New PolicyKit 0.106 changes configuration file format

Bug #1086783 reported by Marc Deslauriers
Affects               Status        Importance  Assigned to  Milestone
policykit-1 (Debian)  Fix Released  Unknown
policykit-1 (Ubuntu)  Triaged       Medium      Unassigned

Bug Description

From the NEWS file:

This is polkit 0.106. There's a major change in this release which is
a switch from .pkla files (keyfile-format) to .rules files
(JavaScript).

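The format change the NEWS entry describes, shown as an added example that is not part of the bug report or of polkit itself: one localauthority .pkla entry and the equivalent rules.d JavaScript rule, evaluated side by side. The `polkit` object is a stand-in for the real rules engine so the file runs stand-alone, and the action id, group name and implicit default are constructed for illustration.

```javascript
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // The real engine runs rules in order and stops at the first one that returns a result.
  check(actionId, subject) {
    for (const rule of this._rules) {
      const r = rule({ id: actionId }, subject);
      if (r !== null && r !== undefined) return r;
    }
    return "auth_admin"; // stand-in for the action's implicit default (constructed)
  },
};
// Old format: one section from a localauthority .pkla keyfile (constructed sample).
const pklaText = `[Allow libvirt group to manage VMs]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
`;
// Keyfile parser for that single section: returns { Identity, Action, ResultAny }.
function parsePkla(text) {
  const entry = {};
  for (const line of text.split("\n")) {
    const m = line.match(/^(\w+)=(.*)$/);
    if (m) entry[m[1]] = m[2];
  }
  return entry;
}

// .pkla semantics: the entry applies only when both the action and the identity match.
function pklaDecision(entry, actionId, subject) {
  const [kind, name] = entry.Identity.split(":");
  const matches = kind === "unix-group" ? subject.groups.includes(name) : subject.user === name;
  return entry.Action === actionId && matches ? entry.ResultAny : polkit.Result.NOT_HANDLED;
}

// New format: the same decision as a rules.d JavaScript rule (action.id and
// subject.isInGroup are the names the real rules API exposes).
polkit.addRule(function (action, subject) {
  if (action.id === "org.libvirt.unix.manage" && subject.isInGroup("libvirt")) {
    return polkit.Result.YES;
  }
});

// Evaluate both forms for one subject so a migrated rule can be checked for equivalence.
function decideBoth(actionId, user, groups) {
  const subject = { user, groups, isInGroup: (g) => groups.includes(g) };
  const old = pklaDecision(parsePkla(pklaText), actionId, subject);
  return { pkla: old === null ? "auth_admin" : old, rules: polkit.check(actionId, subject) };
}
```

A rule that falls through (returns nothing) leaves the decision to later rules and finally to the action's implicit default, which is what keeps a migrated rule set from silently widening access.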
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed
Changed in policykit-1 (Debian):
status: Unknown → New
Changed in policykit-1 (Debian):
status: New → Fix Released
Jackson Doak (noskcaj) wrote :

version 0.110-3 is now in Debian experimental and upstream is at 0.111. Should we wait for Debian to call it "polkit" or merge it now?

Marc Deslauriers (mdeslaur) wrote :

Do not merge this for now. It is unlikely we will allow an insecure library such as mozjs185 to be included in main, especially for something as security-sensitive as policykit.

Changed in policykit-1 (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Leonardo Borda (lborda) wrote :

@mdeslaur

Hi, any chance we can revisit this use case again and add mozjs185 through the MIR process for newer Ubuntu versions?

Thank you

Marc Deslauriers (mdeslaur) wrote :

mozjs hasn't gotten any security updates in _years_, so no, we're not going to be able to support that package in main.

Nathan Rennie-Waldock (nathan-renniewaldock) wrote :

Could policykit be updated if it was ported to mozjs45?
It would be good if we could see it updated eventually as the JavaScript rules are much more flexible (one use would be restricting users to specific domains with libvirt).

tags: added: version-blocked
Robert Ancell (robert-ancell) wrote :

An update on the current state of this:
- polkit upstream currently depends on mozjs60
- mozjs60 is in main, but only for the use of GNOME Shell.
- The current polkit Debian/Ubuntu package has 61 patches in it, backporting lots of changes from version 106 to 116.
- There are upstream requests for running polkit without a JS interpreter.
- There is an open MR to switch from mozjs to duktape (https://gitlab.freedesktop.org/polkit/polkit/merge_requests/35).
- Debian experimental has polkit 116 packaged (i.e. with JS backend).
- I've made a proof of concept branch which reinstates the local backend (https://gitlab.freedesktop.org/rancell/polkit/tree/traditional-backend) which works.

It's desirable that we run the latest version in Debian/Ubuntu, which requires one of:
- We re-assess the use of mozjs and decide if it's acceptable in this case.
- We support the switch from mozjs to duktape if that's a safer option.
- We propose the old local backend upstream as an alternative to the JS backend.
- We carry the local backend as a patch on upstream.

Robert Ancell (robert-ancell) wrote :

I've made a forum post asking for feedback from users of polkit in Ubuntu (https://discourse.ubuntu.com/t/use-of-javascript-rules-in-polkit/13892). If you have comments please add them there instead of this bug.

Sebastien Bacher (seb128) wrote :

@Robert, I would start by getting the security team's input on using mozjs or duktape; if it's a no go from their side then we know what our options are.

Sebastien Bacher (seb128) wrote :

Removing the block tag since we agreed to move forward with updating now that there is a duktape backend.

tags: removed: version-blocked
Sebastien Bacher (seb128) wrote :

The newer versions added support for duktape, and the security team reviewed and acked the corresponding MIR bug #1997417 now. Moving forward, we need to address the MIR team feedback on duktape, migrate our rules to the new format and resolve the autopkgtest issues found in the lunar cycle.

description: updated