PackageKit policy: background and plans
Seth Vidal
skvidal at fedoraproject.org
Tue Nov 24 15:27:43 UTC 2009
On Tue, 24 Nov 2009, James Antill wrote:
> On Mon, 2009-11-23 at 22:32 +0000, Colin Walters wrote:
>> On Mon, Nov 23, 2009 at 10:02 PM, James Morris <jmorris at namei.org> wrote:
>>>
>>>
>>> Possibly (it could simply be that an updated policy is weaker for some
>>> reason) -- but it doesn't matter, there should be no way to change MAC
>>> policy without MAC privilege.
>>
>> It'd be nice here if we had the ability to only grant the ability to
>> install applications, not packages.
>
> "applications" is still way too broad, IMO. Even if you limit it to
> what I assume you meant, "Desktop applications", it's not obvious that
> is good enough.
>
> A useful end goal seems more likely to be something like "allow 'local'
> users to update/install signed/trusted versions of: fonts, codecs,
> themes, games, editors". For bonus points you could make it possible for
> them to remove packages they have installed.
> If done well this should even allow things like the "webadmin" role
> being allowed to update/install apache related packages.
>
See, this is the problem, with all the exceptions you'd need to
codify it would make much more sense to document how to set them up and
make it relatively easy to do so that the local admin can do so. Think of
it like documentation for sudo but with docs that don't make everyone cry.
-sv
More information about the fedora-devel-list
mailing list