Back to policykit-1 PTS page

Accepted policykit-1 121+compat0.1-5 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 13 Oct 2022 10:46:03 +0100
Source: policykit-1
Architecture: source
Version: 121+compat0.1-5
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 580634 689473 698085 699447 723717 745983 748981 771281 772125 775158 776744 779756 779988 794723 817998 837846 863207 863784 872615 902474 903563 915332 917309 918446 923240 946231 961279 965210 980998 989429 1005784 1018897
Changes:
 policykit-1 (121+compat0.1-5) unstable; urgency=medium
 .
   * Release to unstable (Closes: #946231, #1018897)
 .
 policykit-1 (121+compat0.1-4) experimental; urgency=medium
 .
   * d/polkitd.postinst: Consistently indent with spaces
   * d/polkitd.postinst: Quote defensively
   * d/polkitd.postinst: Don't explicitly restart the systemd service.
     dh_installsystemd does this for us anyway.
   * d/polkitd.postinst: Make sure message bus policy is reloaded if needed.
     If we created or modified the polkitd user, then we need to refresh
     dbus-daemon's cached policy to take that user into account, otherwise
     polkitd will fail to start. This fixes an autopkgtest failure.
   * d/polkitd.postinst: Stop polkitd when not using systemd.
     On non-systemd systems, polkitd is a traditional D-Bus service and is
     not managed by a service manager, so the way to ensure we are running
     the upgraded version is to stop it and let the D-Bus system bus activate
     a new copy next time it is used.
   * Install a sysusers.d(5) fragment to set up the system user.
     This allows use of polkit without adduser on systems that have either
     systemd or systemd-standalone-sysusers.
   * d/polkitd.tmpfiles: Provide a tmpfiles.d(5) fragment for our directories
   * Add another override for man pages not matching Lintian expectations
   * d/rules: Build with hardening=+bindnow
   * Add doc-base metadata for the reference manual
 .
 policykit-1 (121+compat0.1-3) experimental; urgency=medium
 .
   * Merge content of polkitd-javascript into polkitd.
     Keep the polkitd-javascript package as a transitional package.
 .
 policykit-1 (121+compat0.1-2) experimental; urgency=medium
 .
   * Add a NEWS file describing the change of security policy format
   * d/control: policykit-1 Recommends polkitd-pkla.
     This arranges for upgrades from Debian 11 to install polkitd-pkla by
     default, preserving previous functionality, while also allowing it to
     be removed for legacy-free systems.
   * d/pkla/: Remove, no longer installed or used
   * d/example-rules: Add some examples of the JavaScript rules format
   * d/changelog: Merge changelog entries from testing/unstable, in
     preparation for uploading this branch to unstable
 .
 policykit-1 (121+compat0.1-1) experimental; urgency=medium
 .
   * Restructure the package to use upstream project polkit-pkla-compat
     for compatibility with 0.105 and older versions.
     - polkitd-javascript is now the only implementation of polkitd.
       The packages will probably be merged in a future upload, but keep
       them separate for now as a contingency plan.
     - polkitd-pkla now Depends on polkitd-javascript instead of having
       Breaks/Replaces on it. It's now an addon for polkitd-javascript,
       which calls out to an external helper program to check authorization
       against the old pklocalauthority(8) configuration files.
     - polkitd-javascript: Ensure that the polkitd user has a primary group.
       The polkit-pkla-compat package wants its directories to be owned by
       root:polkitd, which will only work if the polkitd user has a
       corresponding polkitd group.
     - Add polkit-pkla-compat as a secondary upstream tarball
     - Build polkit-pkla-compat instead of a PKLA build of polkitd
     - Drop patches that reinstated the ability to do a PKLA build of polkitd
   * d/p/polkitbackendduktapeauthority.c-Print-the-error-string-we.patch:
     Add patch from upstream to display error string as intended
   * d/control: Explicitly build-depend on xml-core, for its dh addon
   * d/copyright: Update
   * Update Lintian overrides
   * Standards-Version: 4.6.1 (no changes required)
   * d/tests: Skip if dbus-daemon is not running and cannot be started
   * Try harder to clean up obsolete conffiles
 .
 policykit-1 (121-2) experimental; urgency=medium
 .
   [ Michael Biebl ]
   * Use dh-sequence-gir Build-Depends to enable the gir addon
   * Remove no longer needed dh option.
