A while ago I split the policykit-1 package into two binary packages:

- polkitd: the authorization daemon and associated utilities
- pkexec: the sudo-like tool to run arbitrary commands as root

policykit-1 is a transitional package to pull in both. Since upgrading
to upstream version 121 which uses JavaScript as the primary format
for authorization rules, it also pulls in polkitd-pkla (also known as polkit-pkla-compat upstream), which provides backwards compatibility
with sysadmins' existing .pkla authorization policies if any.

I'd like to reduce the number of dependencies on the transitional
policykit-1 package for bookworm, ideally to zero. This gives us two
desirable properties:

- The setuid /usr/bin/pkexec will be present on fewer systems, reducing
attack surface: for example CVE-2021-4034 only affected pkexec, and
polkitd was not vulnerable. After we get the dependencies fixed, I would
expect to see pkexec installed on typical laptop/desktop systems, but
not on typical servers.

- New installations won't get polkitd-pkla, so it's easier to see what
policies are applied and in what order (all backwards-compatibility
.pkla files get applied in the middle of the new sequence of .rules
files, which can be quite confusing).

A template bug mail:

-------------------------------- 8< -----------------------------------

This package has a Depends, Recommends, Suggests or Build-Depends on the transitional package policykit-1, which has been separated into polkitd
and pkexec packages.

If this package communicates with polkitd via D-Bus, please represent that
as a Depends, Recommends or Suggests on polkitd, whichever is appropriate.

If this package runs /usr/bin/pkexec, please represent that as a Depends, Recommends or Suggests on pkexec, whichever is appropriate.

If this package requires polkit at build-time (usually for the gettext extensions polkit.its and polkit.loc), please build-depend on both libpolkit-gobject-1-dev and polkitd, even if the package does not
actually depend on libpolkit-gobject-1 at runtime. This is because
the gettext extensions are currently in polkitd, but might be moved to libpolkit-gobject-1-dev in future (see #955204). pkexec is usually not
required at build-time.

For packages that are expected to be backported to bullseye, it's OK to
use an alternative dependency: polkitd | policykit-1 and/or
pkexec | policykit-1.

-------------------------------- 8< -----------------------------------

dd-list attached. I've tried to filter out false positives for packages
that already use polkitd | policykit-1, such as flatpak.

The next Lintian release will emit a depends-on-obsolete-package error
for dependencies on policykit-1 (and several other transitional packages)
which will help to make progress in this direction.

Thanks,
smcv

Alessio Treglia <[email protected]>
rtkit (U)

Andrea Bolognani <[email protected]>
libvirt (U)
libvirt-dbus (U)

Andreas Messer <[email protected]>
elogind (U)

Andrew Lee (李健秋) <[email protected]>
lxde-metapackages (U)
lxsession (U)

Andrew Pollock <[email protected]>
isc-dhcp (U)

Andriy Grytsenko <[email protected]>
lxde-metapackages (U)
lxsession (U)

Anibal Monsalve Salazar <[email protected]>
gparted (U)

Anthony Fok <[email protected]>
timekpr-next (U)

Antonio Cardoso Martins <[email protected]>
guidedog

Arnaud Ferraris <[email protected]>
modemmanager (U)

Aron Xu <[email protected]>
network-manager (U)

Axel Beckert <[email protected]>
wicd (U)

Barak A. Pearlmutter <[email protected]>
ettercap
ettercap (U)

Bertrand Marc <[email protected]>
gnunet-gtk

Boyuan Yang <[email protected]>
galternatives (U)
mintstick

Carl Fürstenberg <[email protected]>
obs-studio (U)

Chris Lamb <[email protected]>
zoneminder (U)

Christopher James Halse Rogers <[email protected]>
colord

Christopher Schramm <[email protected]>
blueman

Clément Hermann <[email protected]>
libgsecuredelete (U)

Daniel Baumann <[email protected]>
bfh-metapackages
gnunet-gtk
progress-linux-metapackages

Daniel Jared Dominguez <[email protected]>
fwupd (U)

David Mohammed <[email protected]>
budgie-control-center

Debian Accessibility Team <[email protected]>
brltty

Debian Accessibility Team <[email protected]>
brltty

Debian Chinese Team <[email protected]>
galternatives

Debian Ecosystem Init Diversity Team <[email protected]>
elogind

Debian Edu Packaging Team <[email protected]>
veyon

Debian EFI <[email protected]>
fwupd

Debian Electronics Team <[email protected]>
arduino

Debian freedesktop.org maintainers <[email protected]>
accountsservice
malcontent

