path: root/debian/changelog

policykit-1 (122-3) unstable; urgency=medium

  * d/polkitd.postinst: Stop polkitd before changing home directory.
    usermod will refuse to change the home directory if a polkitd process
    is running as the polkitd uid, so stop polkitd if necessary, and also
    don't fail if usermod can't change the home directory in an existing
    installation (which is non-critical anyway). (Closes: #1030154)

 -- Simon McVittie <smcv@debian.org>  Tue, 31 Jan 2023 22:05:24 +0000

policykit-1 (122-2) unstable; urgency=medium

  [ Debian Janitor ]
  * d/changelog: Trim trailing whitespace
  * d/upstream/metadata: Update URLs for Bug-Database, Bug-Submit

  [ Simon McVittie ]
  * Update how we assign root-equivalent groups
    - d/p/debian/50-default.rules-Replace-wheel-group-with-sudo-group.patch,
      d/rules:
      Set up Debian's default root-equivalent group 'sudo' in
      50-default.rules rather than in 40-debian-sudo.rules. This ensures
      that users of polkitd-pkla can override it by configuring admin
      identities the old way. Previously, because 40-debian-sudo.rules was
      earlier in the sequence than 49-polkit-pkla-compat.rules, it would
      take precedence and the admin identities from polkitd-pkla were
      ignored. (Closes: #1023393)
      By default, polkitd-pkla does not provide any admin identities,
      which means we behave as though polkitd-pkla was not installed at all,
      and fall back to the sudo group defined in 50-default.rules.
    - d/p/debian/05_revert-admin-identities-unix-group-wheel.patch:
      Drop patch, superseded by the one described above
    - d/rules: When built for Ubuntu, also install an Ubuntu-specific file
      sequenced after 49-polkit-pkla-compat.rules but before
      50-default.rules, which treats both the 'sudo' group and the legacy
      'admin' group as root-equivalent.
  * Replace /etc/pam.d/polkit-1 with /usr/lib/pam.d/polkit-1.
    /usr/lib/pam.d has been supported since at least 1.4.0 (Debian 11),
    so we can make this an ordinary packaged file instead of a conffile.
    Local sysadmin overrides can still be done via /etc/pam.d/polkit-1
    as before.
    This sidesteps dpkg's inability to keep track of a conffile when it is
    moved from one package to another (#399829, #645849, #163657, #595112).
    (Closes: #1006203)
  * postinst: Only clean up config directories if not owned.
    If we only have polkitd installed, then we want to clean up the obsolete
    directory /etc/polkit-1/localauthority.conf.d on upgrade, but if we
    have polkitd-pkla installed, then it owns that directory and we should
    not remove it. (Closes: #1026425)
  * d/policykit-1.dirs: Continue to own some legacy directory names.
    Having the transitional package continue to own these directories until
    it has had a chance to clean up obsolete conffiles will silence warnings
    from dpkg about inability to remove them. (Closes: #1027420)
  * d/polkitd.postrm: Clean up /var/lib/polkit-1 on purge.
    If /var/lib/polkit-1 was the polkitd user's home directory, then it
    might contain a .cache subdirectory; clean that up too.
  * Create polkitd user with home directory /nonexistent in new installations.
    This will prevent it from creating detritus in /var/lib/polkit-1.
  * polkitd.postinst: Change polkitd home directory to /nonexistent on upgrade
  * Remove version constraints unnecessary since buster (oldstable)
  * Update standards version to 4.6.2 (no changes needed)

 -- Simon McVittie <smcv@debian.org>  Fri, 20 Jan 2023 13:22:24 +0000

policykit-1 (122-1) unstable; urgency=medium

  * d/watch: Fix handling of polkit-pkla-compat
  * d/watch: Monitor Gitlab releases instead of fd.o web server
  * New upstream release
  * Drop patches that were included in the new upstream release

 -- Simon McVittie <smcv@debian.org>  Fri, 28 Oct 2022 18:36:30 +0100

policykit-1 (121+compat0.1-6) unstable; urgency=medium

  * d/polkitd.examples: Really install the example rules mentioned in NEWS
  * d/control: Explicitly build-depend on docbook-xsl.
    polkit-pkla-compat needs this for the man pages, which cannot currently
    be disabled, so it is not marked as <!nodoc> (and neither is xsltproc).
  * Only build API documentation if policykit-1-doc is built.
    It doesn't need to be built when we're doing an architecture-specific
    build, and we can also mark it with the <!nodoc> build-profile (although
    that's not particularly useful in this case because it's the only
    arch-indep binary package).

 -- Simon McVittie <smcv@debian.org>  Thu, 13 Oct 2022 21:05:11 +0100

policykit-1 (121+compat0.1-5) unstable; urgency=medium

  * Release to unstable (Closes: #946231, #1018897)

 -- Simon McVittie <smcv@debian.org>  Thu, 13 Oct 2022 10:46:03 +0100

policykit-1 (121+compat0.1-4) experimental; urgency=medium

  * d/polkitd.postinst: Consistently indent with spaces
  * d/polkitd.postinst: Quote defensively
  * d/polkitd.postinst: Don't explicitly restart the systemd service.
    dh_installsystemd does this for us anyway.
  * d/polkitd.postinst: Make sure message bus policy is reloaded if needed.
    If we created or modified the polkitd user, then we need to refresh
    dbus-daemon's cached policy to take that user into account, otherwise
    polkitd will fail to start. This fixes an autopkgtest failure.
  * d/polkitd.postinst: Stop polkitd when not using systemd.
    On non-systemd systems, polkitd is a traditional D-Bus service and is
    not managed by a service manager, so the way to ensure we are running
    the upgraded version is to stop it and let the D-Bus system bus activate
    a new copy next time it is used.
  * Install a sysusers.d(5) fragment to set up the system user.
    This allows use of polkit without adduser on systems that have either
    systemd or systemd-standalone-sysusers.
  * d/polkitd.tmpfiles: Provide a tmpfiles.d(5) fragment for our directories
  * Add another override for man pages not matching Lintian expectations
  * d/rules: Build with hardening=+bindnow
  * Add doc-base metadata for the reference manual

 -- Simon McVittie <smcv@debian.org>  Mon, 10 Oct 2022 15:00:55 +0100

policykit-1 (121+compat0.1-3) experimental; urgency=medium

  * Merge content of polkitd-javascript into polkitd.
    Keep the polkitd-javascript package as a transitional package.

 -- Simon McVittie <smcv@debian.org>  Wed, 28 Sep 2022 12:19:38 +0100

policykit-1 (121+compat0.1-2) experimental; urgency=medium

  * Add a NEWS file describing the change of security policy format
  * d/control: policykit-1 Recommends polkitd-pkla.
    This arranges for upgrades from Debian 11 to install polkitd-pkla by
    default, preserving previous functionality, while also allowing it to
    be removed for legacy-free systems.
  * d/pkla/: Remove, no longer installed or used
  * d/example-rules: Add some examples of the JavaScript rules format
  * d/changelog: Merge changelog entries from testing/unstable, in
    preparation for uploading this branch to unstable

 -- Simon McVittie <smcv@debian.org>  Wed, 14 Sep 2022 21:33:22 +0100

policykit-1 (121+compat0.1-1) experimental; urgency=medium

  * Restructure the package to use upstream project polkit-pkla-compat
    for compatibility with 0.105 and older versions.
    - polkitd-javascript is now the only implementation of polkitd.
      The packages will probably be merged in a future upload, but keep
      them separate for now as a contingency plan.
    - polkitd-pkla now Depends on polkitd-javascript instead of having
      Breaks/Replaces on it. It's now an addon for polkitd-javascript,
      which calls out to an external helper program to check authorization
      against the old pklocalauthority(8) configuration files.
    - polkitd-javascript: Ensure that the polkitd user has a primary group.
      The polkit-pkla-compat package wants its directories to be owned by
      root:polkitd, which will only work if the polkitd user has a
      corresponding polkitd group.
    - Add polkit-pkla-compat as a secondary upstream tarball
    - Build polkit-pkla-compat instead of a PKLA build of polkitd
    - Drop patches that reinstated the ability to do a PKLA build of polkitd
  * d/p/polkitbackendduktapeauthority.c-Print-the-error-string-we.patch:
    Add patch from upstream to display error string as intended
  * d/control: Explicitly build-depend on xml-core, for its dh addon
  * d/copyright: Update
  * Update Lintian overrides
  * Standards-Version: 4.6.1 (no changes required)
  * d/tests: Skip if dbus-daemon is not running and cannot be started
  * Try harder to clean up obsolete conffiles

 -- Simon McVittie <smcv@debian.org>  Thu, 01 Sep 2022 15:59:38 +0100

policykit-1 (121-2) experimental; urgency=medium

  [ Michael Biebl ]
  * Use dh-sequence-gir Build-Depends to enable the gir addon
  * Remove no longer needed dh option.
    Upstream has removed the autotools based build system so we no longer
    need to tell dh which build system to use.
  * Remove workaround for missing mocklibc

  [ Simon McVittie ]
  * d/copyright: Reinstate entry for test/mocklibc
  * d/polkitd.install: Really install the XML catalog entry
  * d/rules: Enable xml-core dh sequence
  * d/catalog.xml: Fix basename of DTD

 -- Simon McVittie <smcv@debian.org>  Sat, 23 Jul 2022 16:04:32 +0100

policykit-1 (121-1) experimental; urgency=medium

  * New upstream release
  * d/copyright: Update
  * Drop patches that were applied upstream
  * Refresh remaining patches
  * d/control: Build-depend on duktape instead of mozjs
  * Install policyconfig-1.dtd in polkitd package, with an XML catalog
    entry (Closes: #872615)
  * d/watch: Use Gitlab tags to watch for new releases for now.
    Subsequent releases will be done via the Gitlab releases feature, but
    it's not immediately obvious what form that will take.
  * Add patch from upstream to install rules.d defaults in /usr/share.
    This brings us one step closer to the "empty /etc is valid" model.
  * d/rules: Install sudo and Ubuntu admin rules into /usr/share, too.
    This avoids these files having to be conffiles that vary between
    distros.
  * d/upstream/metadata: Add
  * d/polkitd.docs: Update

