Wow this is a lot of changes. A single bug won't do. We can use this bug
merely as a tracker bug.

When will these packages actually hit Factory? Public release is scheduled for
the end of February, so for Factory this will likely be relevant around March.

We should be reviewing somewhat earlier than that for the case that anything
problematic is found that upstream needs to be working on.

But otherwise it looks not urgent. We can have a look as time permits until
the end of January or so.

(In reply to Matthias Gerstner from comment #1)
> 
> When will these packages actually hit Factory? Public release is scheduled
> for
> the end of February, so for Factory this will likely be relevant around
> March.

The packages won't reach factory users before the release. Ideally, we should try test submissions around RC1 to check which changes are needed for staging projects.

Do you have any insight about the volatility of the upstream codebase for
KDE6?

It wouldn't make much sense for us to review these alpha packages now if the
codebase will change a lot until the actual release happens.

All sub-bugs have been taken care of - except for bug 1217179 (kinfocenter),
where Paolo will soon provide us more info.

There are only two hard blockers currently from my point of view:

- bug 1217186 plasma6-workspace fontinst service: this is pretty old code that
  was never reviewed properly by us in the past. And the code is way too open
  such that the actions can be misused for completely different things than
  what it says on the label.

- bug 1217188 sddm-kcm6: this service is just barely secure by requiring
  `auth_admin` for everything and even then it's shaky given that is writes to
  the `sddm` user's home directory as root.

For these two I would really like to see some upstream efforts for KDE6.

For all the other bugs there are a couple of comments for improvement here and
there but nothing that stands in the way of a whitelisting.

(In reply to matthias.gerstner@suse.com from comment #4)
> For these two I would really like to see some upstream efforts for KDE6.
> 
> For all the other bugs there are a couple of comments for improvement here and
> there but nothing that stands in the way of a whitelisting.

So are there any news regarding the release schedule of KDE upstream?

I see no movement in the couple of issues that have been created upstream. It
feels like this chance to perform breaking changes in the context of a major
release is being dropped.

(In reply to Matthias Gerstner from comment #5)
> (In reply to matthias.gerstner@suse.com from comment #4)
> > For these two I would really like to see some upstream efforts for KDE6.
> > 
> > For all the other bugs there are a couple of comments for improvement here and
> > there but nothing that stands in the way of a whitelisting.
> 
> So are there any news regarding the release schedule of KDE upstream?

RC2 was released recently, the SRs to TW are being prepared.

> I see no movement in the couple of issues that have been created upstream.

Indeed.

The sddm handler needs rework anyway to handle theme installation outside of /usr anyway. IMO this functionality isn't that important yet as there won't be many Qt 6 compatible themes, so for now we can skip it.

For kfontinst I'll try to have a look myself, until that's done it can probably be skipped as well.

> It
> feels like this chance to perform breaking changes in the context of a major
> release is being dropped.

Not really, big changes to those interfaces can be done at any point in time and are actually easier to do once the dust has settled a bit... It's all just implementation details, there aren't any external interfaces to outside of Plasma or probably not even user visible effects.

(In reply to fabian@ritter-vogt.de from comment #6)
> > It
> > feels like this chance to perform breaking changes in the context of a major
> > release is being dropped.
> 
> Not really, big changes to those interfaces can be done at any point in time and are actually easier to do once the dust has settled a bit... It's all just implementation details, there aren't any external interfaces to outside of Plasma or probably not even user visible effects.

I don't see it that way at least not for the change I suggested to the Kauth
interface. If there is a breaking change in there then all consumers of Kauth
need to be adapted.

The next frameworks and plasma packages were submitted yesterday. the RC2 packages live in the KDE:Frameworks repository.

