The Fedora policies e.g.
should be included in the polkit tarball with a note that these are the suggested policies that downstreams are suggested to use but that they are free to modify anything they want (e.g. change the 'wheel' group name or the defaults).
OK, this commit
is for the 'wheel' part of this change. As noted in NEWS, see
distributors who insist on being different can patch it out themselves.
For the other part, e.g.
[Wheel Group Permissions]
that gives extra powers to members in 'wheel', I'm not so sure about.
I think the answer here is that the mechanisms should be more lenient and just
use ResultActive=yes instead of insisting that authentication is needed even
for mundane tasks ... after all, this is for users at the local console (of
course, paranoid security-minded distros can lock down as they see fit).
So for now I'm just going to nuke that stanza in the Fedora policy and if there
are complaints about annoying authentication attempts, I'm just going to punt
that to the Mechnanisms.
As such, I consider this bug fixed.