 -- Simon McVittie <smcv@debian.org>  Sat, 16 Jul 2022 20:17:46 +0100

policykit-1 (0.120-6) experimental; urgency=medium

  * Add patch from Fedora to fix denial of service via fd exhaustion
    (CVE-2021-4115; Closes: #1005784)

 -- Simon McVittie <smcv@debian.org>  Fri, 18 Feb 2022 10:04:56 +0000

policykit-1 (0.120-5) experimental; urgency=medium

  * d/*.postinst: Correct package names in initial comments
  * d/policykit-1.bug-control: Correct name of Submit-As field

 -- Simon McVittie <smcv@debian.org>  Wed, 09 Feb 2022 11:42:38 +0000

policykit-1 (0.120-4) experimental; urgency=medium

  * d/control: Change descriptions to refer to polkit.
    According to NEWS, the official name of the project has been polkit
    since 2012, and perhaps earlier.
  * d/patches: Use upstream's finalized patch for CVE-2021-4034.
    The patch that was provided to distributors under embargo was not the
    final version: it used a different exit status, and made an attempt to
    show help. The version that was actually committed after the embargo
    period ended interprets argc == 0 as an attack rather than a mistake,
    and does not attempt to show the help message.
  * d/patches: Move Debian-specific patches to d/p/debian/.
    This makes it clearer that these are not intended to go upstream.
  * Split policykit-1 into polkitd and pkexec packages.
    pkexec is a setuid program, which makes it a higher security risk than
    the more typical IPC-based uses of polkit. If we separate out pkexec
    into its own package, then only packages that rely on being able to run
    pkexec will have to depend on it, reducing attack surface for users
    who are able to remove the pkexec package.
  * Reinstate the .pkla backend as a separate binary package.
    Upstream polkit switched its authorization rule syntax from .ini-style
    .pkla files to JavaScript in version 0.106. Debian has historically used
    a fork of the last .pkla-based version, but this was becoming
    unsustainable: bug fixes from subsequent upstream versions were either
    applied as patches, or missing from the Debian package.
    The "local authority" code that implements .pkla files is not actually
    all that large, so patching it into a modern upstream version is a
    much smaller task than patching modern upstream bug fixes into an old
    upstream version.
    For this upload to experimental, keep both the JavaScript backend and the
    .pkla backend intact, by compiling polkitd twice with different options.
    This lets us preserve existing functionality of upstream and experimental
    polkit (with the more powerful JavaScript-based rules, which can base
    their authorization decisions on service-specific information like the
    name of a systemd unit), while also having the opportunity to evaluate
    polkitd-pkla as a more direct replacement for what's in bookworm.
  * Adjust Lintian override syntax
  * Add Debian-specific man pages for polkitd-pkla
  * d/copyright: Update
  * Always configure the sudo group as root-equivalent.
    This avoids Debian derivatives getting an unexpected change in behaviour
    when they switch from inheriting Debian's policykit-1 package to
    building their own policykit-1 package, perhaps as a result of wanting
    to apply an unrelated patch.
    The sudo group is defined to be root-equivalent in base-passwd, so this
    should be equally true for all Debian derivatives.
    (Closes: utopia-team/polkit!3; thanks to Arnaud Rebillout)

 -- Simon McVittie <smcv@debian.org>  Sat, 05 Feb 2022 10:49:54 +0000

policykit-1 (0.120-3) experimental; urgency=high

  * d/p/Avoid-local-privilege-escalation-in-polkit-s-pkexec.patch:
    Apply embargoed patch for local privilege escalation (CVE-2021-4034)

 -- Simon McVittie <smcv@debian.org>  Mon, 24 Jan 2022 14:09:42 +0000

policykit-1 (0.120-2) experimental; urgency=medium

  * d/rules: Extend timeout for unit tests.
    Meson's default 30 second timeout is uncomfortably short even on x86,
    and too short on e.g. mips.

 -- Simon McVittie <smcv@debian.org>  Thu, 28 Oct 2021 12:52:02 +0100

policykit-1 (0.120-1) experimental; urgency=medium

  * New upstream release
  * Drop patches that were applied upstream
  * Depend on default-dbus-system-bus | dbus-system-bus instead of dbus.
    We need the system bus: let's be specific about that. This will allow
    dbus-broker to be substituted for dbus, if desired.
  * Build-depend on dbus-daemon instead of dbus.
    We only need dbus-run-session at build time; we don't need a
    fully-working system bus.
  * debian/missing/docs: Remove extra copy of documentation.
    This is in the new upstream release.
    - d/source/include-binaries: Remove, no longer needed
  * d/p/Don-t-pass-positional-parameters-to-i18n.merge_file.patch:
    Add patch to fix FTBFS with Meson 0.60.0
  * Standards-Version: 4.6.0 (no changes required)
  * Use d/watch format version 4

 -- Simon McVittie <smcv@debian.org>  Tue, 26 Oct 2021 12:11:24 +0100

policykit-1 (0.119-1) experimental; urgency=medium

  * New upstream release
    - Fixes local privilege escalation involving
      polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
      (Closes: #989429)
  * d/missing, d/rules: Work around missing docs/polkit/overview.xml etc.
    in 0.119 tarball
  * Build using Meson
  * d/p/build-Remove-redundant-computation-of-dbus-data-directory.patch,
    d/p/build-Don-t-require-dbus-development-files.patch,
    d/p/meson_post_install-Use-geteuid-instead-of-getpass.patch,
    d/p/meson_post_install-Don-t-fail-if-the-polkitd-user-doesn-t.patch,
    d/p/meson_post_install-If-installation-steps-are-skipped-say-.patch,
    d/p/meson_post_install-Don-t-install-pkexec-group-writable.patch,
    d/p/meson_post_install-Don-t-make-programs-setuid-if-we-are-n.patch,
    d/p/meson_post_install-Respect-DESTDIR-for-absolute-paths.patch,
    d/p/build-Make-the-directory-for-helper-executables-consisten.patch:
    Add some patches to improve the Meson build system
  * d/missing, d/rules: Get mocklibc into the right layout for the build
  * Stop providing static libraries.
    The Meson build infrastructure only supports shared libraries, and the
    static libraries built by Autotools were already not particularly
    useful, because they indirectly depend on the libmount shared library.

 -- Simon McVittie <smcv@debian.org>  Fri, 04 Jun 2021 19:49:26 +0100

policykit-1 (0.118-2) experimental; urgency=medium

  [ Helmut Grohne ]
  * Annotate Build-Depends: dbus <!nocheck> (Closes: #980998)

  [ Michael Biebl ]
  * Remove old maintscript migration code from pre-oldstable
  * Use --restart-after-upgrade.
    With debhelper 13.1, --no-start will disable --restart-after-upgrade.
    Since we want the service to be restarted on upgrades, request that
    explicitly.
    See #959678

  [ Simon McVittie ]
  * d/rules: Remove --libexecdir override.
    This has no practical effect: the upstream build system no longer uses
    the libexec directory.
  * d/rules: Remove redundant dh_missing --fail-missing override.
    This is the default in dh compat level 13.

 -- Simon McVittie <smcv@debian.org>  Fri, 16 Apr 2021 11:34:06 +0100

policykit-1 (0.118-1) experimental; urgency=medium

  * New upstream release
    - Drop patch that was applied upstream
  * d/control: Update build-dependency to mozjs78

 -- Simon McVittie <smcv@debian.org>  Sun, 27 Sep 2020 21:06:09 +0100

policykit-1 (0.117-1) experimental; urgency=medium

  * New upstream release
  * Rebase patches
  * Bump Standards-Version to 4.5.0
  * Add polkitbackendjsauthoritytest-wrapper.py to release tarball
  * Add python3-dbusmock to Build-Depends and mark it <!nocheck>.
    Required by test/polkitbackend/polkitbackendjsauthoritytest-wrapper.py
  * Bump debhelper-compat to 13
  * Add symlink for polkit-agent-helper-1 after the move to /usr/libexec.
    Support upgrades from 0.105-27 (and later versions in unstable), which
    moved the private binaries from /usr/lib/policykit-1 to /usr/libexec.
    (Closes: #965210)

 -- Michael Biebl <biebl@debian.org>  Mon, 03 Aug 2020 15:42:56 +0200

policykit-1 (0.116-3) experimental; urgency=medium

  * Team upload.
  * Port to mozjs-68 (Closes: #961279)

 -- Laurent Bigonville <bigon@debian.org>  Wed, 22 Jul 2020 11:59:43 +0200

policykit-1 (0.116-2) experimental; urgency=medium

  [ Mark Hindley ]
  * Depend on new virtual packages default-logind and logind
    (Closes: #923240)

  [ Simon McVittie ]
  * d/*.symbols: Add Build-Depends-Package metadata
  * d/policykit-1.lintian-overrides: Override systemd unit false positives.
    The systemd unit is only for on-demand D-Bus activation, and is not
    intended to be started during boot, so an [Install] section and a
    parallel LSB init script are not necessary.
  * d/policykit-1.bug-control: Add systemd, elogind versions to bug reports.
    reportbug doesn't currently seem to interpret
    "Depends: default-logind | logind" as implying that it should include
    the version number of the package that Provides logind in bug reports.
    Workaround for #934472.
  * Standards-Version: 4.4.0 (no changes required)
  * Switch to debhelper-compat 12

 -- Simon McVittie <smcv@debian.org>  Sun, 11 Aug 2019 18:56:22 +0100

policykit-1 (0.116-1) experimental; urgency=medium

  * New upstream release
    - Document polkit_subject_equal() as unsuitable for security decisions
      (CVE-2019-6133)
    - Allow process uid to be unset again, fixing a regression in the
      solution for #915332
    - Port the JS authority to mozjs-60 (Closes: #917309)
    - Fix some resource leaks
    - Documentation and debug message fixes
  * Drop patch for #915332, applied upstream
  * Standards-Version: 4.3.0 (no changes required)
  * Set experimental branch in Vcs-Git
  * Change the policykit-1 package from Architecture: any to
    Architecture: linux-any, and remove the consolekit [!linux-any]
    dependency. polkit no longer has any backends for non-Linux.
    (Closes: #918446)

