On Fri, 2018-02-23 at 16:31 +0100, Matthias Gerstner wrote:
the SUSE security team recently decided to turn the rpmlint check
"polkit-untracked-privilege" into an error. Currently this is only an
informational message. If you get messages like these in your package:
gvfs-backends.x86_64: I: polkit-untracked-privilege
then they will become an error with 10.000 extra
badness in the future,
as is the case with other polkit related errors. This affects all
packages in openSUSE:Factory.
Looking forward to the errors in Staging, which will all need to get
fixed before that check becomes an error in Factory.
The rationale behind that is that even though these
polkit rules seem
harmless (only locally logged in users with admin privileges can acquire
the polkit privilege), they can expose security issues. This is because
the correct enforcement of the polkit policy is depending on the
individual package's polkit adaption.
Therefore such packages must go through a review
process with the
security team. You can trigger this process by opening a bug against
security-team(a)suse.de and adding an AUDIT prefix to the bug summary.
For more about this please refer to this wiki page:
So far the argument was that calling any such thing is at the same risk
level as running any random binary using sudo. Which means every
We don't expect many packages to be affected by this. If you have any
questions please reach out to us.
Sadly, this is a brp warning, not an rpmlint warning - otherwise we'd
have at least some upfront information about it. At this time, it's a
"let's get surprised how much will break" - not exactly my most
I'll see to get some information extracted from the 12k build logs of
Factory - then we should have some better information about how many
packages will be affected by this.