[KDE4] what component does the screenlocking?

Martin Gräßlin mgraesslin at kde.org
Sun Mar 5 16:57:41 UTC 2017


On 2017-03-05 09:32, René J. V. Bertin wrote:
> Kai Uwe Broulik wrote:
> 
>> Turn the screen off. Problem solved.
> 
> Sure, that's why I use computers, to have to remember myself to do
> everything by hand... I'd suggest to remove all current hooks into power
> management too if that's the prevalent mindset - just turn the computer
> off. Problem solved.
> 
> At least that'll work with laptops and all-in-ones too.
> 
> O-)
> 
> 
> I'll keep using xscreensaver but may come back to that topic after some
> more testing.

Given what you want to have, I strongly suggest sticking to xss. We will 
definitely not add back support for xss hacks nor for starting the 
locker without requiring a password. If you want those two features, stay 
with xss. As an alternative you can write a dedicated application to do 
this just without any authorization. Just a fullscreen application 
rendering the xss hack.

For anyone wondering: I want to keep the Lockscreen as stupid and simple 
as possible. It has two tasks: preventing unauthorized access to the 
system and to be secure. Xss hacks violate both these conditions. The 
possibility to not require a password clearly violates the preventing 
unauthorized access condition. And xss hacks in general complicate the 
setup so that guaranteeing the secure aspect becomes difficult. There 
are xss hacks which also violate the unauthorized access condition by 
using the desktop in a distorted way. That is something our Lockscreen 
architecture prevents. To support this we would have to add a backdoor 
to the architecture. So overall absolutely not acceptable.

Also in kde4 times the xss hacks took a completely different code path - 
basically two different applications.

Cheers
Martin


More information about the Plasma-devel mailing list