 -- Simon McVittie <smcv@debian.org>  Wed, 01 May 2019 08:24:29 +0100

policykit-1 (0.115-3) experimental; urgency=medium

  * Allow negative uids/gids in PolkitUnixUser and Group objects.
    Fixes a vulnerability in PolicyKit that allows a user with a uid greater
    than INT_MAX to successfully execute arbitrary polkit actions.
    (CVE-2018-19788, Closes: #915332)

 -- Michael Biebl <biebl@debian.org>  Fri, 07 Dec 2018 20:17:15 +0100

policykit-1 (0.115-2) experimental; urgency=medium

  [ Simon McVittie ]
  * d/gbp.conf: Set patch-numbers to false to match current practice

  [ Michael Biebl ]
  * Switch to dh_missing and abort on uninstalled files
  * Move D-Bus policy file to /usr/share/dbus-1/system.d/
    To better support stateless systems with an empty /etc, the old location
    in /etc/dbus-1/system.d/ should only be used for local admin changes.
    Package provided D-Bus policy files are supposed to be installed in
    /usr/share/dbus-1/system.d/.
    This is supported since dbus 1.9.18.
  * Remove obsolete conffile
    /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf on upgrades
  * Bump Standards-Version to 4.2.1
  * Remove Breaks for versions older than oldstable
  * Stop masking polkit.service during the upgrade process.
    This is no longer necessary with the D-Bus policy file being installed
    in /usr/share/dbus-1/system.d/. (Closes: #902474)
  * Use dh_installsystemd to restart polkit.service after an upgrade.
    This replaces a good deal of hand-written maintscript code.
  * Remove upgrade code which changes the home directory of the polkitd user

 -- Michael Biebl <biebl@debian.org>  Tue, 27 Nov 2018 21:53:12 +0100

policykit-1 (0.115-1) experimental; urgency=medium

  * New upstream version 0.115
    - Fixes CVE-2018-1116 (Closes: #903563)
    - d/p/jsauthority-pass-s-format-string-to-remaining-report.patch:
      Drop, applied upstream
  * d/watch: Use https
  * d/watch: Download upstream PGP signatures
  * debian/upstream/signing-key.asc: Add public keys for Ray Strode,
    Miloslav Trmac, David Zeuthen
  * d/gbp.conf: Merge upstream tags into the upstream branch
  * Add myself to Uploaders
  * d/libpolkit-gobject-1-0.symbols: Update for new semi-private ABI
  * d/rules: Skip build-time tests if DEB_BUILD_OPTIONS=nocheck
  * Standards-Version: 4.1.5 (no changes required)
  * Set Rules-Requires-Root to no

 -- Simon McVittie <smcv@debian.org>  Wed, 11 Jul 2018 12:24:20 +0100

policykit-1 (0.114-1) experimental; urgency=medium

  [ Michael Biebl ]
  * New upstream version 0.114
  * Rebase patches
  * Switch to mozjs 52 (Closes: #863784)
  * Drop -Wl,--no-as-needed, no longer necessary
  * jsauthority: pass "%s" format string to remaining report function
  * Add Provides to gir1.2-polkit-1.0 to reflect its contents

  [ Martin Pitt ]
  * debian/copyright: Use https URL for Format:
  * Update Vcs-* links for move to salsa.debian.org.
  * Move to debhelper compat level 10.
    Remove explicit dh-autoreconf, it's now done by default.
  * Bump Standards-Version to 4.1.3
  * Add autopkgtest.
    This covers the pkaction and pkcheck CLI tools.

 -- Michael Biebl <biebl@debian.org>  Mon, 09 Apr 2018 22:31:58 +0200

policykit-1 (0.113-6) experimental; urgency=medium

  * master/Add-gettext-support-for-.policy-files.patch: Backport from master:
    Add .loc and .its files so that gettext can be used to translate policy
    files. Some upstreams, particularly those that are switching to meson,
    expect these files to be present so that their PK policy files can be
    translated. (Closes: #863207)

 -- Iain Lane <laney@debian.org>  Wed, 24 May 2017 16:11:01 +0100

policykit-1 (0.113-5) experimental; urgency=medium

  [ Simon McVittie ]
  * Build-depend on intltool instead of relying on gtk-doc-tools'
    dependency (Closes: #837846)

  [ Michael Biebl ]
  * Use https:// for the upstream homepage.
  * Update Vcs-Browser to use cgit.
  * Drop the polkitd.service Alias. The version in unstable, based on 0.105,
    now also uses the name polkit.service for the systemd service unit.

  [ Martin Pitt ]
  * Use PAM's common-session-noninteractive modules for pkexec instead of
    common-session. The latter also runs pam_systemd (the only difference
    normally) which is a no-op under the classic session-centric
    D-BUS/graphical login model (as it won't start a new one if it is already
    running within a logind session), but very expensive when using
    dbus-user-session and being called from a service that runs outside the
    PAM session. This causes long delays in e. g. gnome-settings-daemon's
    backlight helpers. (LP: #1626651)

 -- Michael Biebl <biebl@debian.org>  Fri, 21 Oct 2016 16:28:30 +0200

policykit-1 (0.113-4) experimental; urgency=medium

  [ Simon McVittie ]
  * Run tests with a session bus pretending to be the system bus,
    so they can pass in a buildd environment

  [ Michael Biebl ]
  * Create our custom rules files in debian/tmp so we don't FTBFS for
    binary-indep builds and run dh_install after that.
  * Run wrap-and-sort -ast.
  * Bump Standards-Version to 3.9.8.

 -- Michael Biebl <biebl@debian.org>  Sat, 16 Apr 2016 14:46:18 +0200

policykit-1 (0.113-3) experimental; urgency=medium

  * Generate tight inter-package dependencies.
    This ensures that everything from the same source package is upgraded in
    lockstep. (Closes: #817998)
  * Drop obsolete Breaks from pre-wheezy.

 -- Michael Biebl <biebl@debian.org>  Thu, 14 Apr 2016 14:15:09 +0200

policykit-1 (0.113-2) experimental; urgency=medium

  [ Simon McVittie ]
  * policykit-1.links: statically alias polkit.service (upstream's name)
    as polkitd.service (Debian's historical name)

  [ Martin Pitt ]
  * debian/policykit-1.{pre,post}inst: Temporarily mask polkit.service while
    policykit-1 is unpackaged but not yet configured. During that time we
    don't yet have our D-Bus policy in /etc so that polkitd cannot work yet.
    This can be dropped once the D-Bus policy moves to /usr.
    (Closes: #794723, LP: #1447654)

 -- Martin Pitt <mpitt@debian.org>  Wed, 21 Oct 2015 08:28:11 +0200

policykit-1 (0.113-1) experimental; urgency=medium

  * Team upload.

  [ Martin Pitt ]
  * policykit-1.postinst: Don't kill polkitd under systemd, but properly
    restart it. This avoids killing it shortly after systemd tries to
    bus-activate it on installation. (LP: #1447654)

  [ Simon McVittie ]
  * Disable silent build rules. (Previously done in Ubuntu, although
    it seems to have been lost in a merge somewhere.)
  * New upstream release
    - drop most patches: they either came from upstream, or have been
      merged upstream
    - add new function to symbols file
    - fixes CVE-2015-4625, CVE-2015-3218, CVE-2015-3255, CVE-2015-3256
  * Annotate remaining patches with a bit more information. They are:
    - 01_pam_polkit.patch: use Debian's common-* infrastructure,
      plus pam_env to get the global environment and locale.
      Debian-specific.
    - 02_gettext.patch: Use gettext to translate .policy files at
      runtime, allowing for Ubuntu-style language packs.
      Debian-specific (mainly for Ubuntu's benefit, really).
    - 05_revert-admin-identities-unix-group-wheel.patch: Debian does
      not use the "wheel" group like Red Hat derivatives do;
      treat uid 0 as the administrative identity instead.
      Debian-specific.
    - 08_chdir_root.patch: Explicitly use chdir("/") instead of
      relying on user's home in `getent passwd` being set properly.
      Potentially upstreamable?
  * policykit-1.postinst: restart polkit.service, not polkitd.service
    (which doesn't exist)

 -- Simon McVittie <smcv@debian.org>  Fri, 03 Jul 2015 13:33:59 +0100

policykit-1 (0.112-5) experimental; urgency=medium

  * Team upload.
  * Go back to mozjs 1.8.5, like the version in unstable: mozjs 17 has
    been removed from Debian, and mozjs 24 requires significant upstream
    changes and no longer has a C API (Closes: #776744)
  * Add a symlink so the old library can run the new agent helper
    (Closes: #699447)
  * Add patch from upstream to work around older versions of libpam-systemd
    which would give root processes the real uid's XDG_RUNTIME_DIR
    under su; it shouldn't be necessary any more, but is harmless
    (Closes: #772125)
  * Replace 03_complete_session.patch with a change from upstream
    which seems like a more correct solution for LP#445303, LP#649939
  * Add patches from upstream to treat background processes as part of
    the same uid's active GUI session if any, fixing use of
    dbus-user-session (Closes: #779988)
  * Add patches from upstream to fix some memory leaks (Closes: #775158,
    LP: #1417637)
  * Add patch from upstream to fix redundant removal of an event source
  * Add patch to use libsystemd instead of the libsystemd-login compat
    library (Closes: #779756)

 -- Simon McVittie <smcv@debian.org>  Tue, 31 Mar 2015 18:13:28 +0100

policykit-1 (0.112-4) experimental; urgency=medium

  [ Andreas Henriksson ]
  * Install typelib files into MA libdir.

  [ Martin Pitt ]
  * Rebuild against libsystemd0. This drops the last remaining dependency to
    libsystemd-login0. (Closes: #771281)
  * Bump Standards-Version to 3.9.6 (no changes necessary).

