Bug#1109435: unblock: gdm3/48.0-2

Simon McVittie smcv at debian.org
Thu Jul 17 16:55:35 BST 2025


Package: release.debian.org
Severity: normal
X-Debbugs-Cc: gdm3 at packages.debian.org, marco at ubuntu.com
Control: affects -1 + src:gdm3
User: release.debian.org at packages.debian.org
Usertags: unblock

(Explicitly cc'ing Marco since he's the author of most of our 
integration glue for gdm smart card auth, to give him one last 
opportunity to propose a better solution.)

[ Reason ]

RC bug #1051785

[ Impact ]

If not accepted, booting a GNOME system with a smartcard inserted in a 
reader, or with a smartcard-based authentication token like a Yubikey, 
makes it more difficult or sometimes impossible to log in with a 
username and password (depending on whether libpam-sss is installed).

The proposed version also removes some misleading commented-out example 
configuration, which would have no effect if uncommented (#1105057); 
adds commented-out example configuration for disabling fingerprint 
authentication; and fixes a future FTBFS with gcc-15 (#1096689) while I 
was preparing an upload anyway.

[ Tests ]

Manually tested, login works normally. Plugging in a Nitrokey Pro to an 
otherwise unconfigured test system does not affect the login flow any 
more.

[ Risks ]

Key package, central to our default desktop environment.

I'm not a primary maintainer of this package, I'm only stepping in to
fix the RC bug since other GNOME team members don't seem to have had 
enough time available.

Sysadmins who want to allow smart card authentication might not realize 
that, in addition to enrolling smart cards and setting up the smartcard 
to uid mapping, they will need to edit /etc/gdm3/greeter.dconf-defaults 
to re-enable it.

Sysadmins who want to *only* allow smart card authentication (with 
password auth forbidden) might not realize that they need to 
`update-alternatives --config gdm-smartcard`, as well as installing 
libpam-sss.

(I think those are not a big concern in practice, because sysadmins who 
want to set this up will already need to do quite a lot of other setup, 
and can be expected to know what they're doing.)

The changes for #1105057 are low-risk, they only add/remove comments and 
remove the headings of some empty .ini-style groups.

The changes for #1096689 are low-risk, they only rename a local variable.

[ Checklist ]

  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock gdm3/48.0-2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gdm3_48.0-2.diff
Type: text/x-diff
Size: 10713 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20250717/9a09e0c4/attachment-0001.diff>

