update manager no longer asking for password in 11.10

macgyver macgyver at calibre-solutions.co.uk
Fri Oct 21 00:04:26 UTC 2011


On Thu, 20 Oct 2011 20:14:04 +0000 (UTC), sktsee <sktseer at gmail.com> wrote:
> On Thu, 20 Oct 2011 20:17:26 +0100, Colin Law wrote:
>
> Naw, you don't have to authenticate using the command-line...
> 
> For example, on oneiric - i386
> 
> $ sudo apt-get remove alsa-utils
> (removes alsa-utils and ubuntu-desktop)
> 
> $ wget http://archive.ubuntu.com/pub/ubuntu/pool/main/a/alsa-utils/alsa-utils_1.0.24.2-0ubuntu8_i386.deb
> (get previous package version)
> 
> $ sudo dpkg -i alsa-utils_1.0.24.2-0ubuntu8_i386.deb
> (install it)
^^^^^^^^^^^^^^^^^

And that is where I see that a problem lies.

Without any prompting of the user, something has been replaced.

One could have a script written to remove a default package, download a
copy of a package from *somewhere* (i.e. not an Ubuntu repository) and
"install" it... with anything someone wanted to have as part of the
"replacement" package.

All without authentication - and potentially without any user interaction.

Not what I would want.


> Now comes the magic...
> 
> $ aptdcon -c
> [+] 100% Successful 
> (refreshed package list cache, no auth)
> 
> $ aptdcon --safe-upgrade
> The following package will be upgraded (1):
>   alsa-utils
> After this operation, 4096 B of additional disk space will be used.
> Do you want to continue [Y/n]? y
> (Reading database ... 136398 files and directories currently installed.)
> Preparing to replace alsa-utils 1.0.24.2-0ubuntu8 (using .../alsa-utils_1.0.24.2-0ubuntu8.1_i386.deb) ...
> Unpacking replacement alsa-utils ...
> Processing triggers for man-db ...
> Processing triggers for ureadahead ...
> Setting up alsa-utils (1.0.24.2-0ubuntu8.1) ...
> [+] 100% Successful
> 
> No authentication required for refreshing package cache and
> upgrading already installed packages!
> 
> See also:
> 
> No authentication needed:
> 
> for mount/unmount filesystems, fsck filesystems, labeling filesystems, etc.
> through udisks and palimpsest (Disk utility)
> 
> and
> 
> for adding/changing network connections in Network Manager
> 
> and 
> 
> for setting the clock
> 
> and
> 
> for everything else listed in
> 
> /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
> 
> If you really dislike being able to install updates without authentication
> then edit the file mentioned above and change the line "ResultActive=yes"
> in the stanza "[Update already installed software]" to
> "ResultActive=auth_admin".


Er yeah - dislike that feature is an understatement.


To me - this smacks of some laziness of the dev not wanting to have to type
in their password every time they are doing some testing.

Sorry - struggling to see how this change is "good" progress.

As for the dev stating "Won't fix", for me and my systems, I think I am
going to start looking at policy kit in somewhat more depth to see what
else I may like to see changed.

--
AM
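
An added example, not part of the original post: a small audit script that lists every stanza in a .pkla file, such as the com.ubuntu.desktop.pkla file named in the thread, that grants an action without a password prompt. The function names and the Identity/Action values in the sample are assumptions; only the stanza title and the ResultActive values come from the thread.

```python
import configparser
import sys

# Constructed sample in .pkla layout. The first stanza title and the
# ResultActive values come from the thread; Identity/Action values are assumed.
SAMPLE_PKLA = """\
[Update already installed software]
Identity=unix-group:admin;unix-group:sudo
Action=org.debian.apt.upgrade-packages
ResultActive=yes

[Hypothetical hardened stanza]
Identity=unix-group:admin
Action=org.example.placeholder.hardened
ResultActive=auth_admin

[Hypothetical stanza open to every session]
Identity=unix-user:*
Action=org.example.placeholder.one;org.example.placeholder.two
ResultAny=yes
ResultActive=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def split_list(value):
    """Split a ';'-separated .pkla value into its non-empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]

def find_passwordless(text):
    """Return one finding per stanza that grants an action with no prompt."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # .pkla keys are case-sensitive; do not lowercase
    parser.read_string(text)
    findings = []
    for stanza in parser.sections():
        section = parser[stanza]
        granted_by = [k for k in RESULT_KEYS if section.get(k, "").strip() == "yes"]
        if granted_by:
            findings.append({"stanza": stanza, "granted_by": granted_by,
                             "identities": split_list(section.get("Identity", "")),
                             "actions": split_list(section.get("Action", ""))})
    return findings

if __name__ == "__main__":
    # Pass a .pkla path as the first argument; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PKLA
    for f in find_passwordless(text):
        print(f"[{f['stanza']}] {f['granted_by']} = yes for {f['identities']} on {f['actions']}")
```

A stanza drops out of the report once its "yes" values are changed to "auth_admin", which is the edit described in the quoted message.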