 -- Martin Pitt <mpitt@debian.org>  Fri, 28 Nov 2014 10:15:06 +0100

policykit-1 (0.112-3) experimental; urgency=medium

  * Team upload.
  * debian/rules: Really enable logind support on linux architectures only
  * debian/control: Use canonical VCS-* URL's
  * debian/control: Bump Standards-Version to 3.9.5 (no further changes)
  * debian/control: Depends against libpam-systemd instead of just systemd
  * debian/control: Add a Breaks against gdm3 (<< 3.8.4-7~) to ensure it
    registers a logind session properly (Closes: #745983)
  * debian/policykit-1.postinst: Explicitly set a home directory for the
    polkitd user (Closes: #748981)

 -- Laurent Bigonville <bigon@debian.org>  Sun, 07 Sep 2014 14:22:54 +0200

policykit-1 (0.112-2) experimental; urgency=low

  * Use logind on linux and consolekit on non-linux
  * Update to mozjs17

 -- Sjoerd Simons <sjoerd@debian.org>  Fri, 01 Nov 2013 21:36:55 +0100

policykit-1 (0.112-1) experimental; urgency=low

  * New upstream release.
    - Fixes CVE-2013-4288, unix-process subject for authorization is racy.
      (Closes: #723717)
  * Remove 00git_pkexec_pam_env.patch and 09_link_libmozjs.patch, both merged
    upstream.
  * Drop explicit Build-Depends on gir1.2-glib-2.0.
  * Bump Standards-Version to 3.9.4. No further changes.

 -- Michael Biebl <biebl@debian.org>  Thu, 19 Sep 2013 17:39:54 +0200

policykit-1 (0.110-3) experimental; urgency=low

  [ Martin Pitt ]
  * Add 00git_pkexec_pam_env.patch: pkexec: Set process environment from
    pam_getenvlist(). Backported from upstream git head.
  * 01_pam_polkit.patch: Adjust patch to invoke pam_env, so
    our global settings from /etc/default/locale are applied correctly.
    Thanks Steve Langasek!

  [ Michael Biebl ]
  * Use gir addon instead of calling dh_girepository manually.

 -- Michael Biebl <biebl@debian.org>  Mon, 03 Jun 2013 05:54:32 +0200

policykit-1 (0.110-2) experimental; urgency=low

  * When cleaning up /etc/polkit-1/nullbackend.conf.d/ and
    /etc/polkit-1/localauthority.conf.d/ don't fail if those directories have
    already been removed. (Closes: #698085)

 -- Michael Biebl <biebl@debian.org>  Mon, 14 Jan 2013 06:01:36 +0100

policykit-1 (0.110-1) experimental; urgency=low

  * New upstream release.
  * Drop patches which have been merged upstream.
  * Drop debian/clean, no longer necessary.

 -- Michael Biebl <biebl@debian.org>  Wed, 09 Jan 2013 21:40:35 +0100

policykit-1 (0.109-1) experimental; urgency=low

  * New upstream release. (Closes: #689473)
  * Update Build-Depends:
    - Bump libglib2.0-dev to (>= 2.30.0).
    - Add libmozjs185-dev for the JS rules support.
  * Remove polkitbackend library.
  * Use systemd service file provided by upstream.
  * Reload systemd as the name of the .service file has changed.
  * Update policykit-1.install:
    - Private binaries have been moved to /usr/lib/polkit-1.
    - The extension system has been removed.
    - The .pkla files are gone and so is /var/lib/polkit-1.
  * Remove obsolete conffiles and the corresponding (empty) directories on
    upgrades.
  * Convert the old localauthority conf files to the new JavaScript based
    rules file format and make sure it is executed before 50-default.rules.
  * Refresh patches to apply without fuzz.
  * The polkitd daemon now runs as unprivileged polkitd user instead of root.
    Create this system user in postinst and change the directory permissions
    accordingly so the daemon has access to the rules files.
  * debian/patches/08_chdir_root.patch: Explicitly use chdir("/") instead of
    relying on $HOME being set properly.
  * Since /etc/polkit-1/rules.d/50-default.rules is a proper conffile, remove
    the comment from upstream that changes to that file are not preserved on
    upgrades. (Closes: #580634)
  * debian/patches/09_link_libmozjs.patch: Explicitly link against libmozjs,
    even if that library is dlopenend as we want to have a proper shlibs
    dependency.
  * Use --no-as-needed flag to ensure the linker doesn't remove the libmozjs
    dependency.
  * Use dh-autoreconf to update the build system.
  * Update the Homepage: field.

 -- Michael Biebl <biebl@debian.org>  Mon, 07 Jan 2013 23:59:52 +0100

policykit-1 (0.105-33) unstable; urgency=medium

  * d/p/0.121/CVE-2021-4115-GHSL-2021-077-fix.patch:
    Attribute CVE-2021-4115 patch to its author.
    Move it into debian/patches/0.121 to indicate that it is a backport from
    upstream git, expected to be included in 0.121.
  * d/p/Fix-a-crash-when-authorization-is-implied.patch:
    Add patch to fix a crash when one authorization implies another

 -- Simon McVittie <smcv@debian.org>  Sat, 26 Feb 2022 11:11:57 +0000

policykit-1 (0.105-32) unstable; urgency=medium

  * Use upstream patch for CVE-2021-3560.
    This patch was included in 0.119, so move it into the 0.119/ directory
    in the patch series.
  * d/patches: Use upstream's finalized patch for CVE-2021-4034.
    The patch that was provided to distributors under embargo was not the
    final version: it used a different exit status, and made an attempt to
    show help. The version that was actually committed after the embargo
    period ended interprets argc == 0 as an attack rather than a mistake,
    and does not attempt to show the help message.
  * Move some Debian-specific patches into d/p/debian/.
    This makes it more obvious that they are not intended to go upstream.
  * d/control: Split the package.
    pkexec is a setuid program, which makes it a higher security risk than
    the more typical IPC-based uses of polkit. If we separate out pkexec
    into its own package, then only packages that rely on being able to run
    pkexec will have to depend on it, reducing attack surface for users
    who are able to remove the pkexec package.
  * d/control: policykit-1 Provides polkitd-pkla.
    This will give us a migration path to the separate per-backend packages
    currently available in experimental.
  * Add patch from Fedora to fix denial of service via fd exhaustion.
    CVE-2021-4115 (Closes: #1005784)
  * Standards-Version: 4.6.0 (no changes required)
  * Build-depend on dbus-daemon instead of dbus.
    We only need dbus-run-session at build time; we don't need a
    fully-working system bus.
  * Use d/watch format version 4
  * d/rules: Create localauthority configuration with install(1), not
    echo(1). This aligns the packaging a bit more closely with experimental.
  * Always configure the sudo group as root-equivalent.
    This avoids Debian derivatives getting an unexpected change in behaviour
    when they switch from inheriting Debian's policykit-1 package to
    building their own policykit-1 package, perhaps as a result of wanting
    to apply an unrelated patch.
    The sudo group is defined to be root-equivalent in base-passwd, so this
    should be equally true for all Debian derivatives.
    Thanks to Arnaud Rebillout.
  * d/polkitd.links: Create more polkit-agent-helper-1 symlinks.
    This executable has moved several times, and its path gets compiled
    into the libpolkit-agent-1-0 shared library. Making the executable
    available in all the locations it has previously had is helpful when
    swapping between versions during testing.
  * Acknowledge CVE-2021-4034 NMU. Thanks to Salvatore Bonaccorso.

 -- Simon McVittie <smcv@debian.org>  Fri, 18 Feb 2022 12:45:14 +0000

policykit-1 (0.105-31.1) unstable; urgency=high

  * Non-maintainer upload.
  * Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)

 -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 13 Jan 2022 06:34:44 +0100

policykit-1 (0.105-31) unstable; urgency=medium

  [ Salvatore Bonaccorso ]
  * d/p/CVE-2021-3560.patch:
    Fix local privilege escalation involving
    polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
    (Closes: #989429)

 -- Simon McVittie <smcv@debian.org>  Thu, 03 Jun 2021 17:06:34 +0100

policykit-1 (0.105-30) unstable; urgency=medium

  [ Helmut Grohne ]
  * Annotate Build-Depends: dbus <!nocheck> (Closes: #980998)

 -- Simon McVittie <smcv@debian.org>  Thu, 04 Feb 2021 13:56:09 +0000

policykit-1 (0.105-29) unstable; urgency=medium

  * Add symlink for polkit-agent-helper-1 after the move to /usr/libexec.
    If a process still has an old copy of libpolkit-agent-1.so.0 loaded, it
    will fail to find the binary at the new location. So create a symlink to
    prevent authentication failures on upgrades. (Closes: #965210)

 -- Michael Biebl <biebl@debian.org>  Mon, 03 Aug 2020 11:05:29 +0200

policykit-1 (0.105-28) unstable; urgency=medium

  [ TANIGUCHI Takaki ]
  * postinst: Fix polkit-agent-helper-1 path

  [ Michael Biebl ]
  * Fix polkitd path in polkit.service (Closes: #965164)
  * Use --restart-after-upgrade.
    With debhelper 13.1, --no-start will disable --restart-after-upgrade.
    Since we want the service to be restarted on upgrades, request that
    explicitly.
  * Remove old maintscript migration code from pre-oldstable

 -- Michael Biebl <biebl@debian.org>  Fri, 17 Jul 2020 10:49:51 +0200

policykit-1 (0.105-27) unstable; urgency=medium

  * Switch to /usr/libexec now that it is allowed by debian policy
  * Bump debhelper-compat to 13
  * Bump Standards-Version to 4.5.0
  * Try harder to look up the right localization.
    Fixes out-of-bounds read in _localize. (Closes: #956223)

 -- Michael Biebl <biebl@debian.org>  Fri, 17 Jul 2020 00:50:43 +0200

policykit-1 (0.105-26) unstable; urgency=medium

  [ Mark Hindley ]
  * Depend on new virtual packages default-logind and logind
    (Closes: #923240)

