Hello Dominique, sorry for the delayed reply. I was on vacation last week.
> So far the argument was that calling any such thing is at the same risk level as running any random binary using sudo. Which means every binary.
I am not quite sure if I understand your point. Polkit rules cannot be directly compared to sudo usage. Running a D-Bus service that utilizes polkit as root can immediately open a security vulnerability without requiring any further action on the user's side. I do not think that the same is the case involving sudo (the user would need to actively change sudo configuration).
>> https://en.opensuse.org/openSUSE:Package_security_guidelines
>> We don't expect many packages to be affected by this. If you have any questions please reach out to us.
> Sadly, this is a brp warning, not an rpmlint warning - otherwise we'd have at least some upfront information about it.
Are you sure about that? I do not know anything about brp. All changes I worked on are located in rpmlint packages.
> At this time, it's a "let's get surprised how much will break" - not exactly my most favorite thing.
You are right. It seems we have underestimated the impact. We should have discussed this with you before changing it. My apologies. Thank you for checking up on the affected packages and opening bugs for them. I have discussed this in the team and we will whitelist these packages immediately to keep the impact low. The reviews will then follow in time afterwards.

Regards
Matthias