[Bug 1035207] Re: [FFe] passwordless install of webapps (based on repo whitelist)

[Michael Vogt]

** Description changed:

- For the unity-webapps work the webapps team would like to install packages that only contain unity-webapps
- passwordless for a better user experience. They are regular packages but of a very simple form, essentially
- just a javascript file and a icon and no maintainer scripts.
+ For the unity-webapps work the webapps team would like to install packages that only 
+ contain unity-webapps passwordless for a better user experience. They are regular packages but of a very simple form, essentially just a javascript file and a icon and no 
+ maintainer scripts.
  
- My proposal would be to add a new class of policykit action "org.debian.apt.install-package-whitelisted" that
- we can override the permissons via /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla (policykit-desktop-privileges) similar to what we did with "org.debian.apt.upgrade-packages".
+ My proposal would be to add a new class of policykit action:
+ "org.debian.apt.install-packages.high-trust-repo" that requires the same authentication by default as install-or-remove-packages (i.e. auth_admin).
  
- The whitelist of the repository would be based on "Origin,Components" and packagename regexp. So something like:
- (LP-PPA-app-review-board, main, ^unity-webapps-.*") for the webapps case.
+ This can then be override by the webapps package via
+ /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
+ (policykit-desktop-privileges) similar to what we did in the policykit-
+ desktop-priviledges with "org.debian.apt.upgrade-packages" to not
+ require a password prompt.
  
- Does that looks like a good approach to you?
+ The whitelist of the repository would be based on "Origin,Components" and packagename regexp. So something like: (LP-PPA-app-review-board, main, ^unity-webapps-.*") for the webapps case and this would be shipped as part of the webapps-package into 
+ /etc/aptdaemon/high-trust-repository-whitelist.d/
+ 
+ This is all implemented now and I would like to ask for a feature freeze exception to add
+ this into current quantal.
+ 
+ Note that this feature is generic enough to be useful other use-cases
+ like internal company repositories that are trusted.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to aptdaemon in Ubuntu.
https://bugs.launchpad.net/bugs/1035207

Title:
  [FFe] passwordless install of webapps (based on repo whitelist)

Status in “aptdaemon” package in Ubuntu:
  In Progress

Bug description:
  For the unity-webapps work the webapps team would like to install packages that only 
  contain unity-webapps passwordless for a better user experience. They are regular packages but of a very simple form, essentially just a javascript file and a icon and no 
  maintainer scripts.

  My proposal would be to add a new class of policykit action:
  "org.debian.apt.install-packages.high-trust-repo" that requires the same authentication by default as install-or-remove-packages (i.e. auth_admin).

  This can then be override by the webapps package via
  /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
  (policykit-desktop-privileges) similar to what we did in the
  policykit-desktop-priviledges with "org.debian.apt.upgrade-packages"
  to not require a password prompt.

  The whitelist of the repository would be based on "Origin,Components" and packagename regexp. So something like: (LP-PPA-app-review-board, main, ^unity-webapps-.*") for the webapps case and this would be shipped as part of the webapps-package into 
  /etc/aptdaemon/high-trust-repository-whitelist.d/

  This is all implemented now and I would like to ask for a feature freeze exception to add
  this into current quantal.

  Note that this feature is generic enough to be useful other use-cases
  like internal company repositories that are trusted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1035207/+subscriptions