  [ Simon McVittie ]
  * Apply most changes from upstream release 0.116
    - d/p/0.116/Elaborate-message-printed-by-polkit-when-disconnecting-fr.patch,
      d/p/0.116/Error-message-raised-on-every-systemctl-start-in-emergenc.patch:
      Reduce messages to stderr from polkit agents, in particular when using
      "systemctl reboot" on a ssh connection or when using "systemctl start"
      in systemd emergency mode
    - d/p/0.116/Fix-a-critical-warning-on-calling-polkit_permission_new_s.patch:
      Fix critical warnings when calling polkit_permission_new_sync() with
      no D-Bus system bus
    - d/p/0.116/Possible-resource-leak-found-by-static-analyzer.patch:
      Fix a potential use-after-free in polkit agents
    - d/p/0.116/pkttyagent-PolkitAgentTextListener-leaves-echo-tty-disabl.patch:
      Re-enable echo if the tty agent is killed by SIGINT or SIGTERM
      or suspended with SIGTSTP
  * Add more bug fixes backported from earlier upstream releases
    - d/p/0.108/PolkitAgent-Avoid-crashing-if-initializing-the-server-obj.patch:
      Fix a segfault when a library user like flatpak attempts to register
      a polkit agent with no system bus available (Closes: #923046)
    - d/p/0.111/Add-a-FIXME-to-polkitprivate.h.patch:
      Make it more obvious that polkitprivate.h was never intended to be API
    - d/p/0.114/polkitpermission-Fix-a-memory-leak-on-authority-changes.patch:
      Fix a memory leak
    - d/p/0.113/PolkitSystemBusName-Retrieve-both-pid-and-uid.patch:
      Avoid a use of the deprecated polkit_unix_process_new()
  * d/*.symbols: Add Build-Depends-Package metadata
  * d/policykit-1.lintian-overrides: Override systemd unit false positives.
    The systemd unit is only for on-demand D-Bus activation, and is not
    intended to be started during boot, so an [Install] section and a
    parallel LSB init script are not necessary.
  * Stop building libpolkit-backend as a shared library.
    Its API was never declared stable before upstream removed it in
    0.106. Nothing in Debian depended on it, except for polkitd itself,
    which now links the same code statically.
    This is a step towards being able to use the current upstream release of
    polkit and patch in the old localauthority backend as an alternative to
    the JavaScript backend, instead of using the old 0.105 codebase and
    patching in essentially every change except the JavaScript backend,
    which is becoming unmanageable.
    - Remove the example null backend, which is pointless now that we've
      removed the ability to extend polkit.
    - Remove obsolete conffile 50-nullbackend.conf on upgrade
    - Remove the directory that previously contained 50-nullbackend.conf
      after upgrading or removing policykit-1
    - Remove obsolete dh_makeshlibs override for the null backend
  * d/policykit-1.bug-control: Add systemd, elogind versions to bug reports.
    reportbug doesn't currently seem to interpret
    "Depends: default-logind | logind" as implying that it should include
    the version number of the package that Provides logind in bug reports.
    Workaround for #934472.
  * Change the policykit-1 package from Architecture: any to
    Architecture: linux-any, and remove the consolekit [!linux-any]
    dependency. consolekit is no longer available in any Debian or
    debian-ports architecture, even those for non-Linux kernels.
    (Closes: #918446)
  * Standards-Version: 4.4.0 (no changes required)
  * Switch to debhelper-compat 12
    - d/control: Add ${misc:Pre-Depends}
  * Switch to dh_missing and abort on uninstalled files
    (patch taken from experimental, thanks to Michael Biebl)

 -- Simon McVittie <smcv@debian.org>  Sun, 11 Aug 2019 19:09:35 +0100

policykit-1 (0.105-25) unstable; urgency=medium

  * Team upload
  * Add tests-add-tests-for-high-uids.patch
    - Patch from upstream modified by Ubuntu to test high UID fix
  * Compare PolkitUnixProcess uids for temporary authorizations.
    - Fix temporary auth hijacking via PID reuse and non-atomic fork
      (CVE-2019-6133) (Closes: #918985)

 -- Jeremy Bicha <jbicha@debian.org>  Tue, 15 Jan 2019 11:11:58 -0500

policykit-1 (0.105-24) unstable; urgency=medium

  * Allow uid of -1 for a PolkitUnixProcess.
    Revert an overzealous change from the previous security fix that caused
    a critical to be logged when trying to set the uid property to -1 (the
    default value).

 -- Martin Pitt <mpitt@debian.org>  Tue, 15 Jan 2019 08:05:52 +0000

policykit-1 (0.105-23) unstable; urgency=high

  * Allow negative uids/gids in PolkitUnixUser and Group objects.
    Fixes a vulnerability in PolicyKit that allows a user with a uid greater
    than INT_MAX to successfully execute arbitrary polkit actions.
    (CVE-2018-19788, Closes: #915332)

 -- Michael Biebl <biebl@debian.org>  Fri, 07 Dec 2018 19:55:58 +0100

policykit-1 (0.105-22) unstable; urgency=medium

  * Move D-Bus policy file to /usr/share/dbus-1/system.d/
    To better support stateless systems with an empty /etc, the old location
    in /etc/dbus-1/system.d/ should only be used for local admin changes.
    Package provided D-Bus policy files are supposed to be installed in
    /usr/share/dbus-1/system.d/.
    This is supported since dbus 1.9.18.
  * Remove obsolete conffile
    /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf on upgrades
  * Bump Standards-Version to 4.2.1
  * Remove Breaks for versions older than oldstable
  * Stop masking polkit.service during the upgrade process.
    This is no longer necessary with the D-Bus policy file being installed
    in /usr/share/dbus-1/system.d/. (Closes: #902474)
  * Use dh_installsystemd to restart polkit.service after an upgrade.
    This replaces a good deal of hand-written maintscript code.

 -- Michael Biebl <biebl@debian.org>  Tue, 27 Nov 2018 20:17:44 +0100

policykit-1 (0.105-21) unstable; urgency=medium

  * Remove --no-parallel now that parallel builds (hopefully) work.
    Thanks to Adrian Bunk for spotting this.
  * Refresh patches via gbp pq
  * Use one patch per upstream commit for easier metadata round-trips
  * Sync up src/polkitagent/polkitagenthelper-pam.c with 0.114
    - d/p/0.111/Fix-a-memory-leak.patch:
      Fix a memory leak when PAM authentication fails
    - d/p/0.113/Remove-a-redundant-assignment.patch:
      Fix a potential compiler warning
    - d/p/master/Fix-multi-line-pam-text-info.patch:
      Split into d/p/0.106/agenthelper-pam-Fix-newline-trimming-code.patch,
      d/p/0.114/Fix-multi-line-pam-text-info.patch,
      d/p/0.114/Refactor-send_to_helper-usage.patch
  * d/p/03_polkitunixsession_sessionid_from_display.patch:
    Replace with functionally identical
    d/p/0.114/Support-polkit-session-agent-running-outside-user-session.patch
    as applied upstream
  * d/watch: Use https
  * d/watch: Download upstream PGP signatures
  * debian/upstream/signing-key.asc: Add public keys for Ray Strode,
    Miloslav Trmac, David Zeuthen
  * d/gbp.conf: Merge upstream tags into the upstream branch
  * Add myself to Uploaders
  * d/gbp.conf: Set patch-numbers to false to match current practice
  * d/p/0.115/Fix-CVE-2018-1116-Trusting-client-supplied-UID.patch:
    Backport the security-significant part of 0.115 (CVE-2018-1116)
    (Closes: #903563)
  * d/libpolkit-gobject-1-0.symbols: Update for new semi-private ABI
  * d/rules: Skip build-time tests if DEB_BUILD_OPTIONS=nocheck
  * Standards-Version: 4.1.5 (no changes required)
  * Set Rules-Requires-Root to no

 -- Simon McVittie <smcv@debian.org>  Wed, 11 Jul 2018 09:29:32 +0100

policykit-1 (0.105-20) unstable; urgency=medium

  * Team upload
  * d/p/0.108/build-Fix-.gir-generation-for-parallel-make.patch:
    Add patch from upstream to fix parallel builds (Closes: #894205)

 -- Simon McVittie <smcv@debian.org>  Tue, 27 Mar 2018 13:50:28 +0100

policykit-1 (0.105-19) unstable; urgency=medium

  * debian/copyright: Use https URL for Format:
  * Update Vcs-* links for move to salsa.debian.org.
  * Fix typos in patch descriptions.
    Fixes lintian's spelling-error-in-patch-description complaints.
  * Move to debhelper compat level 10.
    Remove explicit dh-autoreconf, it's now done by default.
  * Bump Standards-Version to 4.1.3
  * Add autopkgtest.
    This covers the pkaction and pkcheck CLI tools.

 -- Martin Pitt <mpitt@debian.org>  Mon, 26 Mar 2018 21:42:28 +0200

policykit-1 (0.105-18) unstable; urgency=medium

  * Team upload.
  * master/Add-gettext-support-for-.policy-files.patch: Backport from master:
    Add .loc and .its files so that gettext can be used to translate policy
    files. Some upstreams, particularly those that are switching to meson,
    expect these files to be present so that their PK policy files can be
    translated. (Closes: #863207)

 -- Iain Lane <laney@debian.org>  Wed, 24 May 2017 11:21:35 +0100

policykit-1 (0.105-17) unstable; urgency=medium

  [ Michael Biebl ]
  * Use https:// for the upstream homepage.
  * Update Vcs-Browser to use cgit.
  * Rename the systemd service unit to polkit.service. It is now based on what
    was added upstream in 0.106.

  [ Simon McVittie ]
  * Build-depend on intltool instead of relying on gtk-doc-tools'
    dependency (Closes: #837846)

  [ Martin Pitt ]
  * Use PAM's common-session-noninteractive modules for pkexec instead of
    common-session. The latter also runs pam_systemd (the only difference
    normally) which is a no-op under the classic session-centric
    D-BUS/graphical login model (as it won't start a new one if it is already
    running within a logind session), but very expensive when using
    dbus-user-session and being called from a service that runs outside the
    PAM session. This causes long delays in e. g. gnome-settings-daemon's
    backlight helpers. (LP: #1626651)

 -- Michael Biebl <biebl@debian.org>  Fri, 21 Oct 2016 15:44:57 +0200

policykit-1 (0.105-16) unstable; urgency=medium

  [ Michael Biebl ]
  * Drop obsolete Breaks from pre-wheezy.
  * Use gir addon instead of calling dh_girepository manually.
  * Run wrap-and-sort -ast.
  * Drop explicit Build-Depends on gir1.2-glib-2.0. This dependency is already
    pulled in via libgirepository1.0-dev.

  [ Martin Pitt ]
  * Add fallback if agent is not running in a logind session. This fixes
    polkit with dbus-user-session. Thanks Sebastien Bacher for the patch!
  * Bump Standards-Version to 3.9.8 (no changes necessary).

 -- Martin Pitt <mpitt@debian.org>  Mon, 25 Jul 2016 14:32:23 +0200

policykit-1 (0.105-15) unstable; urgency=medium

  * Generate tight inter-package dependencies.
    This ensures that everything from the same source package is upgraded in
    lockstep. (Closes: #817998)

 -- Michael Biebl <biebl@debian.org>  Thu, 14 Apr 2016 13:57:13 +0200

policykit-1 (0.105-14.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix FTBFS on non-linux/non-systemd. (Closes: #798769)

 -- Adam Borowski <kilobyte@angband.pl>  Thu, 14 Jan 2016 06:28:38 +0100

policykit-1 (0.105-14) unstable; urgency=medium

  * debian/policykit-1.preinst: Use systemctl unmask instead of direct symlink
    removal for consistency.
  * Fix handling of multi-line helper output. Thanks Dariusz Gadomski! Patch
    backported from upstream master. (LP: #1510824)

 -- Martin Pitt <mpitt@debian.org>  Mon, 23 Nov 2015 11:38:00 +0100

policykit-1 (0.105-13) unstable; urgency=medium

  * debian/policykit-1.{pre,pos}inst: Temporarily mask polkitd.service while
    policykit-1 is unpackaged but not yet configured. During that time we
    don't yet have our D-Bus policy in /etc so that polkitd cannot work yet.
    This can be dropped once the D-Bus policy moves to /usr.
    (Closes: #794723, LP: #1447654)

 -- Martin Pitt <mpitt@debian.org>  Wed, 21 Oct 2015 08:11:22 +0200

policykit-1 (0.105-12) unstable; urgency=medium

  * Team upload
  * Replace 03_complete_session.patch with a change from upstream
    which seems like a more correct solution for LP#445303, LP#649939
  * 05_revert-admin-identities-unix-group-wheel.patch: remove confusing
    staff -> desktop_admin_r change in a man page (desktop_admin_r looks
    vaguely like a SELinux role but is actually being used as a group);
    keep only the actual functional change. This matches the syntactically
    different but functionally similar change in experimental.
  * 09_pam_environment.patch: replace with the version that went upstream.
  * Annotate remaining patches with a bit more information.
    They are:
    - 00git_fix_memleak.patch, 00git_invalid_object_paths.patch,
      00git_type_registration.patch, 04_get_cwd.patch,
      07_set-XAUTHORITY-environment-variable-if-unset.patch,
      08_deprecate_racy_APIs.patch, 09_pam_environment.patch,
      cve-2013-4288.patch: either backports from upstream, or already
      applied upstream, and not discussed further here.
    - 01_pam_polkit.patch: use Debian's common-* infrastructure,
      plus pam_env to get the global environment and locale.
      Debian-specific.
    - 02_gettext.patch: Use gettext to translate .policy files at
      runtime, allowing for Ubuntu-style language packs.
      Debian-specific (mainly for Ubuntu's benefit, really).
    - 05_revert-admin-identities-unix-group-wheel.patch: Debian does
      not use the "wheel" group like Red Hat derivatives do;
      treat uid 0 as the administrative identity instead.
      Debian-specific.
    - 06_systemd-service.patch: hook up the systemd service in
      debian/polkitd.service.
      Not forwarded: obsoleted by an upstream change in 0.106,
      commit 2995085.
  * Re-order patch series to put upstream changes first, sorted by version
    in which they went upstream, and put them in subdirectories by version
  * Add patches from 0.113 to fix heap corruption CVE-2015-3255
    (Closes: #766860) and local authenticated denial of service
    CVE-2015-4625 (Closes: #796134)
  * Add numerous other bug-fix patches from 0.113
    - work around bugs in older versions of libpam-systemd when using
      su or similar (Closes: #772125)
    - treat background processes as part of the same uid's active GUI
      session if they have one (Closes: #779988)
    - fix some memory leaks (Closes: #775158, LP: #1417637)
  * Add backported public API polkit_system_bus_name_get_user_sync() to
    symbols file
  * Fix FTBFS with dpkg-buildpackage -A by only installing files into
    policykit-1 in per-arch builds
  * Run tests with a session bus pretending to be the system bus,
    so they can pass in a buildd environment

 -- Simon McVittie <smcv@debian.org>  Fri, 11 Sep 2015 09:48:00 +0100

policykit-1 (0.105-11) unstable; urgency=medium

  * Add 00git_invalid_object_paths.patch: backend: Handle invalid object paths
    in RegisterAuthenticationAgent (CVE-2015-3218, Closes: #787932)
  * policykit-1.postinst: Reload systemd before restarting polkitd.service, to
    avoid "Warning: polkitd.service changed on disk". (Closes: #791397)

 -- Martin Pitt <mpitt@debian.org>  Fri, 10 Jul 2015 13:03:33 +0200

policykit-1 (0.105-10) unstable; urgency=medium

  * Add 00git_type_registration.patch: Use GOnce for interface type
    registration. Fixes frequent udisks segfault (LP: #1236510).
  * Add 00git_fix_memleak.patch: Fix memory leak in EnumerateActions call
    results handler. (LP: #1417637)

 -- Martin Pitt <mpitt@debian.org>  Wed, 08 Jul 2015 12:15:41 +0200

policykit-1 (0.105-9) unstable; urgency=medium

  [ Martin Pitt ]
  * policykit-1.postinst: Don't kill polkitd under systemd, but properly
    restart it. This avoids killing it shortly after systemd tries to
    bus-activate it on installation. (LP: #1447654)

  [ Michael Biebl ]
  * Build against libsystemd instead of the old libsystemd-login compat
    library. (Closes: #779756)

 -- Michael Biebl <biebl@debian.org>  Wed, 08 Jul 2015 02:10:58 +0200

policykit-1 (0.105-8) unstable; urgency=medium

  * Rebuild against libsystemd0. This drops the last remaining dependency to
    libsystemd-login0. (Closes: #771281)
  * Bump Standards-Version to 3.9.6 (no changes necessary).

 -- Martin Pitt <mpitt@debian.org>  Fri, 28 Nov 2014 10:07:46 +0100

policykit-1 (0.105-7) unstable; urgency=medium

  * Team upload.
  * Install typelib files into MA libdir.

 -- Andreas Henriksson <andreas@fatal.se>  Thu, 25 Sep 2014 13:56:15 +0200

policykit-1 (0.105-6.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Use dh-autoreconf in build to support new architectures

 -- Wookey <wookey@debian.org>  Thu, 10 Jul 2014 00:15:28 +0100

policykit-1 (0.105-6) unstable; urgency=medium

  * Team upload.
  * debian/control: Update Homepage URL
  * debian/control: Add a Breaks against gdm3 (<< 3.8.4-7~) to ensure it
    registers a logind session properly (Closes: #745983)

 -- Laurent Bigonville <bigon@debian.org>  Thu, 22 May 2014 19:31:58 +0200

policykit-1 (0.105-5) unstable; urgency=medium

  * Team upload.
  * Enable systemd support on linux architectures
  * debian/control: Bump Standards-Version to 3.9.5 (no further changes)
  * debian/control: Use canonical VCS-* URL's

 -- Laurent Bigonville <bigon@debian.org>  Sun, 04 May 2014 12:40:59 +0200

policykit-1 (0.105-4) unstable; urgency=low

  * Acknowledge non-maintainer upload for CVE-2013-4288.
  * Also cherry-pick the upstream commit which deprecates the racy APIs.
  * debian/patches/09_pam_environment.patch: set process environment from
    pam_getenvlist().
  * debian/patches/01_pam_polkit.patch: adjust patch to invoke pam_env, so our
    global settings from /etc/environment are applied correctly.
  * The two changes above fix pkexec to properly export the pam environment.
    Thanks Steve Langasek for the patch. (Closes: #692340)

 -- Michael Biebl <biebl@debian.org>  Tue, 15 Oct 2013 18:34:24 +0200

policykit-1 (0.105-3+nmu1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cve-2013-4288: race condition in pkcheck.c (closes: #723717).

 -- Michael Gilbert <mgilbert@debian.org>  Mon, 14 Oct 2013 00:08:43 +0000

policykit-1 (0.105-3) unstable; urgency=low

  * 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY
    environment variable to its default value $HOME/.Xauthority if unset.
    Some display managers, like KDM, do not set the XAUTHORITY variable, so
    starting graphical applications via pkexec was broken in those
    environments. (Closes: #671497)

 -- Michael Biebl <biebl@debian.org>  Thu, 20 Dec 2012 18:55:14 +0100

policykit-1 (0.105-2) unstable; urgency=low

  * Change the permissions of /etc/polkit-1/localauthority to 700, this
    directory is not supposed to be readable by everyone.

 -- Michael Biebl <biebl@debian.org>  Mon, 17 Dec 2012 17:02:06 +0100

policykit-1 (0.105-1) unstable; urgency=low

  * New upstream release.
  * debian/watch: Update URL, the tarballs are hosted on freedesktop.org now.
  * Update symbols file for libpolkit-gobject-1-0 and libpolkit-agent-1-0.
  * Update debian/copyright using the machine-readable copyright format 1.0.
  * Bump Standards-Version to 3.9.3.
  * Bump Build-Depends on debhelper to (>= 9).

 -- Michael Biebl <biebl@debian.org>  Tue, 24 Apr 2012 21:06:04 +0200

policykit-1 (0.104-2) unstable; urgency=low

  * debian/control: Add Build-Depends on libglib2.0-doc and libgtk-3-doc for
    proper cross-references in the gtk-doc API documentation.
  * Install systemd service file for polkitd.

 -- Michael Biebl <biebl@debian.org>  Sat, 11 Feb 2012 23:48:29 +0100

policykit-1 (0.104-1) unstable; urgency=low

  * New upstream release.
    - Add support for netgroups. (LP: #724052)
  * debian/rules: Disable systemd support, continue to work with ConsokeKit.
  * 05_revert-admin-identities-unix-group-wheel.patch: Refresh to apply
    cleanly.
  * debian/libpolkit-gobject-1-0.symbols: Add new symbols from this new
    release.
  * debian/rules: Do not let test failures fail the build. The new test suite
    also runs a test against the system D-BUS/ConsoleKit, which can't work on
    buildds.

 -- Martin Pitt <mpitt@debian.org>  Fri, 06 Jan 2012 12:28:54 +0100

policykit-1 (0.103-1) unstable; urgency=low

  * New upstream release.
  * debian/control: Change section of gir1.2-polkit-1.0 to introspection.
  * 05_revert-admin-identities-unix-group-wheel.patch: Revert upstream change
    to make group wheel the default admin identity since we already use group
    sudo resp. group admin for that.

 -- Michael Biebl <biebl@debian.org>  Fri, 09 Dec 2011 00:48:17 +0100

policykit-1 (0.102-2) unstable; urgency=low

  * 02_gettext.patch: Explicitly #include <locale.h> to fix non-optimized
    build. Thanks Ivan Krasilnikov for pointing this out.
  * debian/rules: When building on Ubuntu, also consider the "sudo" group as
    administrator, for compatibility with Debian and sudo itself. Keep "admin"
    for existing systems. (LP: #893842)
  * Convert to Multi-Arch and dh compat 9. Thanks Daniel Schaal for the
    patch! (Closes: #636196)

 -- Martin Pitt <mpitt@debian.org>  Fri, 25 Nov 2011 07:44:09 +0100

policykit-1 (0.102-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/00git_fix_proc_race.patch: Removed, merged upstream.
  * debian/patches/04_ignore_quilt_po.patch: Removed, merged upstream.
  * debian/patches/03_complete_session.patch: Refreshed.
  * debian/patches/04_get_cwd.patch: Use g_get_current_dir() to determine the
    current working directory. This fixes another PATH_MAX related FTBFS on
    hurd. Thanks Emilio Pozuelo Monfort for the patch. (Closes: #623017)

 -- Michael Biebl <biebl@debian.org>  Tue, 02 Aug 2011 03:17:20 +0200

policykit-1 (0.101-4) unstable; urgency=high

  Urgency high due to security fix.

  * Add 00git_fix_proc_race.patch: Avoid /proc race conditions when checking
    privileges for pkexec. Patch taken from
    https://bugzilla.redhat.com/show_bug.cgi?id=692922, now also landed in
    upstream git. [CVE-2011-1485]
  * debian/libpolkit-gobject-1-0.symbols: Update for new symbols.
  * Add 04_ignore_quilt_po.patch: Ignore .po/ for intltool. This avoids build
    failures if quilt patches change files with translatable strings. Thanks
    to Kees Cook for the patch!

 -- Martin Pitt <mpitt@debian.org>  Wed, 20 Apr 2011 12:11:38 +0200

policykit-1 (0.101-3) unstable; urgency=low

  * debian/control
    - Add Depends on gir1.2-polkit-1.0 (= ${binary:Version}) to
      libpolkit-gobject-1-dev and libpolkit-agent-1-dev to comply with the
      updated GObject introspection policy.
    - Bump Standards-Version to 3.9.2. No further changes.

 -- Michael Biebl <biebl@debian.org>  Sun, 10 Apr 2011 20:34:03 +0200

policykit-1 (0.101-2) unstable; urgency=low

  * Upload to unstable.

 -- Michael Biebl <biebl@debian.org>  Fri, 25 Mar 2011 02:19:51 +0100

policykit-1 (0.101-1) experimental; urgency=low

  * New upstream release.
  * Update patches
    - Drop debian/patches/04_test_signalfd.patch, merged upstream.
    - Refresh other patches to apply cleanly.
  * debian/libpolkit-gobject-1-0.symbols
    - Add polkit_authorization_result_get_dismissed.
  * debian/control
    - Bump Build-Depends on libglib2.0-dev to (>= 2.28.0).
  * debian/rules
    - Don't build example programs.

 -- Michael Biebl <biebl@debian.org>  Thu, 03 Mar 2011 23:50:17 +0100

policykit-1 (0.100-1) experimental; urgency=low

  * New upstream release.
  * Refresh debian/patches/03_complete_session.patch.
  * Replace debian/patches/04_test_signalfd.patch with a patch that was merged
    upstream. This also allows to drop debian/patches/99_autoreconf.patch.
  * Switch from cdbs to dh.
  * Bump debhelper compatibility level to 8.
  * Install documentation using debian/policykit-1.docs.
  * Enable gobject introspection support.
    - Add Build-Depends on libgirepository1.0-dev (>= 0.9.12),
      gobject-introspection (>= 0.9.12-4~) and gir1.2-glib-2.0.
    - Add package gir1.2-polkit-1.0 containing the typelib files.
    - Install gir files in libpolkit-agent-1-dev.install and
      libpolkit-gobject-1-dev.install.
    - Call dh_girepository in debian/rules.

 -- Michael Biebl <biebl@debian.org>  Wed, 23 Feb 2011 19:51:17 +0100

policykit-1 (0.99-3) unstable; urgency=low

  * Upload to unstable.

 -- Michael Biebl <biebl@debian.org>  Thu, 10 Feb 2011 19:21:36 +0100

policykit-1 (0.99-2) experimental; urgency=low

  [ Michael Biebl ]
  * Merge sudo group changes from unstable branch.

  [ Martin Pitt ]
  * debian/rules: Use dpkg-vendor instead of lsb_release. Drop lsb-release
    build dependency.
  * Add 04_test_signalfd.patch: Allow building on Non-Linux platforms without
    signalfd(). (Closes: #602476)
  * Add 99_autoreconf.patch: Pick up autoreconf changes from previous patch.

 -- Martin Pitt <mpitt@debian.org>  Mon, 06 Dec 2010 16:28:11 +0100

policykit-1 (0.99-1) experimental; urgency=low

  [ Michael Biebl ]
  * New upstream release.
  * debian/patches/00git-fix-error-freeing.patch
    - Remove, fixed upstream.
  * debian/patches/00git-pkexec-information-disclosure.patch
    - Remove, merged upstream.
  * debian/control
    - Drop Build-Depends on libeggdbus-1-dev.
    - Bump Build-Depends on libglib2.0-dev to (>= 2.25.12) for GDBus.
  * Switch to source format 3.0 (quilt).
    - Add debian/source/format.
    - Drop Build-Depends on quilt.
    - Remove /usr/share/cdbs/1/rules/patchsys-quilt.mk from debian/rules.
    - Remove debian/README.source.

  [ Robert Ancell ]
  * Add debian/patches/02_gettext.patch: Use gettext for translations in
    .policy files if they specify a gettext domain.

  [ James Westby ]
  * Add debian/patches/03_complete_session.patch: Fix the race that leads to
    the password box disappearing, but the dialog remaining.

  [ Martin Pitt ]
  * debian/rules: Set DPKG_GENSYMBOLS_CHECK_LEVEL to 4 to point out outdated
    .symbols files more strongly.

 -- Michael Biebl <biebl@debian.org>  Thu, 04 Nov 2010 17:27:09 -0400

policykit-1 (0.96-4) unstable; urgency=low

  * debian/rules
    - When building for Debian, install a localauthority.conf.d configuration
      file which considers "sudo" group users as administrators.
      (Closes: #532499)

 -- Michael Biebl <biebl@debian.org>  Tue, 16 Nov 2010 23:21:50 +0100

policykit-1 (0.96-3) unstable; urgency=low

  * debian/control
    - Use architecture wildcard linux-any for libselinux1-dev.
    - Bump Standards-Version to 3.9.1.
  * debian/policykit-1.postinst
    - Query D-Bus to find out the correct pid of the process claiming
      org.freedesktop.PolicyKit1. This way we do not accidentally kill the
      wrong process when being installed in a chroot. (Closes: #595030)
  * debian/policykit-1.prerm
    - Stop polkitd on remove. (Closes: #595031)

 -- Michael Biebl <biebl@debian.org>  Thu, 16 Sep 2010 23:27:56 +0200

policykit-1 (0.96-2) unstable; urgency=medium

  * Urgency medium, just two small, but important bug fixes.
  * Add 00git-pkexec-information-disclosure.patch: Fix information disclosure
    vulnerability that allows an attacker to verify whether or not arbitrary
    files exist, violating directory permissions.
  * 00git-fix-error-freeing.patch: Fix crash when calling CheckAuthorization()
    with an invalid PID. (LP: #540464)

 -- Martin Pitt <mpitt@debian.org>  Fri, 09 Apr 2010 12:09:53 +0200

policykit-1 (0.96-1) unstable; urgency=low

  * New upstream release.
  * debian/libpolkit-backend-1-0.symbols
    - Update for new API addition.

 -- Michael Biebl <biebl@debian.org>  Sat, 16 Jan 2010 00:05:48 +0100

policykit-1 (0.95-1) unstable; urgency=low

  * New upstream release.
  * Remove patches
    - debian/patches/02_dont_export_private_symbols.patch (merged upstream)
    - debian/patches/03_path_max.patch (merged upstream)
    - debian/patches/04-ref-authority.patch (merged upstream)
    - debian/patches/05-pkexec-env.patch (merged upstream)
    - debian/patches/99_autoreconf.patch (obsolete)
  * debian/control
    - Bump Build-Depends on libeggbus-1-dev to (>= 0.6).
  * debian/rules
    - The example application is no longer built by default so we don't need
      to manually remove it anymore.
  * debian/libpolkit-{backend,gobject}-1-0.symbols
    - Update for new API additions.