     Upstream has removed the autotools based build system so we no longer
     need to tell dh which build system to use.
   * Remove workaround for missing mocklibc
 .
   [ Simon McVittie ]
   * d/copyright: Reinstate entry for test/mocklibc
   * d/polkitd.install: Really install the XML catalog entry
   * d/rules: Enable xml-core dh sequence
   * d/catalog.xml: Fix basename of DTD
 .
 policykit-1 (121-1) experimental; urgency=medium
 .
   * New upstream release
   * d/copyright: Update
   * Drop patches that were applied upstream
   * Refresh remaining patches
   * d/control: Build-depend on duktape instead of mozjs
   * Install policyconfig-1.dtd in polkitd package, with an XML catalog
     entry (Closes: #872615)
   * d/watch: Use Gitlab tags to watch for new releases for now.
     Subsequent releases will be done via the Gitlab releases feature, but
     it's not immediately obvious what form that will take.
   * Add patch from upstream to install rules.d defaults in /usr/share.
     This brings us one step closer to the "empty /etc is valid" model.
   * d/rules: Install sudo and Ubuntu admin rules into /usr/share, too.
     This avoids these files having to be conffiles that vary between
     distros.
   * d/upstream/metadata: Add
   * d/polkitd.docs: Update
 .
 policykit-1 (0.120-6) experimental; urgency=medium
 .
   * Add patch from Fedora to fix denial of service via fd exhaustion
     (CVE-2021-4115; Closes: #1005784)
 .
 policykit-1 (0.120-5) experimental; urgency=medium
 .
   * d/*.postinst: Correct package names in initial comments
   * d/policykit-1.bug-control: Correct name of Submit-As field
 .
 policykit-1 (0.120-4) experimental; urgency=medium
 .
   * d/control: Change descriptions to refer to polkit.
     According to NEWS, the official name of the project has been polkit
     since 2012, and perhaps earlier.
   * d/patches: Use upstream's finalized patch for CVE-2021-4034.
     The patch that was provided to distributors under embargo was not the
     final version: it used a different exit status, and made an attempt to
     show help. The version that was actually committed after the embargo
     period ended interprets argc == 0 as an attack rather than a mistake,
     and does not attempt to show the help message.
   * d/patches: Move Debian-specific patches to d/p/debian/.
     This makes it clearer that these are not intended to go upstream.
   * Split policykit-1 into polkitd and pkexec packages.
     pkexec is a setuid program, which makes it a higher security risk than
     the more typical IPC-based uses of polkit. If we separate out pkexec
     into its own package, then only packages that rely on being able to run
     pkexec will have to depend on it, reducing attack surface for users
     who are able to remove the pkexec package.
   * Reinstate the .pkla backend as a separate binary package.
     Upstream polkit switched its authorization rule syntax from .ini-style
     .pkla files to JavaScript in version 0.106. Debian has historically used
     a fork of the last .pkla-based version, but this was becoming
     unsustainable: bug fixes from subsequent upstream versions were either
     applied as patches, or missing from the Debian package.
     The "local authority" code that implements .pkla files is not actually
     all that large, so patching it into a modern upstream version is a
     much smaller task than patching modern upstream bug fixes into an old
     upstream version.
     For this upload to experimental, keep both the JavaScript backend and the
     .pkla backend intact, by compiling polkitd twice with different options.
     This lets us preserve existing functionality of upstream and experimental
     polkit (with the more powerful JavaScript-based rules, which can base
     their authorization decisions on service-specific information like the
     name of a systemd unit), while also having the opportunity to evaluate
     polkitd-pkla as a more direct replacement for what's in bookworm.
   * Adjust Lintian override syntax
   * Add Debian-specific man pages for polkitd-pkla
   * d/copyright: Update
   * Always configure the sudo group as root-equivalent.
     This avoids Debian derivatives getting an unexpected change in behaviour
     when they switch from inheriting Debian's policykit-1 package to
     building their own policykit-1 package, perhaps as a result of wanting
     to apply an unrelated patch.
     The sudo group is defined to be root-equivalent in base-passwd, so this
     should be equally true for all Debian derivatives.
     (Closes: utopia-team/polkit!3; thanks to Arnaud Rebillout)
 .
 policykit-1 (0.120-3) experimental; urgency=high
 .
   * d/p/Avoid-local-privilege-escalation-in-polkit-s-pkexec.patch:
     Apply embargoed patch for local privilege escalation (CVE-2021-4034)
 .
 policykit-1 (0.120-2) experimental; urgency=medium
 .
   * d/rules: Extend timeout for unit tests.
     Meson's default 30 second timeout is uncomfortably short even on x86,
     and too short on e.g. mips.
 .
 policykit-1 (0.120-1) experimental; urgency=medium
 .
   * New upstream release
   * Drop patches that were applied upstream
   * Depend on default-dbus-system-bus | dbus-system-bus instead of dbus.
     We need the system bus: let's be specific about that. This will allow
     dbus-broker to be substituted for dbus, if desired.
   * Build-depend on dbus-daemon instead of dbus.
     We only need dbus-run-session at build time; we don't need a
     fully-working system bus.
   * debian/missing/docs: Remove extra copy of documentation.
     This is in the new upstream release.
     - d/source/include-binaries: Remove, no longer needed
   * d/p/Don-t-pass-positional-parameters-to-i18n.merge_file.patch:
     Add patch to fix FTBFS with Meson 0.60.0
   * Standards-Version: 4.6.0 (no changes required)
   * Use d/watch format version 4
 .
 policykit-1 (0.119-1) experimental; urgency=medium
 .
   * New upstream release
     - Fixes local privilege escalation involving
       polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
       (Closes: #989429)
   * d/missing, d/rules: Work around missing docs/polkit/overview.xml etc.
     in 0.119 tarball
   * Build using Meson
   * d/p/build-Remove-redundant-computation-of-dbus-data-directory.patch,
     d/p/build-Don-t-require-dbus-development-files.patch,
     d/p/meson_post_install-Use-geteuid-instead-of-getpass.patch,
     d/p/meson_post_install-Don-t-fail-if-the-polkitd-user-doesn-t.patch,
     d/p/meson_post_install-If-installation-steps-are-skipped-say-.patch,
     d/p/meson_post_install-Don-t-install-pkexec-group-writable.patch,
     d/p/meson_post_install-Don-t-make-programs-setuid-if-we-are-n.patch,
     d/p/meson_post_install-Respect-DESTDIR-for-absolute-paths.patch,
     d/p/build-Make-the-directory-for-helper-executables-consisten.patch:
     Add some patches to improve the Meson build system
   * d/missing, d/rules: Get mocklibc into the right layout for the build
   * Stop providing static libraries.
     The Meson build infrastructure only supports shared libraries, and the
     static libraries built by Autotools were already not particularly
     useful, because they indirectly depend on the libmount shared library.
 .
 policykit-1 (0.118-2) experimental; urgency=medium
 .
   [ Helmut Grohne ]
   * Annotate Build-Depends: dbus <!nocheck> (Closes: #980998)
 .
   [ Michael Biebl ]
   * Remove old maintscript migration code from pre-oldstable
   * Use --restart-after-upgrade.
     With debhelper 13.1, --no-start will disable --restart-after-upgrade.
     Since we want the service to be restarted on upgrades, request that
     explicitly.
     See #959678
 .
   [ Simon McVittie ]
   * d/rules: Remove --libexecdir override.
     This has no practical effect: the upstream build system no longer uses
     the libexec directory.
   * d/rules: Remove redundant dh_missing --fail-missing override.
     This is the default in dh compat level 13.
 .
 policykit-1 (0.118-1) experimental; urgency=medium
 .
   * New upstream release
     - Drop patch that was applied upstream
   * d/control: Update build-dependency to mozjs78
 .
 policykit-1 (0.117-1) experimental; urgency=medium
 .
   * New upstream release
   * Rebase patches
   * Bump Standards-Version to 4.5.0
   * Add polkitbackendjsauthoritytest-wrapper.py to release tarball
   * Add python3-dbusmock to Build-Depends and mark it <!nocheck>.
     Required by test/polkitbackend/polkitbackendjsauthoritytest-wrapper.py
   * Bump debhelper-compat to 13
   * Add symlink for polkit-agent-helper-1 after the move to /usr/libexec.
     Support upgrades from 0.105-27 (and later versions in unstable), which
     moved the private binaries from /usr/lib/policykit-1 to /usr/libexec.
     (Closes: #965210)
 .
 policykit-1 (0.116-3) experimental; urgency=medium
 .
   * Team upload.
   * Port to mozjs-68 (Closes: #961279)
 .
 policykit-1 (0.116-2) experimental; urgency=medium
 .