Debian GNOME Maintainers <[email protected]>
deja-dup
gnome-applets
gnome-initial-setup
gnome-multi-writer
gnome-system-log
sysprof

Debian ISC DHCP Maintainers <[email protected]>
isc-dhcp

Debian ISC DHCP maintainers <[email protected]>
isc-dhcp

Debian Libvirt Maintainers <[email protected]>
libvirt
libvirt-dbus

Debian LXDE Maintainers <[email protected]>
lxde-metapackages
lxsession

Debian Multimedia Maintainers <[email protected]>
obs-studio
rtkit

Debian Printing Team <[email protected]>
hannah-foo2zjs
hplip

Debian Privacy Tools Maintainers <[email protected]>
libgsecuredelete

Debian Python Team <[email protected]>
bleachbit (U)
gui-ufw
timekpr-next

Debian Remote Maintainers <[email protected]>
x2gothinclient

Debian Security Tools <[email protected]>
ettercap
guymager

Debian SELinux maintainers <[email protected]>
selinux-dbus
selinux-python

Debian Sugar Team <[email protected]>
sugar

Debian systemd Maintainers <[email protected]>
systemd

Debian WICD Packaging Team <[email protected]>
wicd

Debian Wine Team <[email protected]>
winetricks

Debian Xfce Maintainers <[email protected]>
lightdm-gtk-greeter

Debian+Ubuntu MATE Packaging Team <[email protected]>
caja-admin
caja-dropbox
mate-applets
mate-polkit
mate-power-manager
mate-settings-daemon
mate-system-monitor

DebianOnMobile Maintainers <[email protected]>
modemmanager

Devid Antonio Filoni <[email protected]>
gui-ufw (U)

Didier Raboud <[email protected]>
fprintd (U)
hplip (U)

Dmitry Shachnev <[email protected]>
gnome-applets (U)

Dmitry Smirnov <[email protected]>
zoneminder

Emilio Pozuelo Monfort <[email protected]>
accountsservice (U)

Evangelos Rigas <[email protected]>
cpupower-gui

Evgeni Golov <[email protected]>
tuned

Fabian Wolff <[email protected]>
backintime (U)

Felipe Sateler <[email protected]>
rtkit (U)
systemd (U)

FingerForce Team <[email protected]>
fprintd

gdebi developers <[email protected]>
gdebi

Gianfranco Costamagna <[email protected]>
ettercap (U)
guidedog (U)

Giap Tran <[email protected]>
wicd (U)

Graham Inggs <[email protected]>
modem-manager-gui
modem-manager-gui (U)

Guido Günther <[email protected]>
libvirt (U)
modemmanager (U)

gustavo panizzo <[email protected]>
tuned (U)

handsome_feng <[email protected]>
ukui-biometric-auth (U)

Henry-Nicolas Tourneur <[email protected]>
modemmanager (U)

Hugo Lefeuvre <[email protected]>
bleachbit

Iain Lane <[email protected]>
deja-dup (U)
gnome-applets (U)
gnome-system-log (U)

Ian Jackson <[email protected]>
elogind (U)

intrigeri <[email protected]>
libgsecuredelete (U)

James Lu <[email protected]>
lightdm-gtk-greeter-settings

Jens Reyer <[email protected]>
winetricks (U)

Jeremy Bicha <[email protected]>
deja-dup (U)
gnome-applets (U)
gnome-initial-setup (U)
gnome-multi-writer (U)
gnome-system-log (U)
sysprof (U)

Jeremy Bicha <[email protected]>
deja-dup (U)
gnome-initial-setup (U)
sysprof (U)

Joao Eriberto Mota Filho <[email protected]>
grub-customizer
linssid

John Paul Adrian Glaubitz <[email protected]>
caja-dropbox (U)
mate-applets (U)
mate-polkit (U)
mate-power-manager (U)
mate-settings-daemon (U)
mate-system-monitor (U)

Jonas Smedegaard <[email protected]>
sugar (U)

Jonathan Carter <[email protected]>
calamares

Jonathan Wiltshire <[email protected]>
backintime

Joseph Bisch <[email protected]>
winetricks (U)

Josselin Mouette <[email protected]>
gnome-system-log (U)

Julian Andres Klode <[email protected]>
hplip (U)
packagekit (U)

Kamal Mostafa <[email protected]>
trace-cmd (U)

Kartik Mistry <[email protected]>
scanmem (U)

Kylin Team <[email protected]>
ukui-biometric-auth

Laurent Bigonville <[email protected]>
deja-dup (U)
gnome-initial-setup (U)
gnome-system-log (U)
malcontent (U)
realmd (U)
selinux-dbus (U)
selinux-python (U)
sysprof (U)

