[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian and fingerprint readers

On Fri, Mar 5, 2021 at 11:57 am, Philip Hands <phil@hands.com> wrote:
Wouter Verhelst <wouter@debian.org> writes:

 On Thu, Mar 04, 2021 at 05:57:15PM -0500, Sam Hartman wrote:
The parts of Debian that are trying to do that are some of the desktop environments. So, I'd approach the maintainers of Gnome and KDE and
 see if they are interested in recommending this functionality.

It could also be added to the laptop task, which would mean it would be installed by default on all laptops that are installed with debian-installer

Alternatively, d-i has some hardware detection functionality, to install the correct drivers for hardware that is found. One could add entries for supported fingerprint readers to the hardware detection in d-i, and
 then install the necessary packages.

The hard part, however, is configuring all this so it works correctly
 out of the box, also for users who don't want to use it.

For users that don't want to use it, I'd suggest that the only correct
answer is for them to never have had the software on their computer at
any point, given that it's security sensitive software, and any bugs may
well have the potential to hurt.

I presume if one installs this software, that even when the screen is
locked, when someone swipes a finger (or a specifically crafted toxic
pattern for that matter) on the reader, that something will be provoked
to run that would not have been run if it were not installed.

That seems like an increase in attack surface to me, that we should not lightly inflict on unsuspecting users just because *shiny finger scanner*.

I'd expect that people that want their fingerprint scanners to be in use
are mostly aware of that fact, so as long as we make the optional
packages easily installable, that seems completely sufficient to me.

From an earlier reply of Mark,
"It's just a case of needing the libfprint and fprintd packages installed
and then under settings->user you can start registering your prints."

So I think there is still a manual step required before this is active.

Reply to: