Upgrade note for kscreenlocker to Plasma 5.10
mgraesslin at kde.org
Wed Mar 8 18:50:40 UTC 2017
I'm currently planning to change the interaction between
kscreenlocker_greet and kcheckpass. As a result a kscreenlocker_greet
started in Plasma 5.9 won't be able to unlock with a kcheckpass from
Plasma 5.10. This is a situation which could happen during an upgrade.
Kcheckpass gets invoked when trying to unlock, so an upgrade while the
session is locked could result in this situation.
There are two solutions to the problem which might need a small change
for your packaging:
1) Perform offline updates for the upgrade (my preferred solution)
2) send SIGTERM to any running kscreenlocker_greet after installing
kcheckpass. This will trigger a restart of kscreenlocker_greet which is
then also from Plasma 5.10 and thus will work.
This change will happen pretty soon, so if you provide developer builds
(looking at Neon, Argon and friends ;-) ), please consider this. I
intend to push the changes on Monday next week. For the Plasma 5.10
cycle more such changes might happen.
In case you wonder why I change what isn't broken: I'm working on
integrating libseccomp into kscreenlocker_greet and for that I need to
change the interaction to kcheckpass as I want to forbid fork+exec and
kcheckpass needs to be started prior to activating seccomp as kcheckpass
calls a setuid binary of PAM which wouldn't work with seccomp enabled.
Thus some changes are needed.
Which is another heads-up: kscreenlocker will most likely get a new
optional dependency to libseccomp. I encourage all distributions to
enable this dependency. It will only be available if kcheckpass is not
setuid, that is if PAM is used. Given that I encourage all distributions
which are not yet using PAM to migrate to PAM.
More information about the Distributions