Bug#1090384: xfce4: should provide a polkit agent
With polkit co-maintainer and GNOME team member hats on:
On Fri, 18 Jul 2025 at 16:50:19 +0200, Yves-Alexis Perez wrote:
polkit-gnome is what I currently use (I have policykit-1-gnome installed) but
I understand that it's going away so it's not a good candidate.
It isn't so much that it's going away as that it has already gone away:
it was removed from trixie and unstable back in January. It has been
dead upstream for 10+ years: it was a core component in GNOME 2, but in
GNOME 3 it was obsoleted by the integrated polkit agent in gnome-shell.
If xfce-polkit was actually maintained upstream and integrated under the Xfce
project umbrella it would make a lot of sense (even though it's a bit of a
duplicate with mate-polkit).
This is a question for XFCE (upstream and in Debian), I have no horse in
this race; for forky I'd be equally happy with XFCE pulling in
xfce-polkit or mate-polkit or some maintained third thing.
From my point of view as a polkit co-maintainer, what I want is that
each high-quality desktop environment pulls in a polkit agent, with
appropriate OnlyShowIn/NotShowIn to get started by that DE, so that
polkit-using services like flatpak and systemd can work as expected.
Meanwhile, from my point of view as a GNOME team member, what I want is
to be able to (continue to) remove unmaintained ex-GNOME components,
so that our users aren't misled into thinking they have the quality and
maintenance status of current GNOME (or current XFCE for that matter).
Any dependency would solve the issue of users ending up with no
authentication agent.
At that point I'm likely to use:
Recommends: mate-polkit | polkit-1-auth-agent
For trixie, this would be better than nothing, but a concern that I have
about this is that tasksel offers our users the opportunity to install
multiple desktop environments (and this is a scenario that #debian-cd
actively tests, when we do stable releases: "install all desktop
environments" is part of at least one of the scenarios on our
checklist). If a user installs XFCE and some other desktop (let's say
GNOME), will this result in mate-polkit getting installed, or will apt
see that gnome-shell Provides polkit-1-auth-agent and think "oh that's
fine, I don't need mate-polkit" (leaving XFCE with only partial
functionality), or will it be non-deterministic?
So to avoid that failure mode, I would prefer something more like
Recommends: mate-polkit | xfce-polkit
or for trixie, maybe even just
Recommends: mate-polkit
so that, whatever other desktop environments are co-installed, by
default XFCE will have the expected functionality.
Of course because this is a Recommends and not a Depends, advanced users
can still uninstall this, at their own risk (but "they get to keep both
pieces").
For forky this can be swapped to xfce-polkit | mate-polkit if the XFCE
team decides that would be better.
The polkit-1-auth-agent virtual package is not actually very useful -
perhaps it was a better fit 20 years ago, when "most" desktop
environments would be using policykit-1-gnome because it was the only
auth agent that existed, but that just isn't the shape of the ecosystem
any more. After trixie is released, one of the items on my increasingly
long "beginning of forky cycle" todo list is to start a conversation
about how to represent "needs a suitable $foo for the current desktop
environment" in dependencies, for values of $foo that include polkit
auth agents, o.fd.Notifications implementations, xdg-desktop-portal
backends and probably more. This might take the form of new virtual
packages that look less like Depends: polkit-1-auth-agent (implemented
by xfce-polkit and others), and more like Recommends:
desktop-with-polkit-1-auth-agent (implemented by xfce4 and others).
smcv
Reply to: