Nicolas:

> Sure. I believe it should be possible to write a portable screen lock
> program that fits either model. In particular, it should be possible
> for a screen lock program that fits the Solaris model to run fine on
> Linux.

Indeed. There are indeed some use cases where running the lock screen using our model on Linux would have uses, since there are some Linux PAM modules that are available for Linux, but which don't yet work with their model.

The gnome-screensaver maintainer said that he would accept a well written patch that added the ability to split the screensaver into two processes, one running the GUI and a daemon talking to PAM with authorization, much like we already do with xscreensaver. So really this PAM issue is a non-issue. We just need to make it possible to configure gnome-screensaver this way to move forward. Since the gnome-screensaver author loves D-Bus, I suspect he would want the IPC communication mechanism to be D-Bus, which seems reasonable.

The area where things get more fuzzy is how to address the Xauth snooping issue. The current lock screen programs do not address this problem, so perhaps we should just go ahead and migrate to gnome-screensaver. Maybe it will be more clear how to address this Xauth problem at some future date. This might be reasonable since there is the general problem of programs asking for passwords in GUIs (thunderbird, evolution, GAIM, etc.) and no mechanisms to protect these from snooping. I know there is talk about fixing this problem more directly in the Xserver at some point.

However, if it is a requirement to meet all Trusted Path requirements to switch to a new screensaver program (as Gary seems to suggest), then we might be in a situation where we are stuck using the existing broken xscreensaver until we figure out a solution to this problem.

Brian