On Wed, Mar 12, 2014 at 04:58:42PM +0100, Andreas Seeg wrote:
Dear list-subscribers,
my fellow IT administrators and I are considering the option of allowing our users to install additional software present in already added, official repositories or software that is signed with already trusted keys. We are in the process of updating all clients to openSUSE 13.1.
To get this functionality, we changed a file in /etc/polkit-1/localauthority and set ResultActive to yes (instead of auth_admin) for org.freedesktop.packagekit.package-install -only-. (I'm not 100% sure about the filename as I have limited access to our test environment right now.)
Interesting that this worked, as polkit has dropped the localauthority backend and only does JavaScript rules now.
We changed nothing for org.freedesktop.packagekit.package-install-untrusted, leaving it to ask for the root password before installing "untrusted" software (as far as I understood polkit).
I have a hard time finding how PackageKit internally decides that it's "untrusted". I however think that the PackageKit zypp backend might not be reporting this correctly.
I'm not entirely sure what to do at this point to circle in on the problem. We don't want users (or exploits...) to be able to install unsigned packages. As we are using AutoYaST, we aren't ruling out that our current autoyast.xml-file might alter some openSUSE settings permanently, but from our understanding, settings described there should only apply to the "live-system" used to install the system.
You will probably need to ask our zypp gurus :/
Any pointers are greatly appreciated, especially to official documentation for packagekit/polkit if they describe install-packages and install-packages-untrusted in detail.
The exact meaning seems lacking.

Ciao, Marcus
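For reference, the change described in the thread expressed as a polkit JavaScript rule. This is an added example, not code from either poster or from openSUSE. The `shim` object and the `decide` helper are constructed here so the rule can be evaluated outside polkitd, and the rule would live in a file of your choosing under /etc/polkit-1/rules.d/.

```javascript
// Stand-in for the `polkit` object that polkitd injects into rule files.
// Constructed for this example so the rule can be run under Node.
var shim = {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    rules: [],
    addRule: function (fn) { this.rules.push(fn); }
};
var pk = (typeof polkit !== "undefined") ? polkit : shim;

// The rule: allow installing trusted packages without a password, but only
// for a user sitting at an active local session.
pk.addRule(function (action, subject) {
    // Exact match on purpose. A prefix match (indexOf(...) === 0) would also
    // cover org.freedesktop.packagekit.package-install-untrusted.
    if (action.id === "org.freedesktop.packagekit.package-install" &&
        subject.local && subject.active) {
        return pk.Result.YES;
    }
    // Returning nothing leaves every other action, including
    // package-install-untrusted, to later rules and the action's defaults.
});

// Evaluate the registered rules in order; the first one that returns a
// result wins. "not_handled" means the action's own defaults apply.
// polkit only sees the action id PackageKit asks about; which id is used
// for a given package is decided by PackageKit and its backend.
function decide(actionId, subject) {
    for (var i = 0; i < shim.rules.length; i++) {
        var result = shim.rules[i]({ id: actionId }, subject);
        if (result) {
            return result;
        }
    }
    return shim.Result.NOT_HANDLED;
}
```
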