Comment 1 Daniel Gryniewicz (RETIRED) 2010-10-10 13:34:50 UTC

I do not believe this is a good idea.  Hal cannot use polkit, only policykit, and therefore would lose functionality.  Users can turn it off if they want, and the dep will, of course, go away with hal.

Comment 2 Samuli Suominen (RETIRED) 2010-10-10 13:48:44 UTC

the old policykit to function properly needs <consolekit-0.4, right now it's doing more harm than good...

Comment 3 Samuli Suominen (RETIRED) 2010-10-10 13:52:42 UTC

see e.g. http://bugs.gentoo.org/show_bug.cgi?id=296153#c25 
and seriously, other distribs are still shipping hal but with old policykit disabled. there's no interaction between them...

Comment 4 Samuli Suominen (RETIRED) 2010-10-10 14:11:42 UTC

Created attachment 250119 [details]
ChangeLog from Debian HAL

Debian's HAL package disabling both obsolete ConsoleKit and PolicyKit.

 * debian/rules
    - Pass --disable-policy-kit and --disable-console-kit to
      DEB_CONFIGURE_EXTRA_FLAGS.

They apply 2 patch's to retain at-console support,

 * debian/patches/10_nonpolkit-mount-policy.patch
    - Only allow root to mount fixed (internal) storage devices.

 * debian/patches/01_at_console.patch
   - Restrict access to the HAL D-Bus service using "at_console" and
     alternatively group powerdev/plugdev.

Comment 5 Samuli Suominen (RETIRED) 2010-10-10 14:13:17 UTC

Browsed other distribs (including Fedora) and they do the same. No deprecated Policykit, or Consolekit.    Just these 2 patches, or slightly differenting ones accomplishing same.

Comment 6 Daniel Gryniewicz (RETIRED) 2010-10-11 00:31:14 UTC

I'll look into the patches to retain at-console.  If it's possible, I'll do it.

Comment 7 Daniel Gryniewicz (RETIRED) 2010-10-11 00:37:21 UTC

Debian, at least, loses all at_console functionality.  They only retain plugdev/powerdev groups, which is not an acceptable solution, IMO.  What they *do* allow for any non-root UID to mount removable drives, which is an interesting compromise.  I'll look at other distros.

Comment 8 Daniel Gryniewicz (RETIRED) 2010-10-11 01:00:28 UTC

Okay, it looks like all the other distros depend on dbus at_console checks, which depends on something setting /var/lib/console/<userid>.  ConsoleKit sets this on my system.  Does something set that on a CK free system?  If so, that's probably sufficient (assuming upgrade from a current system isn't too much of a pain).

Comment 9 Rémi Cardona (RETIRED) 2010-10-11 06:38:25 UTC

(In reply to comment #8)
> Okay, it looks like all the other distros depend on dbus at_console checks,
> which depends on something setting /var/lib/console/<userid>.

pam_console (does it even still work?) used to be able do this IIRC. But it was a big hack. A crashing X would sometimes block you from getting the at_console back, or someone else remotely logging on your machine using ssh would do that too. Properly configuring it required ample PAM knowledge.

ConsoleKit is the "least bad" of all the *Kits out there. It only does a couple things, and usually does the job well.

Cheers :)

Comment 10 Samuli Suominen (RETIRED) 2010-12-18 22:52:50 UTC

*** Bug 295152 has been marked as a duplicate of this bug. ***

Comment 11 Samuli Suominen (RETIRED) 2010-12-18 23:22:44 UTC

What's the status of this? 
sys-apps/hal is now the only package in tree depending on sys-auth/policykit
it's not required, doesn't work anymore and is just causing "IsCallerPrivileged" errors with HAL
For the remaining purposes of HAL, it should be fine to simply kill the USE flag...

Comment 12 Daniel Gryniewicz (RETIRED) 2010-12-21 16:34:10 UTC

Okay, I bit the bullet and did this in -r4.  Let the bug floodgates open...