If you do not work for RedHat or have a commercial contract with them, and do not belong to the PolicyKit-DBus-AccountsService social inner ring, how do you even point out critical flaws in them? Post a bug or GitLab message, and it'll be closed with a "go troll somewhere else" -type snotty response.
Related story, feel free to skip:
The Apache suEXEC Security Model is insane. Specifically, enforcing point 18, that a CGI executable can only be executed as the owner user/group, means that any script you execute using suEXEC will be able to modify itself. It also means it is impossible to determine whether a new executable script was created by a human administrator or by any script executed using suEXEC, allowing script drops.
Years ago, I tried to explain why the opposite, requiring that a CGI script be executed with at least the owner user being different from the owner of the file, with local user accounts created and reserved for CGI scripts, is necessary to stop the proliferation of script drops and the pwning of sites via small flaws in their upload scripts.
"Too hard." "That would mean we'd have to create two user accounts per human user, instead of one; we don't wanna." "Plesk does not support that." "cPanel does not support that."
It is quite possible to create web sites where common bugs cannot be escalated into security holes; where only the login, logout, and user account management pages need to be carefully vetted to avoid data leaks, since the other pages simply do not have access to the sensitive information at all. And it isn't hard, it is just done differently from what is currently commonly assumed to be the normal way of doing things.
Compare that to PolicyKit. You get some asshats from RedHat producing privilege escalation software with "ToDo: explain how this works (later)" getting to insert their crappy code into just about every distribution, because of company politics and social pressure among projects. (Just go look at how DBus, PolicyKit, and AccountsService all tie in together; but be warned, you'll get angry and/or depressed if you understand the implications.)
Technical merits do not matter; hell, for PolicyKit they were never even described publicly! The only thing they told us was that using sudo for applications is too hard!
What matters is that it is done by Nice People who do not occasionally swear and are always Politically Correct. What we learned from the Unix world (and its predecessors) about security and what works does not matter, because New Is Always Better Than Old. Mark my words: the PolicyKit authors will not receive a single granule of shit (apart from 'anti-systemd nutjobs' like myself) for this. Nobody will note the above-mentioned ToDo, nobody will comment on the empty AUTHORS file.
I'd prefer people fuck me with a cactus instead of this crazy shit.
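The separation argued for in the suEXEC story above (the identity that executes a CGI script must not be the identity that owns it, and must not be able to write into the script's directory) can be checked mechanically. The following is an added example, not code from the post's author and not part of Apache or suEXEC; the uids 1001/2001, the `Ownership` tuple and the function names are hypothetical, and the three sample deployments are constructed for illustration.

```python
"""Audit whether the identity running a CGI target could rewrite it
or drop a sibling script next to it.  Hypothetical helper, written to
illustrate the owner-must-differ-from-executor rule; not suEXEC code."""
import os
import stat
from collections import namedtuple

# Minimal stand-in for the fields of os.stat_result that matter here.
Ownership = namedtuple("Ownership", "uid gid mode")


def can_write(ident_uid, ident_gid, own):
    """True if (ident_uid, ident_gid) could modify the object.

    Ownership itself counts as write capability: an owner can chmod away
    a 0555 mode at will, so "owned by the executor but read-only" is no
    defence.  Root can always write."""
    if ident_uid == 0 or ident_uid == own.uid:
        return True
    if ident_gid == own.gid and own.mode & stat.S_IWGRP:
        return True
    return bool(own.mode & stat.S_IWOTH)


def audit_cgi_target(script, parent_dir, exec_uid, exec_gid):
    """Return a list of findings for running `script` as exec_uid/exec_gid.

    An empty list means the executor can neither edit the script nor
    create/rename files in its directory, i.e. a bug in the script
    cannot turn into a self-modifying script or a script drop."""
    findings = []
    if exec_uid == 0 or exec_gid == 0:
        findings.append("executor is root")
    if exec_uid == script.uid:
        # This is exactly what suEXEC's point 18 mandates.
        findings.append("script is owned by the executing user")
    elif can_write(exec_uid, exec_gid, script):
        findings.append("script is writable by the executing identity")
    if exec_uid == parent_dir.uid:
        findings.append("script directory is owned by the executing user")
    elif can_write(exec_uid, exec_gid, parent_dir):
        findings.append("script directory is writable by the executing identity (script drop)")
    return findings


def audit_path(path, exec_uid, exec_gid):
    """Same check against a real file on disk (file plus its directory)."""
    st = os.stat(path)
    dst = os.stat(os.path.dirname(os.path.abspath(path)))
    return audit_cgi_target(
        Ownership(st.st_uid, st.st_gid, st.st_mode),
        Ownership(dst.st_uid, dst.st_gid, dst.st_mode),
        exec_uid, exec_gid)


# Constructed sample deployments; no real accounts involved.
HUMAN, CGI = 1001, 2001  # hypothetical: site owner, and the account reserved for its CGI

# suEXEC's model: the script runs as the user that owns it and its directory.
SUEXEC_STYLE = audit_cgi_target(
    Ownership(HUMAN, HUMAN, 0o755), Ownership(HUMAN, HUMAN, 0o755), HUMAN, HUMAN)

# Reserved CGI account: human owns the files (0755), CGI account only executes them.
SEPARATED = audit_cgi_target(
    Ownership(HUMAN, HUMAN, 0o755), Ownership(HUMAN, HUMAN, 0o755), CGI, CGI)

# Separation undone by a sloppy 0777 upload directory: drops become possible again.
LEAKY_DIR = audit_cgi_target(
    Ownership(HUMAN, HUMAN, 0o755), Ownership(HUMAN, HUMAN, 0o777), CGI, CGI)

if __name__ == "__main__":
    for name, found in [("suexec", SUEXEC_STYLE), ("separated", SEPARATED),
                        ("leaky-dir", LEAKY_DIR)]:
        print(name, "->", found or "OK")
```

Run against a live tree with `audit_path("/var/www/cgi-bin/upload.cgi", cgi_uid, cgi_gid)` (path and ids are whatever your deployment uses). Note that the check deliberately treats ownership as write access regardless of mode bits, because the owner can always restore write permission to itself; that is the whole reason the executing account and the owning account have to be different users.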