Atomic Desktops: Drop compatibility for pkla polkit rules
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary 
Remove support for deprecated pkla polkit rules from all Fedora Atomic Desktops. All other ostree/bootable container images dropped it already.
Owner
- Name/Email: Timothée Ravier, siosm@fedoraproject.org
Detailed Description
Compatibility support for the legacy pkla format of pokit rules has been moved to Recommends in f306ce1 polkit hogs cpu on every login/logout which landed in Fedora 41. At the exception of the Fedora Atomic Desktops, all ostree/bootable container systems disable recommends thus they dropped the polkit-pkla-compat package with the update to Fedora 41 (see for Fedora CoreOS). This change does it for the Atomic Destkops.
Feedback
This was initially suggested in F37: Make pkexec and pkla-compat optional which was rejected at the time (see discussion in Change proposal: Make pkexec and pkla-compat optional).
Since then:
- the
polkit-pkla-compatpackage has been made optional by the polkit maintainer - this change reduces the scope to Atomic Desktops only where we currently donât include any package using pkla legacy rules and leaves pkexec as is
Users that still want to use pkla rules can layer the polkit-pkla-compat package on their systems or build derived images.
However, itâs likely that the ecosystem has moved on at this point:
- The last version of Debian with support for those rules is Debian 12 (oldstable) as Debian 13 (stable) dropped the package (Debian -- Details of package polkitd-pkla in bookworm)
- The last version of Ubuntu with support for those rules is 24.04 (Ubuntu â Package Search Results -- pkla) and the package has not been included by default since Ubuntu 24.04 (at least).
Benefit to Fedora
Remove support for obsolete configuration files for a privileged component of the OS and align Atomic Desktops will other ostree/bootable container images.
Scope
- Proposal owners: Will exclude
polkit-pkla-compatfrom Atomic Desktops - Other developers: Convert remaining pkla rules to the new format as needed for the remaining packages.
- Release engineering: N/A
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy: General improvement for Atomic Desktops
Upgrade/compatibility impact
Systems that still rely on pkla rules will need to have those rules converted to the new polkit format.
Early Testing (Optional)
Do you require âQA Blueprintâ support? N
How To Test
Remove the polkit-pkla-compat locally or from the container image. Verify normal operation of privileged operations.
User Experience
Nothing specific to note.
Dependencies
None.
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) Revert the change. The Atomic Desktops maintainers will do it.
- Contingency deadline: N/A (not a System Wide Change) but Beta/Final freeze
- Blocks release? N/A (not a System Wide Change) but No, can be easily reverted
Documentation
See release notes.
Release Notes
Support for the legacy pkla format for polkit rules has been removed from all Fedora Atomic Desktops. If you have applications that still rely on those rules, you can re-install the package (by overlaying it or by building your own container image).
Last edited by @siosm 2026-01-26T11:36:26Z
Last edited by @siosm 2026-01-26T11:36:26Z
instead of reiterating. You can even do this by email, by replying with the heart emoji or just â+1â. This will make long topics easier to follow.