Bug#645427: [Secure-testing-team] Bug#645427: Stopped locking the screen when closing the laptop lid

Josh Triplett josh at joshtriplett.org
Sat Oct 15 23:45:14 UTC 2011


severity 645427 grave
tags 645427 + security
thanks

On Sat, Oct 15, 2011 at 06:36:27PM -0400, Michael Gilbert wrote:
> severity 645427 important
> tag 645427 -security
> thanks
> 
> > I guess what I'm saying is that lid close screen locking has
> > in the past been a choice left up to the user, so there's no
> > reason to consider the same behavior as a security issue now.
> 
> Removing security relevance.

Re-adding security relevance for now.  Justification (summarized from my
previous mail):

- This is a regression from previous working configurations, which
  allows access to the user's account in a situation where it previously
  did not.

- Regardless of any other choice the user might have made (whether
  configuring gnome-screensaver to not lock the screen, or choosing an
  alternative screensaver implementation), *this* valid configuration of
  gnome-screensaver has security relevance, and now no longer works.

- The user will not discover the problem until after the first time they
  close the lid, possibly walk away, and return to find their system
  still completely unlocked.

- If this represents an intentional change, it needs huge warnings in
  NEWS.Debian.gz and release notes to prevent problems.

- If this represents a dependency problem with other components of GNOME
  3, it still remains a security bug.

- This bug could also put the user in violation of various entirely
  sensible organization security policies ("lock your computer when
  unattended").

If you really want to remove the tag and/or lower the severity, I won't
change it again, but please do consider the above justification before
doing so.

- Josh Triplett

More information about the pkg-gnome-maintainers mailing list