FS#77799 - [pcsclite] split the package, so that only the daemon would depend on polkit?
Attached to Project:
Community Packages
Opened by Neven Sajko (Neven) - Thursday, 09 March 2023, 21:55 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:09 GMT
Opened by Neven Sajko (Neven) - Thursday, 09 March 2023, 21:55 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:09 GMT
|
Details
A few days ago Polkit support was enabled in the pcsc-lite
package, which also required adding polkit to package
dependencies. However, checking the files in /usr/bin and
/usr/lib owned by pcsc-lite with ldd seems to indicate that
the pcscd daemon is the only thing that actually depends on
polkit.
My situation is that I use KeePassXC, but don't use smartcards (who does, anyway?). Would it be possible to split the pcsclite package, so that the daemon wouldn't taint the other parts by depending on Polkit? |
This task depends upon
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:09 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/pcsclite/issues/1
Saturday, 25 November 2023, 20:09 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/pcsclite/issues/1
"Smartcards" also covers the modern USB keys like YubiKeys.
FTR, Polkit support was added because it seemed to help the Yubico Authenticator from Flathub connect reliably.
If you don't want normal users to shutdown the system, you can tweak polkit rules to achieve this.
pcscd depends only on a library (libpolkit-gobject-1.so.0), so I think we shouldn't split the pcsclite package just for that. It might be possible to split the polkit package into polkit and polkit-libs, since the polkit daemon is probably not a requirement for the libs, but I would prefer to don't do that, and leave everything as is.
On servers and server-ish systems, I'd also prefer not having polkit installed.
I use NitroKey Pro 2 with a physical smartcard inside and RuToken which emulates a smartcard to be driver-less. Both are modern devices.
For me the main problem that now I have to add PolKit + DBus to my initrd to unlock a LUKS2-encrypted root partition with a PKCS#11 token. There is no much sense to use PolKit in initrd IMHO. So I think the right solution would be to add a runtime option to start `pcscd` with PolKit checks disabled, so it can be used without PolKit in initrd and with PolKit in the main system. And such an option would make PolKit an optional dependency and help with this issue.
EDIT: it's already there: https://github.com/LudovicRousseau/PCSC/commit/a9c7c0886acfb6ca4cae1426a623a8cff2e9846c