Upgrade note for kscreenlocker to Plasma 5.10

Martin Gräßlin mgraesslin at kde.org
Wed Mar 8 18:50:40 UTC 2017


Hi distributions,

I'm currently planning to change the interaction between 
kscreenlocker_greet and kcheckpass. As a result, a kscreenlocker_greet 
started in Plasma 5.9 won't be able to unlock with a kcheckpass from 
Plasma 5.10. This is a situation which could happen during an upgrade. 
Kcheckpass gets invoked when trying to unlock, so an upgrade while the 
session is locked could result in this situation.

There are two solutions to the problem which might need a small change 
for your packaging:
1) Perform offline updates for the upgrade (my preferred solution)
2) Send SIGTERM to any running kscreenlocker_greet after installing 
kcheckpass. This will trigger a restart of kscreenlocker_greet which is 
then also from Plasma 5.10 and thus will work.

This change will happen pretty soon, so if you provide developer builds 
(looking at Neon, Argon and friends ;-) ), please consider this. I 
intend to push the changes on Monday next week. For the Plasma 5.10 
cycle more such changes might happen.

In case you wonder why I change what isn't broken: I'm working on 
integrating libseccomp into kscreenlocker_greet and for that I need to 
change the interaction with kcheckpass, as I want to forbid fork+exec, and 
kcheckpass needs to be started prior to activating seccomp, as kcheckpass 
calls a setuid binary of PAM which wouldn't work with seccomp enabled. 
Thus some changes are needed.

Which is another heads-up: kscreenlocker will most likely get a new 
optional dependency to libseccomp. I encourage all distributions to 
enable this dependency. It will only be available if kcheckpass is not 
setuid, that is, if PAM is used. Given that, I encourage all distributions 
which are not yet using PAM to migrate to PAM.

Cheers
Martin
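
For packagers taking option 2 in the message above, a post-install helper could look like the following; this is an added example, not code from the original message or from KDE. The function names are hypothetical, and the only facts taken from the message are the process name kscreenlocker_greet and that SIGTERM triggers its restart.

```shell
#!/bin/sh
# Added example (not KDE's code): locate running kscreenlocker_greet
# processes and send them SIGTERM after the new kcheckpass is installed.
# Meant to run as root from a post-install script, since reading another
# user's /proc/<pid>/exe needs privileges.

GREETER=kscreenlocker_greet
# The kernel truncates /proc/<pid>/comm to 15 characters, so the 19-character
# greeter name never appears there in full ("kscreenlocker_g").
GREETER_COMM=$(printf '%.15s' "$GREETER")

# Print the PIDs found under $1 (default: /proc) whose executable is the
# greeter. The directory argument exists so the matcher can be run against
# a constructed tree.
find_greeters() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # Cheap pre-filter on the truncated name.
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        [ "$comm" = "$GREETER_COMM" ] || continue
        # Confirm with the full executable name. Once the package has
        # replaced the binary on disk, the link target of a still-running
        # greeter ends in " (deleted)".
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        exe=${exe% (deleted)}
        [ "${exe##*/}" = "$GREETER" ] && echo "${dir##*/}"
    done
    return 0
}

# Send SIGTERM to every greeter found. A process that exited in the
# meantime is not an error for the package installation.
restart_greeters() {
    for pid in $(find_greeters "$@"); do
        kill -TERM "$pid" 2>/dev/null || true
    done
}
```

Call `restart_greeters` from the post-install step only after the new kcheckpass is in place, so that the restarted greeter pairs with it.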

