On 08/15/15 10:02 AM, Jasper St. Pierre wrote:
So, where did we get with this?
* JavaScript rules are (somewhat) a failure, but it's not something
we can back out of easily, because doing that could break people who
rely on JS rules, causing a gap where rules aren't being applied. Not
a good situation to be in. Going back to PKLA rules might also mean
that someone who can't express complex ACL logic in those rules means
that they reinvent polkit in their app.
* Even though mozjs isn't getting new stable standalone releases, the
fact that it's been more "battle-tested" than Duktape means that it's
still a better pick. Even though it's much slower for our use-case and
much more complex than it needs to be.
Is that a good summary?
Is it really better than mozjs considering how ancient of a version
polkit builds with currently?
Quite frankly, from a distribution maintainer's perspective, it would be
far preferable to use duktape or something far smaller and more bounded.
polkit's dependency on mozjs is a royal pain, especially for
distributions that build on more "niche" platforms where mozjs is only
recently gaining support for some hardware and operating systems.
As a result, currently, distribution maintainers not only end up
responsible for porting mozjs themselves, but they end up having to port
or patch polkit to work with later versions.
I'd also think from a security perspective that having a much smaller
attack surface would be preferable.
-Shawn
_______________________________________________
polkit-devel mailing list
polkit-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/polkit-devel
