[arch-general] drop slim in favor of lightdm
Hello everybody, slim has some known security weaknesses (for example it has no separate greeter process thus the graphical interface is running with super user privileges) and a lot of open bugs. Additionally it does not support latest packages (consolekit and friends) out of the box. Though lately the SVN got some commits and a new version has been released the arch package has not been updated since it was flagged out of date in February. I propose to drop slim from [extra] and replace it with lightdm and lightdm-gtk-greeter. This is a very active project with responsive upstream developer. Security is a key feature and it integrates with latest desktop techniques really well. The AUR package for lightdm has 259 votes at the time of writing. Any thoughts on that? -- main(a,b){char*/* Schoene Gruesse */c="B?IJj;M" "EHCX:;";for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
I propose to drop slim from [extra] and replace it with lightdm and
Am 08.05.2012 03:35, schrieb Christian Hesse: lightdm-gtk-greeter. Why not just provide both?
John Hutchison <heimdal@athetius.com> on Tue, 2012/05/08 03:53:
I would be just fine with that. ;) Though it is not a good idea to ship packages with security flaws in general. -- main(a,b){char*/* Schoene Gruesse */c="B?IJj;M" "EHCX:;";for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
Maintaining slim doen't seem a big effort; I'd stay with lightdm *and* slim in [extra]. 2012/5/8 Christian Hesse <list@eworm.de>
[2012-05-08 11:37:06 +0200] Alessio 'Blaster' Biancalana:
Maintaining slim doen't seem a big effort;
Great. Then you can do just that in the AUR. -- Gaetan
2012/5/8 Gaetan Bisson <bisson@archlinux.org>
I'd like to have a pre-compiled package, as I'm very lazy :D It's a nice software, maybe moving it to [community] is the best 'in medio stat virtus' approach. Otherwise, I'll be glad to maintain it in the AUR ;)
On 08/05/12 18:35, Christian Hesse wrote:
https://bugs.archlinux.org/index.php?string=slim Seems to be a severe lack of bug reports made if there are so many issues with it... Allan
Allan McRae <allan@archlinux.org> on Tue, 2012/05/08 19:14:
The upstream bug tracker [0] has a lot more... And for some of them patches exist [1] but never got included. However, I would not mind to keep it. But I vote for moving lightdm to [extra] or [community] as well. [0] http://developer.berlios.de/bugs/?group_id=2663 [1] http://developer.berlios.de/patch/?group_id=2663 -- main(a,b){char*/* Schoene Gruesse */c="B?IJj;M" "EHCX:;";for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
On 05/08/2012 06:28 AM, Nicholas MIller wrote:
For me slim especially since the new version has been great! Very light weight. Though not sure why the new version has not been pushed through the repos yet, it has been flagged out of date for awhile. I posted a PKGBUILD and I have seen 2 other's but there seems to be no interest in updating it to solve most of the security issues as well as other fixes that are in the current release. I would say include both AND update slim to it's recent version.
On Tue, 8 May 2012 10:35:50 +0200 Christian Hesse <list@eworm.de> wrote:
In the past I had a problem with the package not honouring my localization & keyboard setting. Has it been resolved now? That's the reason why we stayed with lxdm. Sincerely, Gour -- In the material world, one who is unaffected by whatever good or evil he may obtain, neither praising it nor despising it, is firmly fixed in perfect knowledge. http://atmarama.net | Hlapicina (Croatia) | GPG: 52B5C810
On Tue, May 8, 2012 at 10:35 AM, Christian Hesse <list@eworm.de> wrote:
Any thoughts on that?
I was interested by your suggestion as slim user since 2 years. Consolekit integration (and my ugly workaround) is my only issue with it. So i took the time to test this light login manager, and my conclusion is : It's not light. There are dependencies to gtk3 and qt without any greeter installed. gtk greater needs gnome-common, kde greater needs kdelibs, so if I have to use kde or gnome i would look to kdm or gdm instead of a not so light lightdm. I don't think we can compare slim and lightdm ! I tested xdm (with xdm-arch-theme), it's light and have consolekit integration. Tobias has just released slim with consolekit integration and it works great (except for the omission of removing pam ck connector). Cheers, -- Sébastien Luttringer www.seblu.net
Am 08.05.2012 17:53, schrieb Seblu:
And done removed it from the pam file. Everything should now work and i can only confirm lightdm is not light at all! greetings tpowa -- Tobias Powalowski Archlinux Developer & Package Maintainer (tpowa) http://www.archlinux.org tpowa@archlinux.org
On 05/08/2012 09:53 AM, Seblu wrote:
I don't think those deps in the AUR are correct. You can ship lightdm without the libraries in which case it won't depend on the graphical libs. I think some other distributions ship the lightdm binary itself, then have separate packages for the greeter libs. Also, I have the gtk greeter installed and no gnome-common, just gtk3 and glib2. Right now the biggest issue with LightDM IMO is that it uses AccountsService -- if installed -- with no config to force it's own users.conf file.
Christian Hesse <list@eworm.de> on Tue, 2012/05/08 10:35:
Any thoughts on that?
Ok, some notes from myself... There were two reasons why I did not use lxdm: * I thought it did not work with challenge response authentication via pam. Obviously this is not true: You can enter the password only only, but it is tested for every pam prompt. So I can enter unix password or oath token - both work. The only "problem" is that it does not show the pam message ("One-time password (OATH) for ..." - but I can live with that. * I had trouble interactively selecting a session from lxdm. It took me some time to find the cause: The greeter did not give session type to lxdm when no language selection dropdown was shown. I fixed that (see https://bugs.archlinux.org/task/29814), now everything works fine. Additionally it seems to fix a problem with mouse cursor... So for now I will stick with lxdm I think. Thus I am fine with not having lightdm in the official repos. -- main(a,b){char*/* Schoene Gruesse */c="B?IJj;M" "EHCX:;";for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
Op 9 mei 2012 15:59 schreef "Christian Hesse" <list@eworm.de> het volgende:
[...] Just being curious, but wasn't it lxdm that caused a bit of a security stir in Ubuntu and others? I haven't checked the Arch package, but i understood that it creates a guest user by default. From what i understand, it's bit even a system user, but a built-in account in lxdm. Then again; i could be wrong and mixing dm's here... mvg, Guus
participants (13)
-
Alessio 'Blaster' Biancalana
-
Allan McRae
-
Christian Hesse
-
Don deJuan
-
Gaetan Bisson
-
Gour
-
Guus Snijders
-
John Hutchison
-
Matthew Monaco
-
Nicholas MIller
-
Seblu
-
Stephen E. Baker
-
Tobias Powalowski