Sorry for the delayed reply. I was on vacation last week.
So far the argument was that calling any such thing is at the same risk
level as running any random binary using sudo. Which means every
I am not quite sure if I understand your point. Polkit rules cannot be
directly compared to sudo usage.
Running a D-Bus service that utilizes polkit as root can immediately
open a security vulnerability without requiring any further action on
the user's side.
I do not think that the same is the case involving sudo (the user would
need to actively change sudo configuration).
We don't expect many packages to be affected by this. If you have any
questions please reach out to us.
Sadly, this is a brp warning, not an rpmlint warning - otherwise we'd
have at least some upfront information about it.
Are you sure about that? I do not know anything about brp. All changes I
worked on are located in rpmlint packages.
At this time, it's a "let's get surprised how much will break" - not
exactly my most favorite thing.
You are right. It seems we have underestimated the impact. We should
have discussed this with you before changing it. My apologies.
Thank you for checking up on the affected packages and opening bugs for
them. I have discussed this in the team and we will whitelist these
packages immediately to keep the impact low.
The reviews will then follow in time afterwards.