I will soon submit whitelistings for most of the changed packages. A couple of
problematic items remain:

- kde.fontinst.service bug 1217186: much too broad D-Bus interface, no
  activity upstream. I will whitelist this for legacy reasons only.
- sddm-kcm6 bug 1217188: likely local attack vectors from sddm to root or
  interactive user to root. This is only kept halfway safe as it requires
  `auth_admin`. No movement visible from upstream. Asked how to continue here.
- kwalletmanager bug 1217190: this contains a useless kauth helper that is
  used for fake security purposes and I advice to drop this in any form
  possible.

mmm... seems I forgot drkonqi6

[   93s] drkonqi6.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system.d/org.kde.drkonqi.conf (sha256 file digest default filter:233b3b98de2fc6b780c1eb9c3ab9b9f99b1949dfab951cababd7c5a717b8ee16 shell filter:233b3b98de2fc6b780c1eb9c3ab9b9f99b1949dfab951cababd7c5a717b8ee16 xml filter:3326c5271c6321c5b3a703d187443eef260d54aa7347bc8f05d9090a153a04bd)

[   93s] drkonqi6.x86_64: E: dbus-file-unauthorized (Badness: 10000) /usr/share/dbus-1/system-services/org.kde.drkonqi.service (sha256 file digest default filter:b99a6dc5943df0e641616dc4be3122fdd1d1b1c418df298c56008b50c5fb2b08 shell filter:b6f2a505903e2d8874d7da96a197944ab4a11f351f3db80ffeeec86d9eefd79a xml filter:<failed-to-calculate>)

https://build.opensuse.org/package/show/KDE:Frameworks/drkonqi6

(In reply to christophe@krop.fr from comment #10)
> mmm... seems I forgot drkonqi6

can you please create a separate sub-bug for that and add it as a blocker for
this tracker bug? Thanks.

Due to the issue identified in bug 1220215 we need to readjust all KDE6
whitelistings and the remaining whitelisting tasks are blocked until the new
kauth package is in place.

Please ping me once all affected packages build against the new kauth that
contains the bugfix.

The staging project (https://build.opensuse.org/project/monitor/openSUSE:Factory:Staging:adi:26) reports some of the checksums added in https://build.opensuse.org/request/show/1147158 now mismatch

plasma6-disks:

E: dbus-file-digest-mismatch (Badness: 10000) /usr/share/dbus-1/system.d/org.kde.kded.smart.conf expected sha256:83b4e002b9bdab964dd49e9aacca5531e5b3f28c524f43b90de74020b05e90ce, has:5d237d26c933e2b8b525c666c0d1c97e76bdffbc123ec9896a4b726067fd2cad

libksysguard6:

dbus-file-digest-mismatch (Badness: 10000) /usr/share/dbus-1/system.d/org.kde.ksysguard.processlisthelper.conf expected sha256:e08be1fffd5b7ebddb31f396f603e7a9fac08784c5473f37195262b55c663d45, has:0eb5379a313fff2be98a64e5adbebffdb45ba5879a6434e7787f203334cf5785

kinfocenter6:

E: dbus-file-digest-mismatch (Badness: 10000) /usr/share/dbus-1/system.d/org.kde.kinfocenter.dmidecode.conf expected sha256:55400352c8d0450d3d4c1eeb8f009c2a2741a02b9ec5d3f8f1034644a7f9e2d2, has:6ac8b997890e65dc800e9106444f39c75c1b87416fd7ad4d82f05c0e9eae1aea

and for kde-inotify-survey, we now have:

/usr/share/dbus-1/system-services/org.kde.kded.inotify.service expected sha256:89a2ce5a4c6ebd7cb471f820a28fbd2dd418e377cb2ed0eaea1af59840c1dabd, has:e56b75bc5cbaa9e4dfb5829dcb5c0d5d871c0533076b83ea2c0f363c00318ad4

/usr/share/dbus-1/system.d/org.kde.kded.inotify.conf expected sha256:4eb68f2c3bc75842df0f3d67874588fc672ec540769db09c3a71cbb292a989f7, has:7dd017f2535dabd623fdb59ecb6362ac60fa836e9a146243c2a450b04d9aee5d

Yes that is to be expected, see bug 1220215. The adjusted checksums are
already on their way.

With drkonqi the final whitelisting for KDE6 is through and we can close this
tracker.