any, fixing use of dbus-user-session (Closes: #779988) * Add patches from upstream to fix some memory leaks (Closes: #775158, LP: #1417637) * Add patch from upstream to fix redundant removal of an event source * Add patch to use libsystemd instead of the libsystemd-login compat library (Closes: #779756) . policykit-1 (0.112-4) experimental; urgency=medium . [ Andreas Henriksson ] * Install typelib files into MA libdir. . [ Martin Pitt ] * Rebuild against libsystemd0. This drops the last remaining dependency to libsystemd-login0. (Closes: #771281) * Bump Standards-Version to 3.9.6 (no changes necessary). . policykit-1 (0.112-3) experimental; urgency=medium . * Team upload. * debian/rules: Really enable logind support on linux architectures only * debian/control: Use canonical VCS-* URL's * debian/control: Bump Standards-Version to 3.9.5 (no further changes) * debian/control: Depends against libpam-systemd instead of just systemd * debian/control: Add a Breaks against gdm3 (<< 3.8.4-7~) to ensure it registers a logind session properly (Closes: #745983) * debian/policykit-1.postinst: Explicitly set a home directory for the polkitd user (Closes: #748981) . policykit-1 (0.112-2) experimental; urgency=low . * Use logind on linux and consolekit on non-linux * Update to mozjs17 . policykit-1 (0.112-1) experimental; urgency=low . * New upstream release. - Fixes CVE-2013-4288, unix-process subject for authorization is racy. (Closes: #723717) * Remove 00git_pkexec_pam_env.patch and 09_link_libmozjs.patch, both merged upstream. * Drop explicit Build-Depends on gir1.2-glib-2.0. * Bump Standards-Version to 3.9.4. No further changes. . policykit-1 (0.110-3) experimental; urgency=low . [ Martin Pitt ] * Add 00git_pkexec_pam_env.patch: pkexec: Set process environment from pam_getenvlist(). Backported from upstream git head. * 01_pam_polkit.patch: Adjust patch to invoke pam_env, so our global settings from /etc/default/locale are applied correctly. Thanks Steve Langasek! . [ Michael Biebl ] * Use gir addon instead of calling dh_girepository manually. . policykit-1 (0.110-2) experimental; urgency=low . * When cleaning up /etc/polkit-1/nullbackend.conf.d/ and /etc/polkit-1/localauthority.conf.d/ don't fail if those directories have already been removed. (Closes: #698085) . policykit-1 (0.110-1) experimental; urgency=low . * New upstream release. * Drop patches which have been merged upstream. * Drop debian/clean, no longer necessary. . policykit-1 (0.109-1) experimental; urgency=low . * New upstream release. (Closes: #689473) * Update Build-Depends: - Bump libglib2.0-dev to (>= 2.30.0). - Add libmozjs185-dev for the JS rules support. * Remove polkitbackend library. * Use systemd service file provided by upstream. * Reload systemd as the name of the .service file has changed. * Update policykit-1.install: - Private binaries have been moved to /usr/lib/polkit-1. - The extension system has been removed. - The .pkla files are gone and so is /var/lib/polkit-1. * Remove obsolete conffiles and the corresponding (empty) directories on upgrades. * Convert the old localauthority conf files to the new JavaScript based rules file format and make sure it is executed before 50-default.rules. * Refresh patches to apply without fuzz. * The polkitd daemon now runs as unprivileged polkitd user instead of root. Create this system user in postinst and change the directory permissions accordingly so the daemon has access to the rules files. * debian/patches/08_chdir_root.patch: Explicitly use chdir("/") instead of relying on $HOME being set properly. * Since /etc/polkit-1/rules.d/50-default.rules is a proper conffile, remove the comment from upstream that changes to that file are not preserved on upgrades. (Closes: #580634) * debian/patches/09_link_libmozjs.patch: Explicitly link against libmozjs, even if that library is dlopenend as we want to have a proper shlibs dependency. * Use --no-as-needed flag to ensure the linker doesn't remove the libmozjs dependency. * Use dh-autoreconf to update the build system. * Update the Homepage: field. Checksums-Sha1: a55a0b5be746c7acaba0b7efe4ff24e53ce4a238 3402 policykit-1_123-1~bpo23.04.dsc ed3e979be6e5224a470e12b28d0a0b67127d39fd 377045 policykit-1_123.orig-polkit-pkla-compat.tar.bz2 5d74e2bad4ae18ad75a3eb7246e73d3d0bb777db 707480 policykit-1_123.orig.tar.bz2 914a3ace056881eec3dc334d584d652092ef7410 46300 policykit-1_123-1~bpo23.04.debian.tar.xz ba485fbcbb9874f6d1ae9536341b3f58082c1371 6764 policykit-1_123-1~bpo23.04_source.buildinfo Checksums-Sha256: b396288bbf40512d2bd8c42225b0fb60d5cd946941a29f911c3248e037876b5d 3402 policykit-1_123-1~bpo23.04.dsc 28ec66928327031c9a4155a1c901fdf223d2fb7030c58fc584a96e43af9d2783 377045 policykit-1_123.orig-polkit-pkla-compat.tar.bz2 72d9119b0aa35da871fd0660601d812c7a3d6af7e4e53e237840b71bb43d0c63 707480 policykit-1_123.orig.tar.bz2 c35fdb5c9b3496adca71f0c6a67559fdd920a896687c20563823accd78a2c6ea 46300 policykit-1_123-1~bpo23.04.debian.tar.xz c91aa50aa2c95e2e36d9b3a5006b23ae23e5919d3fb0b76c08ebfbb0475c431c 6764 policykit-1_123-1~bpo23.04_source.buildinfo Files: ec956985cbf7fea556df6b5e27a0ef73 3402 admin optional policykit-1_123-1~bpo23.04.dsc 12a19cbed789ab8fbf60441b369e9cca 377045 admin optional policykit-1_123.orig-polkit-pkla-compat.tar.bz2 5e8c9fe7464776c73aa7116335d701a2 707480 admin optional policykit-1_123.orig.tar.bz2 63f25be8f1e0823f1acf2ee2fda0eabe 46300 admin optional policykit-1_123-1~bpo23.04.debian.tar.xz 807264a50069b6f89919772f14e35aaa 6764 admin optional policykit-1_123-1~bpo23.04_source.buildinfo