   [ Mark Hindley ]
   * Depend on new virtual packages default-logind and logind
     (Closes: #923240)
 .
   [ Simon McVittie ]
   * d/*.symbols: Add Build-Depends-Package metadata
   * d/policykit-1.lintian-overrides: Override systemd unit false positives.
     The systemd unit is only for on-demand D-Bus activation, and is not
     intended to be started during boot, so an [Install] section and a
     parallel LSB init script are not necessary.
   * d/policykit-1.bug-control: Add systemd, elogind versions to bug reports.
     reportbug doesn't currently seem to interpret
     "Depends: default-logind | logind" as implying that it should include
     the version number of the package that Provides logind in bug reports.
     Workaround for #934472.
   * Standards-Version: 4.4.0 (no changes required)
   * Switch to debhelper-compat 12
 .
 policykit-1 (0.116-1) experimental; urgency=medium
 .
   * New upstream release
     - Document polkit_subject_equal() as unsuitable for security decisions
       (CVE-2019-6133)
     - Allow process uid to be unset again, fixing a regression in the
       solution for #915332
     - Port the JS authority to mozjs-60 (Closes: #917309)
     - Fix some resource leaks
     - Documentation and debug message fixes
   * Drop patch for #915332, applied upstream
   * Standards-Version: 4.3.0 (no changes required)
   * Set experimental branch in Vcs-Git
   * Change the policykit-1 package from Architecture: any to
     Architecture: linux-any, and remove the consolekit [!linux-any]
     dependency. polkit no longer has any backends for non-Linux.
     (Closes: #918446)
 .
 policykit-1 (0.115-3) experimental; urgency=medium
 .
   * Allow negative uids/gids in PolkitUnixUser and Group objects.
     Fixes a vulnerability in PolicyKit that allows a user with a uid greater
     than INT_MAX to successfully execute arbitrary polkit actions.
     (CVE-2018-19788, Closes: #915332)
 .
 policykit-1 (0.115-2) experimental; urgency=medium
 .
   [ Simon McVittie ]
   * d/gbp.conf: Set patch-numbers to false to match current practice
 .
   [ Michael Biebl ]
   * Switch to dh_missing and abort on uninstalled files
   * Move D-Bus policy file to /usr/share/dbus-1/system.d/
     To better support stateless systems with an empty /etc, the old location
     in /etc/dbus-1/system.d/ should only be used for local admin changes.
     Package provided D-Bus policy files are supposed to be installed in
     /usr/share/dbus-1/system.d/.
     This is supported since dbus 1.9.18.
   * Remove obsolete conffile
     /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf on upgrades
   * Bump Standards-Version to 4.2.1
   * Remove Breaks for versions older than oldstable
   * Stop masking polkit.service during the upgrade process.
     This is no longer necessary with the D-Bus policy file being installed
     in /usr/share/dbus-1/system.d/. (Closes: #902474)
   * Use dh_installsystemd to restart polkit.service after an upgrade.
     This replaces a good deal of hand-written maintscript code.
   * Remove upgrade code which changes the home directory of the polkitd user
 .
 policykit-1 (0.115-1) experimental; urgency=medium
 .
   * New upstream version 0.115
     - Fixes CVE-2018-1116 (Closes: #903563)
     - d/p/jsauthority-pass-s-format-string-to-remaining-report.patch:
       Drop, applied upstream
   * d/watch: Use https
   * d/watch: Download upstream PGP signatures
   * debian/upstream/signing-key.asc: Add public keys for Ray Strode,
     Miloslav Trmac, David Zeuthen
   * d/gbp.conf: Merge upstream tags into the upstream branch
   * Add myself to Uploaders
   * d/libpolkit-gobject-1-0.symbols: Update for new semi-private ABI
   * d/rules: Skip build-time tests if DEB_BUILD_OPTIONS=nocheck
   * Standards-Version: 4.1.5 (no changes required)
   * Set Rules-Requires-Root to no
 .
 policykit-1 (0.114-1) experimental; urgency=medium
 .
   [ Michael Biebl ]
   * New upstream version 0.114
   * Rebase patches
   * Switch to mozjs 52 (Closes: #863784)
   * Drop -Wl,--no-as-needed, no longer necessary
   * jsauthority: pass "%s" format string to remaining report function
   * Add Provides to gir1.2-polkit-1.0 to reflect its contents
 .
