PackageKit policy: background and plans
James Antill
james at fedoraproject.org
Tue Nov 24 17:37:39 UTC 2009
On Tue, 2009-11-24 at 10:27 -0500, Seth Vidal wrote:
>
> On Tue, 24 Nov 2009, James Antill wrote:
>
> > On Mon, 2009-11-23 at 22:32 +0000, Colin Walters wrote:
> >> On Mon, Nov 23, 2009 at 10:02 PM, James Morris <jmorris at namei.org> wrote:
> >>>
> >>>
> >>> Possibly (it could simply be that an updated policy is weaker for some
> >>> reason) -- but it doesn't matter, there should be no way to change MAC
> >>> policy without MAC privilege.
> >>
> >> It'd be nice here if we had the ability to only grant the ability to
> >> install applications, not packages.
> >
> > "applications" is still way too broad, IMO. Even if you limit it to
> > what I assume you meant, "Desktop applications", it's not obvious that
> > is good enough.
> >
> > A useful end goal seems more likely to be something like "allow 'local'
> > users to update/install signed/trusted versions of: fonts, codecs,
> > themes, games, editors". For bonus points you could make it possible for
> > them to remove packages they have installed.
> > If done well this should even allow things like the "webadmin" role
> > being allowed to update/install apache related packages.
>
> See, this is the problem, with all the exceptions you'd need to
> codify it would make much more sense to document how to set them up and
> make it relatively easy to do so that the local admin can do so. Think of
> it like documentation for sudo but with docs that don't make everyone cry.
Oh, I agree 100%. My bad for not explaining what I meant. I'm not
saying the GUI pkg installer should come with the above as defaults,
just that it should work towards being able to "easily" provide the
above functionality.
--
James Antill - james at fedoraproject.org
http://yum.baseurl.org/wiki/releases
http://yum.baseurl.org/wiki/whatsnew/3.2.25
http://yum.baseurl.org/wiki/YumMultipleMachineCaching
More information about the fedora-devel-list
mailing list