Re: hal privileges [was: Re: [Utopia] gnome-mount 0.3 is out]

On Thu, 2006-01-12 at 17:09 +0100, Martin Pitt wrote:
> > More importantly, I'd say, you miss the connection with the hardware,
> > e.g. the hal device object. Today we have an extremely nice interface by
> > which you can say "this piece of hardware has this functionality; you
> > can invoke these methods" and any relative newcomer can go ahead and
> > send a patch to the HAL list to do this, see e.g.
> > 
> >  http://bugzilla.gnome.org/show_bug.cgi?id=309067#c3
> 
> I see. But this kind of circumventing of user privileges (which are
> traditionally defined in terms of group memberships and such)

Pft, this is not Debian - distributions like e.g. Fedora have always defined
this in terms of whether the user was at the console or not. In my view
it's a lot more sane. No, you don't have to agree.

>  is
> exactly the thing that makes an all-powerful hal so dangerous. Changes
> to hal's architecture should not only be judged by how easy it is
> to throw new stuff into it.

We are careful about reviewing things.

> > > AFAICS this mechanism provides everything that is required for proper
> > > privilege separation, without the need of splitting hald into a root
> > > and non-root part. David, are there things that would be possible with
> > > that daemon split, but not with dbus services? Do you still want to
> > > get that split into hal?
> > 
> > You know, I don't mind getting the split into HAL if it means that you
> > guys can start shipping a non-crippled HAL. 
> 
> We ship a non-dangerous hal, not a crippled one.

Comments like this really piss me off, you know. See my other mail
about your so-called "attack vector". Sheesh.

Cheers,
David
