On Sat, Oct 15, 2011 at 07:50:42PM -0400, Michael Gilbert wrote:
> Josh Triplett wrote:
> > > shouldn't necessarily be viewed as some kind of security lapse
> > > (especially since the screen is going to lock after some timeout
> > > anyway).
> >
> > "immediately" versus "after several minutes" makes a big difference.
>
> Once the user becomes familiar with the changed behavior, they will
> make appropriate behavioral changes; that doesn't mean the screen
> locking security model is broken, it's just different.

The user won't discover the changed behavior until after the first time
they close the lid, potentially walk away from their system, and come
back to find it still completely unlocked. That should not happen even once.

> > > As a counter-point, xscreensaver does not automatically lock on lid
> > > close either, and isn't expected to do so, so such behavior need not be
> > > considered as a security issue. I guess what I'm saying is that lid
> > > close screen locking has in the past been a choice left up to the user,
> > > so there's no reason to consider the same behavior as a security issue
> > > now.
> >
> > The regression makes it a security issue. gnome-screensaver previously
> > locked on lid close, and now it doesn't. It doesn't matter what
> > xscreensaver does, or what gnome-screensaver does in different
> > configurations.
>
> The regression may certainly be a bug, and that's a fine thing to track.
> The xscreensaver and gnome-screensaver security models are identical,
> and the screen does not have to be locked on close in either. That's an
> option for the user to choose if they like something like that.

The screen does not *have* to be locked, no. The user may choose to have
the screen locked (which to the best of my knowledge represents the
default configuration for gnome-screensaver/gnome-power-manager). If
the user *does* choose such a configuration, then a regression in that
behavior without any warning opens a hole in the user's security. Even
*with* warning it seems problematic, but perhaps not quite as serious.

- Josh Triplett