[Bug 1035207] Re: [FFe] passwordless install of webapps (based on repo whitelist)

Stéphane Graber stgraber at stgraber.org
Wed Sep 12 14:23:54 UTC 2012

Approved on the condition that the security team confirms the current
implementation matches their requirements and that this lands on the
17th at the latest (so we have room to revert before beta2 freeze if
something goes wrong).

** Changed in: aptdaemon (Ubuntu)
       Status: In Progress => Triaged

You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to aptdaemon in Ubuntu.

  [FFe] passwordless install of webapps (based on repo whitelist)

Status in “aptdaemon” package in Ubuntu:

Bug description:
  For the unity-webapps work the webapps team would like to install packages that only 
  contain unity-webapps passwordless for a better user experience. They are regular packages but of a very simple form, essentially just a javascript file and a icon and no 
  maintainer scripts.

  My proposal would be to add a new class of policykit action:
  "org.debian.apt.install-packages.high-trust-repo" that requires the same authentication by default as install-or-remove-packages (i.e. auth_admin).

  This can then be override by the webapps package via
  (policykit-desktop-privileges) similar to what we did in the
  policykit-desktop-priviledges with "org.debian.apt.upgrade-packages"
  to not require a password prompt.

  The whitelist of the repository would be based on "Origin,Components" and packagename regexp. So something like: (LP-PPA-app-review-board, main, ^unity-webapps-.*") for the webapps case and this would be shipped as part of the webapps-package into 

  This is all implemented now and I would like to ask for a feature freeze exception to add
  this into current quantal.

  Note that this feature is generic enough to be useful other use-cases
  like internal company repositories that are trusted.

To manage notifications about this bug go to:

More information about the foundations-bugs mailing list