 -- Michael Biebl <biebl@debian.org>  Sat, 14 Nov 2009 05:33:34 +0100

policykit-1 (0.94-6) unstable; urgency=low

  * debian/policykit-1.postinst
    - Use start-stop-daemon instead of kill+pidof to stop the running polkitd
      daemon on upgrades.
  * Remove our workaround for kfreebsd again now that eglibc 2.10 has entered
    unstable. (Closes: #552605)

 -- Michael Biebl <biebl@debian.org>  Mon, 09 Nov 2009 01:09:07 +0100

policykit-1 (0.94-5) unstable; urgency=low

  * Add debian/patches/04-ref-authority.patch: Ref the instance returned by
    polkit_authority_get(), since the documentation says that it needs to be
    unref'ed after usage. This fixes crashes in NetworkManager and probably
    other programs, too. (LP: #438574, #432452, fd.o #24566)
  * Add debian/patches/05-pkexec-env.patch: Add missing comma so that pkexec
    saves both LANG and LANGUAGE, not LANGLANGUAGE. (Cherrypicked from trunk)
  * Add myself to Uploaders: with Michael's consent.

 -- Martin Pitt <mpitt@debian.org>  Tue, 03 Nov 2009 12:28:09 +0100

policykit-1 (0.94-4) unstable; urgency=low

  * debian/patches/03_path_max.patch
    - Update patch to fix implicit pointer conversion for
      get_current_dir_name. (Closes: #550901)

 -- Michael Biebl <biebl@debian.org>  Wed, 14 Oct 2009 14:00:40 +0200

policykit-1 (0.94-3) unstable; urgency=low

  * debian/patches/03_path_max.patch
    - Fix FTBFS on hurd-i386 where PATH_MAX is not defined. (Closes:#550800)
      Thanks to Samuel Thibault for the patch.
  * debian/policykit-1.postinst:
    - Kill the old polkitd daemon on upgrade, to ensure that the new version
      will be used at the next occasion.

 -- Michael Biebl <biebl@debian.org>  Tue, 13 Oct 2009 14:32:25 +0200

policykit-1 (0.94-2) unstable; urgency=low

  * Fix build failures on kfreebsd. Add Build-Depends on libfreebsd-dev and
    link against -lfreebsd for sysctlnametomib.
    When glibc 2.10 enters unstable this workaround can be removed again.

 -- Michael Biebl <biebl@debian.org>  Tue, 13 Oct 2009 00:29:47 +0200

policykit-1 (0.94-1) unstable; urgency=low

  * Rename package to policykit-1. Upstream (at least temporarily) forked
    the project to make it installable in parallel with policykit 0.9, until
    all programs are ported to the new API.
  * Drop all patches except 01_pam_polkit.patch.
  * Refresh debian/patches/01_pam_polkit.patch.
  * debian/control
    - Update Build-Depends
      + Drop libdbus-1-dev, libdbus-glib-1-dev.
      + Add libeggdbus-1-dev (>= 0.5) and lsb-release.
      + Bump libglib2-dev dependency to (>= 2.21.4).
    - Update list of binary packages and their package descriptions.
    - Drop dependency on adduser.
    - Bump Standards-Version to 3.8.3.
      + Add README.source which refers to the quilt documentation.
    - Update Vcs-* fields. Package is now managed using Git and hosted on
      git.debian.org.
  * Update shared library structure: libpolkit-{dbus,grant} →
    libpolkit-{agent,backend,gobject}-1.
  * Rename policykit, policykit-doc → policykit-1, policykit-1-doc.
  * Update and revise all *.install files.
  * debian/rules, debian/policykit.init: Drop init script, package doesn't use
    /var/run any more.
  * debian/policykit-1.postinst: Don't create "polkituser" system user, it's
    not used any more.
  * Update watch file.
  * debian/patches/02_dont_export_private_symbols.patch
    - Don't export private symbols in the libraries.
  * debian/patches/99_autoreconf.patch
    - Update the autotools files as the previous patch also touches the build
      system.
  * Add symbols files for libpolkit-{agent,backend,gobject}-1 for improved
    shlibs dependencies.
  * debian/rules
    - Disable introspection support.
    - When building for Ubuntu, install a localauthority.conf.d configuration
      file which considers "admin" group users as administrators.
    - Don't install example application.
  * debian/copyright
    - Update copyright holder.
    - License was changed to LGPL 2.1+.

 -- Michael Biebl <biebl@debian.org>  Sun, 27 Sep 2009 21:35:18 +0200

policykit (0.9-4) unstable; urgency=low

  * Add support for /var/run being a tmpfs. (Closes: #532101)
    - Create /var/run/PolicyKit dynamically on boot by using an init script.
      Original patch by Martin Pitt, thanks. Updated patch to only run the
      init script in runlevel S at priority 75.
    - Do no longer ship /var/run/PolicyKit in the package itself.
  * debian/control
    - Bump Standards-Version to 3.8.1.
  * debian/patches/04_entry_leak.patch
    - Plug a memory leak. Patch pulled from Fedora.
  * debian/patches/05_manpage_typo_fix.patch
    - Fix a small typo in the polkit-auth man page. (Closes: #523565)
  * debian/patches/06_no_inotify_or_path_max.patch
    - Add support for systems which don't support inotify (like hurd) and
      don't use PATH_MAX unconditionally, instead use dynamically growing
      buffers. (Closes: #521756)
      Patch by Samuel Thibault, thanks.

 -- Michael Biebl <biebl@debian.org>  Thu, 18 Jun 2009 09:55:34 +0200

policykit (0.9-3) unstable; urgency=low

  * Switch patch management system to quilt.
  * debian/control
    - Wrap Build-Depends.
    - Demote Recommends: policykit-gnome to Suggests. (Closes: #513758)
    - Bump Build-Depends on debhelper to (>= 7).
  * debian/compat
    - Bump debhelper compat level to 7.
  * debian/rules
    - Include debhelper.mk before any other files as recommended by the cdbs
      documentation.
  * debian/patches/03_consolekit0.3-api.patch
    - Try both the ConsoleKit 0.3 and the older 0.2 API, to work with either.
      Patch pulled from Ubuntu.

 -- Michael Biebl <biebl@debian.org>  Wed, 18 Feb 2009 17:25:52 +0100

policykit (0.9-2) unstable; urgency=high

  [ Simon McVittie ]
  * Add patch committed in Fedora (although not upstream) by the upstream
    maintainer, to allow PolicyKit to be used when CVE-2008-4311 has
    been fixed in dbus-daemon. (Closes: #510646)

  [ Michael Biebl ]
  * debian/control
    - Add ${misc:Depends} to all binary packages.

 -- Michael Biebl <biebl@debian.org>  Wed, 07 Jan 2009 18:18:56 +0100

policykit (0.9-1) unstable; urgency=low

  * New upstream release.
  * debian/control
    - Bump Standards-Version to 3.8.0. No further changes.

 -- Michael Biebl <biebl@debian.org>  Sun, 03 Aug 2008 10:53:11 +0200

policykit (0.8-2) unstable; urgency=low

  * Add symbols files for libpolkit2, libpolkit-grant2 and libpolkit-dbus2.
  * debian/policykit.postinst
    - Set correct permissions for all files. (Closes: #482064)
    - Define a small helper function to apply the permissions. This makes it
      more concise and readable.

 -- Michael Biebl <biebl@debian.org>  Fri, 23 May 2008 04:33:48 +0200

policykit (0.8-1) unstable; urgency=medium

  * New upstream release.
    - SECURITY - CVE-2008-1658:
      Fixes format string vulnerability in the grant helper. (Closes: #476615)
  * debian/control
    - Add Build-Depends on pkg-config.

 -- Michael Biebl <biebl@debian.org>  Fri, 18 Apr 2008 01:39:08 +0200

policykit (0.7-2) unstable; urgency=low

  * Upload to unstable.

 -- Michael Biebl <biebl@debian.org>  Fri, 11 Jan 2008 01:02:59 +0100

policykit (0.7-1) experimental; urgency=low

  * New upstream release. (Closes: #455874)
  * debian/control
    - Bump Standards-Version to 3.7.3. No further changes required.
    - Add Build-Depends on libdbus-glib-1-dev (>= 0.73).
    - Change Homepage URL to http://hal.freedesktop.org/docs/PolicyKit/.
      (Closes: #446504)
    - Improve package description. (Closes: #446554)
  * debian/copyright
    - All code is now licensed under the MIT/X11 license. Update the copyright
      notice accordingly.
  * debian/policykit.dirs
    - Add the directory /var/lib/PolicyKit-public.
  * debian/policykit.install
    - Install the D-Bus config and service files for the PolicyKit system
      service.
    - Install /var/lib/misc/PolicyKit.reload.
  * debian/rules
    - Fix the permissions of /var/lib/misc/PolicyKit.reload.
  * debian/policykit.postinst
    - Use dpkg-statoverride to check for local modifications before setting
      the SUID/SGID bits.

 -- Michael Biebl <biebl@debian.org>  Thu, 20 Dec 2007 18:01:38 +0100

policykit (0.6-1) experimental; urgency=low

  * New upstream release.
  * debian/control
    - Use new "Homepage:" field to specify the upstream URL.
    - The Vcs-* fields are now officially supported, so remove the XS- prefix.
    - Add a Recommends: policykit-gnome to the policykit package.
    - Enable SELinux support by adding a Build-Depends on libselinux1-dev for
      all supported platforms.
  * debian/policykit.postinst
    - Install polkit-grant-helper-pam with the correct permissions.

 -- Michael Biebl <biebl@debian.org>  Sat, 03 Nov 2007 00:02:33 +0100

policykit (0.5-1) experimental; urgency=low

  * Initial release. (Closes: #397087)

 -- Michael Biebl <biebl@debian.org>  Tue, 02 Oct 2007 22:38:04 +0200