   [ Martin Pitt ]
   * debian/copyright: Use https URL for Format:
   * Update Vcs-* links for move to salsa.debian.org.
   * Move to debhelper compat level 10.
     Remove explicit dh-autoreconf, it's now done by default.
   * Bump Standards-Version to 4.1.3
   * Add autopkgtest.
     This covers the pkaction and pkcheck CLI tools.
 .
 policykit-1 (0.113-6) experimental; urgency=medium
 .
   * master/Add-gettext-support-for-.policy-files.patch: Backport from master:
     Add .loc and .its files so that gettext can be used to translate policy
     files. Some upstreams, particularly those that are switching to meson,
     expect these files to be present so that their PK policy files can be
     translated. (Closes: #863207)
 .
 policykit-1 (0.113-5) experimental; urgency=medium
 .
   [ Simon McVittie ]
   * Build-depend on intltool instead of relying on gtk-doc-tools'
     dependency (Closes: #837846)
 .
   [ Michael Biebl ]
   * Use https:// for the upstream homepage.
   * Update Vcs-Browser to use cgit.
   * Drop the polkitd.service Alias. The version in unstable, based on 0.105,
     now also uses the name polkit.service for the systemd service unit.
 .
   [ Martin Pitt ]
   * Use PAM's common-session-noninteractive modules for pkexec instead of
     common-session. The latter also runs pam_systemd (the only difference
     normally) which is a no-op under the classic session-centric
     D-BUS/graphical login model (as it won't start a new one if it is already
     running within a logind session), but very expensive when using
     dbus-user-session and being called from a service that runs outside the
     PAM session. This causes long delays in e. g. gnome-settings-daemon's
     backlight helpers. (LP: #1626651)
 .
 policykit-1 (0.113-4) experimental; urgency=medium
 .
   [ Simon McVittie ]
   * Run tests with a session bus pretending to be the system bus,
     so they can pass in a buildd environment
 .
   [ Michael Biebl ]
   * Create our custom rules files in debian/tmp so we don't FTBFS for
     binary-indep builds and run dh_install after that.
   * Run wrap-and-sort -ast.
   * Bump Standards-Version to 3.9.8.
 .
 policykit-1 (0.113-3) experimental; urgency=medium
 .
   * Generate tight inter-package dependencies.
     This ensures that everything from the same source package is upgraded in
     lockstep. (Closes: #817998)
   * Drop obsolete Breaks from pre-wheezy.
 .
 policykit-1 (0.113-2) experimental; urgency=medium
 .
   [ Simon McVittie ]
   * policykit-1.links: statically alias polkit.service (upstream's name)
     as polkitd.service (Debian's historical name)
 .
   [ Martin Pitt ]
   * debian/policykit-1.{pre,post}inst: Temporarily mask polkit.service while
     policykit-1 is unpackaged but not yet configured. During that time we
     don't yet have our D-Bus policy in /etc so that polkitd cannot work yet.
     This can be dropped once the D-Bus policy moves to /usr.
     (Closes: #794723, LP: #1447654)
 .
 policykit-1 (0.113-1) experimental; urgency=medium
 .
   * Team upload.
 .
   [ Martin Pitt ]
   * policykit-1.postinst: Don't kill polkitd under systemd, but properly
     restart it. This avoids killing it shortly after systemd tries to
     bus-activate it on installation. (LP: #1447654)
 .
   [ Simon McVittie ]
   * Disable silent build rules. (Previously done in Ubuntu, although
     it seems to have been lost in a merge somewhere.)
   * New upstream release
     - drop most patches: they either came from upstream, or have been
       merged upstream
     - add new function to symbols file
     - fixes CVE-2015-4625, CVE-2015-3218, CVE-2015-3255, CVE-2015-3256
   * Annotate remaining patches with a bit more information. They are:
     - 01_pam_polkit.patch: use Debian's common-* infrastructure,
       plus pam_env to get the global environment and locale.
       Debian-specific.
     - 02_gettext.patch: Use gettext to translate .policy files at
       runtime, allowing for Ubuntu-style language packs.
       Debian-specific (mainly for Ubuntu's benefit, really).
     - 05_revert-admin-identities-unix-group-wheel.patch: Debian does
       not use the "wheel" group like Red Hat derivatives do;
       treat uid 0 as the administrative identity instead.
       Debian-specific.
     - 08_chdir_root.patch: Explicitly use chdir("/") instead of
       relying on user's home in `getent passwd` being set properly.