Laurent Léonard <[email protected]>
libvirt (U)

Luca Boccassi <[email protected]>
systemd (U)

Luke Yelavich <[email protected]>
rtkit (U)

Marcio de Souza Oliveira <[email protected]>
zulucrypt

Marco d'Itri <[email protected]>
systemd (U)

Marco Trevisan <[email protected]>
fprintd (U)

Mario Limonciello <[email protected]>
fwupd (U)

Mario Limonciello <[email protected]>
fwupd (U)

Mark Hindley <[email protected]>
elogind (U)

Mark Purcell <[email protected]>
hplip (U)

Martin <[email protected]>
modemmanager (U)

Martin Pitt <[email protected]>
cockpit (U)
policykit-1-gnome (U)
systemd (U)
udisks2 (U)
upower (U)

Martin Wimpress <[email protected]>
caja-dropbox (U)
mate-applets (U)
mate-system-monitor (U)

Mathieu Trudel-Lapierre <[email protected]>
modemmanager

Matteo F. Vescovi <[email protected]>
modem-manager-gui

Matthias Klumpp <[email protected]>
fwupd (U)
packagekit

Michael Biebl <[email protected]>
cockpit (U)
gnome-multi-writer (U)
gnome-system-log (U)
network-manager (U)
policykit-1-gnome (U)
sysprof (U)
systemd (U)
udisks2 (U)
upower (U)

Michael Gilbert <[email protected]>
isc-dhcp (U)

Michael Prokop <[email protected]>
guymager (U)

Michael Vogt <[email protected]>
gdebi (U)
synaptic

Mihai Moldovan <[email protected]>
x2gothinclient (U)

Mike Gabriel <[email protected]>
caja-admin (U)
caja-dropbox (U)
mate-applets (U)
mate-polkit (U)
mate-power-manager (U)
mate-settings-daemon (U)
mate-system-monitor (U)
veyon (U)
x2gothinclient (U)

Miriam Ruiz <[email protected]>
gui-ufw (U)

Murat Demirten <[email protected]>
ettercap (U)

Patrick Matthäi <[email protected]>
needrestart-session

Petr Baudis <[email protected]>
mate-power-manager (U)

Philip Hands <[email protected]>
arduino (U)

Phillip Susi <[email protected]>
gparted

Phillip Susi <[email protected]>
gparted

Python Applications Packaging Team <[email protected]>
bleachbit (U)
gui-ufw

Ritesh Raj Sarraf <[email protected]>
sysprof (U)

Russell Coker <[email protected]>
selinux-dbus (U)
selinux-python (U)

Samuel Thibault <[email protected]>
brltty (U)

Santiago Ruano Rincón <[email protected]>
isc-dhcp (U)
sugar (U)

Scott Howard <[email protected]>
arduino
arduino (U)

Sebastian Parschauer <[email protected]>
scanmem

Sebastian Ramacher <[email protected]>
obs-studio (U)

Sebastien Bacher <[email protected]>
deja-dup (U)
gnome-initial-setup (U)

Seth Forshee <[email protected]>
trace-cmd (U)

Sjoerd Simons <[email protected]>
network-manager (U)
systemd (U)

Stefano Karapetsas <[email protected]>
caja-dropbox (U)
mate-applets (U)
mate-polkit (U)
mate-power-manager (U)
mate-settings-daemon (U)
mate-system-monitor (U)

Steve McIntyre <[email protected]>
fwupd (U)

Sudip Mukherjee <[email protected]>
kernelshark
trace-cmd

Thorsten Alteholz <[email protected]>
hplip (U)

Till Kamppeter <[email protected]>
hplip (U)

Ubuntu Developers <[email protected]>
gdebi

Ubuntu Kernel Team <[email protected]>
trace-cmd

Utopia Maintenance Team <[email protected]>
cockpit
network-manager
policykit-1-gnome
realmd
udisks2
upower

Vangelis Mouhtsis <[email protected]>
caja-admin (U)
caja-dropbox (U)
mate-applets (U)
mate-polkit (U)
mate-power-manager (U)
mate-settings-daemon (U)
mate-system-monitor (U)

xiao sheng wen <[email protected]>
grub-customizer

Yangfl <[email protected]>
galternatives (U)

Yanhao Mo <[email protected]>
hotspot

Yann Amar <[email protected]>
bilibop

Yves-Alexis Perez <[email protected]>
lightdm-gtk-greeter (U)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)