| === TheMaster is now known as Unit193 | ||
| hallyn | say, anyone here very well versed in the translation stack? xlm2po and itstool and such? | 14:43 |
|---|---|---|
| hallyn | Pieces of the german manpages for shadow are coming out untranslated, and i've not yet figured out why. but it's all black magic to me | 14:44 |
| rbasak | hallyn: try #ubuntu-devel maybe? Gunnar is the person I'd ask but it doesn't look like he's online right now. | 15:08 |
| BloatJanitor | Why isn't the default for smartcards to lock on removal? | 15:16 |
| leosilva | sarnold: do you have a design answer for that question ^ | 15:27 |
| BloatJanitor | That is Gnome's default but it seems the default doesn't make much sense for people that actually use the feature. | 15:42 |
| JanC | it depends on who uses it for what, I suppose | 15:42 |
| BloatJanitor | The other option listed is forced-logout. I just don't see an actual usecase where you wouldn't want one of the two action behaviors. | 15:48 |
| JanC | BloatJanitor: I agree that a automatic lockscreen makes a lot of sense; probably best file a bug upstream with Gnome about that | 16:33 |
| JanC | but I assume some people just want to use a smartcard to login, but also be able to keep using their system while using the smartcard for something else (at home or in another place where everyone is trusted, I suppose) | 16:37 |
| JanC | maybe the default is just because it's less likely to lock you out of your system in case something is flaky or otherwise doesn't work well... | 16:39 |
| BloatJanitor | I only mention it because I haven't see a single guide, STIG or otherwise that doesn't have it changed to lock or logout | 16:47 |
| BloatJanitor | (For using smartcards on linux on gnome) | 16:47 |
| BloatJanitor | Even healthcare and education guides are mentioning it | 16:48 |
| JanC | BloatJanitor: maybe that's why they don't make it default: people who really need it in a professional setting probably already know how to configure that, while tinkering home users won't be locked out of their account as easily? | 17:08 |
| BloatJanitor | Doesn't that happen anyways by... not having a smartcard? | 17:10 |
| BloatJanitor | The userbase of smartcards is prosumer or professional use by default. Does a single consumer PC exist with a builtin smartcard reader? | 17:12 |
| JanC | everyone in Belgium & several other EU countries has a smartcard (ID cards are smartcards) | 17:12 |
| BloatJanitor | By that rationale my credit card is a smartcard | 17:13 |
| JanC | and you need that to file your taxes, access healthcare/social security etc. | 17:13 |
| JanC | so most people here have a smartcard reader too | 17:13 |
| BloatJanitor | So explain the usecase. Your browser USB API connects to the reader to login to health data CRM? | 17:14 |
| BloatJanitor | Mind, this is specifically about login tied smartcards | 17:15 |
| BloatJanitor | https://github.com/GNOME/gnome-settings-daemon/blob/master/plugins/smartcard/gsd-smartcard-manager.c | 17:15 |
| JanC | there is a browser security plugin that can access the certificate on the card after you enter a PIN, but you can also use it for login to your desktop (most people don't do that, but I could see some trying it...) | 17:16 |
| BloatJanitor | So wouldn't you want to secure said user who chooses an extra layer of security as a sub-niche of a sub-niche of a sub-niche? After all If they login and look up their health data then looking at their driving renewal, that would be a single use instead of three times? | 17:18 |
| JanC | the browser is separate from the Gnome login | 17:19 |
| BloatJanitor | Which is exactly my point | 17:19 |
| BloatJanitor | If you're using both it matters. If you're using one it doesn't. | 17:19 |
| JanC | the browser plugin drops the certificate when the card disappears, so that is secure (now) | 17:21 |
| BloatJanitor | Which has what do to with the login? | 17:22 |
| JanC | anyway, you betetr ask Gnome upstream for their motivations, I'm just giving you possible reasons of why the default is like it is now | 17:24 |
| BloatJanitor | If you're using a smartcard to login, there is a rational or irrational reason to fear your environment by default in non-compliance conditions. | 17:24 |
| JanC | I just know some people configured it to login using their eID—mostly because they could, not because they have to—but they might not necessarily want the card in the slot all the time :) | 17:24 |
| JanC | and those people don't have any compliance to care about | 17:24 |
| BloatJanitor | Can you come up with a usecase in which they wouldn't while also needing to use the computer? | 17:25 |
| JanC | many, but they all involve people who don't really require smartcards (for compliance/security reasons) | 17:34 |
| JanC | e.g. if I would set up a system at home to log in using my eID/smartcard, I would want to be able to put away my eID in my wallet immediately, so that I don't forget it when leaving the house :) | 17:35 |
| JanC | but again: for the actual reasoning about the default, ask upstream | 17:36 |
| JanC | maybe if your smartcard reader has a habit of going to sleep or reset after a while, or the card gets "disconnected" easily if you accidentally bump it, that could be annoying too if you get logged out/locked out every time that happens... | 17:46 |
| hallyn | rbasak: thanks. travelling, but will ping him when i will be at kbd for more than a few mins | 21:40 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!