       Potentially upstreamable?
   * policykit-1.postinst: restart polkit.service, not polkitd.service
     (which doesn't exist)
 .
 policykit-1 (0.112-5) experimental; urgency=medium
 .
   * Team upload.
   * Go back to mozjs 1.8.5, like the version in unstable: mozjs 17 has
     been removed from Debian, and mozjs 24 requires significant upstream
     changes and no longer has a C API (Closes: #776744)
   * Add a symlink so the old library can run the new agent helper
     (Closes: #699447)
   * Add patch from upstream to work around older versions of libpam-systemd
     which would give root processes the real uid's XDG_RUNTIME_DIR
     under su; it shouldn't be necessary any more, but is harmless
     (Closes: #772125)
   * Replace 03_complete_session.patch with a change from upstream
     which seems like a more correct solution for LP#445303, LP#649939
   * Add patches from upstream to treat background processes as part of
     the same uid's active GUI session if any, fixing use of
     dbus-user-session (Closes: #779988)
   * Add patches from upstream to fix some memory leaks (Closes: #775158,
     LP: #1417637)
   * Add patch from upstream to fix redundant removal of an event source
   * Add patch to use libsystemd instead of the libsystemd-login compat
     library (Closes: #779756)
 .
 policykit-1 (0.112-4) experimental; urgency=medium
 .
   [ Andreas Henriksson ]
   * Install typelib files into MA libdir.
 .
   [ Martin Pitt ]
   * Rebuild against libsystemd0. This drops the last remaining dependency to
     libsystemd-login0. (Closes: #771281)
   * Bump Standards-Version to 3.9.6 (no changes necessary).
 .
 policykit-1 (0.112-3) experimental; urgency=medium
 .
   * Team upload.
   * debian/rules: Really enable logind support on linux architectures only
   * debian/control: Use canonical VCS-* URL's
   * debian/control: Bump Standards-Version to 3.9.5 (no further changes)
   * debian/control: Depends against libpam-systemd instead of just systemd
   * debian/control: Add a Breaks against gdm3 (<< 3.8.4-7~) to ensure it
     registers a logind session properly (Closes: #745983)
   * debian/policykit-1.postinst: Explicitly set a home directory for the
     polkitd user (Closes: #748981)
 .
 policykit-1 (0.112-2) experimental; urgency=low
 .
   * Use logind on linux and consolekit on non-linux
   * Update to mozjs17
 .
 policykit-1 (0.112-1) experimental; urgency=low
 .
   * New upstream release.
     - Fixes CVE-2013-4288, unix-process subject for authorization is racy.
       (Closes: #723717)
   * Remove 00git_pkexec_pam_env.patch and 09_link_libmozjs.patch, both merged
     upstream.
   * Drop explicit Build-Depends on gir1.2-glib-2.0.
   * Bump Standards-Version to 3.9.4. No further changes.
 .
 policykit-1 (0.110-3) experimental; urgency=low
 .
   [ Martin Pitt ]
   * Add 00git_pkexec_pam_env.patch: pkexec: Set process environment from
     pam_getenvlist(). Backported from upstream git head.
   * 01_pam_polkit.patch: Adjust patch to invoke pam_env, so
     our global settings from /etc/default/locale are applied correctly.
     Thanks Steve Langasek!
 .
   [ Michael Biebl ]
   * Use gir addon instead of calling dh_girepository manually.
 .
 policykit-1 (0.110-2) experimental; urgency=low
 .
   * When cleaning up /etc/polkit-1/nullbackend.conf.d/ and
     /etc/polkit-1/localauthority.conf.d/ don't fail if those directories have
     already been removed. (Closes: #698085)
 .
 policykit-1 (0.110-1) experimental; urgency=low
 .
   * New upstream release.
   * Drop patches which have been merged upstream.
   * Drop debian/clean, no longer necessary.
 .
 policykit-1 (0.109-1) experimental; urgency=low
 .
   * New upstream release. (Closes: #689473)
   * Update Build-Depends:
     - Bump libglib2.0-dev to (>= 2.30.0).
     - Add libmozjs185-dev for the JS rules support.
   * Remove polkitbackend library.
   * Use systemd service file provided by upstream.
   * Reload systemd as the name of the .service file has changed.
   * Update policykit-1.install:
     - Private binaries have been moved to /usr/lib/polkit-1.
