Hi Maxime!

> Is there any specific reason that bitmask must be added to the profile?
> On a multi-user system, not all users might be interested in bitmask,
> and do not need it in their "PATH".
> 
> I prefer only adding packages that are explicitely in the ‘packages’
> field of 'operating-system' to the system profile.
> 
> One possible reason could be that the polkit policy whitelists a few
> binaries, say, /gnu/store/aaa-bitmask/sbin/stuff, so
> "pkexec stuff" (equivalent to "pkexec /gnu/store/aaa-bitmask/sbin/stuff")
> doesn't require special permissions or a password of any kind.
> 
> However, if the user has a slightly different version of bitmask
> in their profile, then the store path will be different
> (/gnu/store/bbb-bitmask/sbin/stuff), then "pkexec stuff" will try
> to use the not-authorised version, which will require passwords
> or such.
Yes, that's the reason I am adding it to the profile.

I thought of patching the policy file to refer to 
/run/current-system/profile/sbin/bitmask-root, but that would also 
require bitmask to be in system profile.

Btw, the upstream is planning on removing dependency on polkit. When 
they get there, I'll remove this service-type.

> (TODO to self: modify "pkexec" to support an --action-id argument,
> in order to avoid store paths ...)

Yeah, good idea.

Regards,
RG.