colord ebuild depends on polkit although this dependency is optional and could be moved under the use flag

Reproducible: Always

Steps to Reproduce:
1. mask polkit
2. Add -policykit to USE
3. try to emerge colord

Actual Results: Would complain about unmet dependencies

Expected Results: Compiles and installs correctly
Created attachment 332892: Patch to fix dependencies

There is an option to enable/disable polkit dependency, so here is the patch that fixes it. Tested and it's working.
+1 That would reduce some workload from me (maintaining this package in my private overlay)...
Not every option needs a USE-flag switch to control it. "Compiles and installs" is not a sufficient argument for adding something to portage. So please explain:

Why do you want colord without polkit? Is this an experiment in minimizing the number of dependencies, or is there a specific reason why you cannot use polkit on a machine, but do need colord on that machine?

How did you verify that colord without polkit was working? (compiles != works)

What are the security implications of disabling polkit support? (You should probably start by looking at cd_main_sender_authenticated() in src/cd-common.c, and at the code paths which use that function. I suspect that additional patching of colord would be required to avoid potential attacks.)
(In reply to comment #3)
> Not every option needs a USE-flag switch to control it. "Compiles and installs" is not a sufficient argument for adding something to portage. So please explain:
>
> Why do you want colord without polkit? Is this an experiment in minimizing the number of dependencies, or is there a specific reason why you cannot use polkit on a machine, but do need colord on that machine?

Well, with polkit, I would also need consolekit and I don't believe/trust any of them. Frankly, I stumbled upon this when I tried colorhug-client and gnome-color-manager, which have it as a dependency, and I remembered that when I was talking to Richard he told me that I don't need polkit to run colord, with the usual implications - the possibility to mess with colors remotely. Which I don't care about. And these utils only depend on polkit through colord, and after compiling everything without polkit, I was able to play with my colorhug through them. OK, a better approach might be to verify these dependencies, but at least for gnome, I suspect it will be a hard dependency.

> How did you verify that colord without polkit was working? (compiles != works)

Well, it runs, and utilities depending on it work. So far I didn't get much deeper.

> What are the security implications of disabling polkit support? (You should probably start by looking at cd_main_sender_authenticated() in src/cd-common.c, and at the code paths which use that function. I suspect that additional patching of colord would be required to avoid potential attacks.)

Hmmm, security implications, what about a big fat warning about them? I'll take a look at what they are...
(In reply to comment #4) OK, I will think about this when I get back from break; it will probably be enough to patch /etc/dbus-1/system.d/org.freedesktop.ColorManager.conf when USE=-polkit to limit who can call into colord.
Any news here?
Please make polkit optional!
(In reply to Alexandre Rostovtsev from comment #5)
> (In reply to comment #4)
>
> OK, I will think about this when I get back from break; it will probably be enough to patch /etc/dbus-1/system.d/org.freedesktop.ColorManager.conf when USE=-polkit to limit who can call into colord.

What patch is needed?
I can confirm this functions fine. I also don't see what is offending in /etc/dbus-1/system.d/org.freedesktop.ColorManager.conf in regards to permissions. What do you propose, that only members of some group colord may use colord? The dbus interface is only accessible from logged-in users. colord runs as its own user and functions fine; I have been utilizing this for several months. If the developers wanted polkit hard-coded they wouldn't have built their own packages for it to be optional. Think it over. Just because polkit is popular does not presuppose it is essential, or relevant to all Gentoo builds.
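The D-Bus policy question raised in the comments above, as an added example that is not part of the bug thread or of colord: a small audit that reads a system-bus policy and reports who may send to org.freedesktop.ColorManager. Both policy texts are constructed samples (not colord's shipped file), the "colord" group restriction is hypothetical, and only whole-service `send_destination` rules in default, user and group policies are modelled.

```python
import xml.etree.ElementTree as ET

BUS_NAME = "org.freedesktop.ColorManager"

# Constructed sample: any local caller may send to the service.
OPEN_POLICY = """<busconfig>
  <policy user="colord"><allow own="org.freedesktop.ColorManager"/></policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.ColorManager"/>
  </policy>
</busconfig>"""

# Constructed sample: hypothetical USE=-polkit restriction to root and a "colord" group.
RESTRICTED_POLICY = """<busconfig>
  <policy user="colord"><allow own="org.freedesktop.ColorManager"/></policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.ColorManager"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.freedesktop.ColorManager"/>
  </policy>
  <policy group="colord">
    <allow send_destination="org.freedesktop.ColorManager"/>
  </policy>
</busconfig>"""

def audit(policy_xml, bus_name=BUS_NAME):
    """Return (everyone_allowed, principals explicitly allowed to send)."""
    verdict = {}
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("context") == "default":
            who = "*"
        elif policy.get("user"):
            who = "user:" + policy.get("user")
        elif policy.get("group"):
            who = "group:" + policy.get("group")
        else:
            continue  # at_console and mandatory policies are not modelled
        for rule in policy:
            # Only rules covering the whole service; narrower rules are skipped.
            if rule.tag in ("allow", "deny") and rule.attrib == {"send_destination": bus_name}:
                verdict[who] = rule.tag == "allow"  # a later rule overrides an earlier one
    everyone = verdict.pop("*", False)
    return everyone, sorted(p for p, ok in verdict.items() if ok)

if __name__ == "__main__":
    for name, text in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit(text))
```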
Created attachment 378034: proposed ebuild

I'm currently using this ebuild to use a (working) colord. polkit is optional, as you can see. I've changed the memory limit since my PC has a total of 4G RAM shared between CPU and GPU, and, as a result, less than 4G. Besides that, everything seems to work fine.
+*colord-1.2.1 (17 Jun 2014) + + 17 Jun 2014; Pacho Ramos <pacho@gentoo.org> +colord-1.2.1.ebuild: + Version bump, make polkit optional (#448058) +
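Review bot: The entry text "Version bump, make polkit optional (#448058)" does not say what guards colord's D-Bus methods when polkit is disabled. The bug discussion raised restricting /etc/dbus-1/system.d/org.freedesktop.ColorManager.conf for USE=-polkit and pointed at cd_main_sender_authenticated() in src/cd-common.c, so the entry should state whether the bump includes such a policy change or ships the flag without it.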