     - The extension system has been removed.
     - The .pkla files are gone and so is /var/lib/polkit-1.
   * Remove obsolete conffiles and the corresponding (empty) directories on
     upgrades.
   * Convert the old localauthority conf files to the new JavaScript based
     rules file format and make sure it is executed before 50-default.rules.
   * Refresh patches to apply without fuzz.
   * The polkitd daemon now runs as unprivileged polkitd user instead of root.
     Create this system user in postinst and change the directory permissions
     accordingly so the daemon has access to the rules files.
   * debian/patches/08_chdir_root.patch: Explicitly use chdir("/") instead of
     relying on $HOME being set properly.
   * Since /etc/polkit-1/rules.d/50-default.rules is a proper conffile, remove
     the comment from upstream that changes to that file are not preserved on
     upgrades. (Closes: #580634)
   * debian/patches/09_link_libmozjs.patch: Explicitly link against libmozjs,
     even if that library is dlopenend as we want to have a proper shlibs
     dependency.
   * Use --no-as-needed flag to ensure the linker doesn't remove the libmozjs
     dependency.
   * Use dh-autoreconf to update the build system.
   * Update the Homepage: field.
Checksums-Sha1:
 02ee6cc9ba9f70c0bcc90298326b48b35514d72f 3927 policykit-1_121+compat0.1-5.dsc
 6575d13f4bf7c37f8923f1183163a568466ec722 44416 policykit-1_121+compat0.1-5.debian.tar.xz
 b3350a69fe02af69741cf63d2e0e7aa6bd5d4726 8985 policykit-1_121+compat0.1-5_source.buildinfo
Checksums-Sha256:
 f979b82ac7fd9e52adc9004e21dda2e3131cb50f49f14b9f42c0c460d60ebd75 3927 policykit-1_121+compat0.1-5.dsc
 b9d86ccc91a3c10ef20d9782121583ead103bef1f6d814bc8be204eaf551f39a 44416 policykit-1_121+compat0.1-5.debian.tar.xz
 b1114f2ac4ebee214f18a96d10e079e89f0902b9d45f26fcca3bdec9ab70ca6a 8985 policykit-1_121+compat0.1-5_source.buildinfo
Files:
 036b99217424bf0d7d34e83f87c99350 3927 admin optional policykit-1_121+compat0.1-5.dsc
 f2c3c8e65b9dec7cff00bba6b3dc066c 44416 admin optional policykit-1_121+compat0.1-5.debian.tar.xz
 1d0897cc1cb8f882743ccb94bd1930ba 8985 admin optional policykit-1_121+compat0.1-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmNH4eAACgkQ4FrhR4+B
TE9aTQ//S5k4jd83Az/5wW2TwQaCyUriNEZn2ex1s+25JQYwuXUw9BIHpWhMBmps
ndpQxdUlvwtmuNDTbpA4BXWVRw6HC7b5s1QfcFzwiWSA7NX4dNQzUYPhUIh7Lyh4
WooJG8YSiUnwmYPYFEJeWORE97O087euzaZMHtS+C7u4KFUC30edel7X5Fz37YFK
U4he8Pl5TAhqGHPWE21iJQBGUVvJmeeYUDeXmiyWzOyfgdtjQfBV28eIx/Nu7q8j
Z1X2EoeCg2NGxkOzI0mj/i7FhXOHPVtoqQ1adqk645tmUEOzgKtAwYGieytXDLvw
aD6YG2DUEZfcyAGNuYABWFJpiG2jMOGbw8jm/5YxYgQWorDz0J5LI5EUhxHFF1jr
rSSTNk8OytfEIJBBAFV5URiLLKQdBfEVpk481FZ5UBgLCpfO1NN6RO5ULoz13kjE
RbtlbrD/wuwS/8TqYE6qMBwOxCRkIKzHsXUPoJN4ssVIkHlciB6Su+B2fuclLbR4
EcYr7bOCjeRU0fCCRxG6nEcZFTx44+P3JP1cqsabyElnraSDuOkaf1qe9wV3ejHn
K9zvBZuTOl06OILiIL5u+ypvBHmOTDqZ+u3T1/03OpRs4iuY6YvWddnjijpYftKr
CrmEy9/Ve+cQ7FTOUuASEEb67Km/P5jPZ75sR2b/WJQrCPuGOis=
=J1nY
-----END PGP SIGNATURE-----