We introduced the gdm-fingerprint.pam in 9d41fe6fcc.
We used the [upstream Arch config] as a template, which contains an extended control field that jumps over **one** immediately-following `auth` rule unless `pam_gdm.so` succeeds.
But we decided to not include `pam_gnome_keyring.so` so there was no rule to skip over, resulting in a broken control flow and the PAM module failing with “PAM bad jump in stack”, breaking the fingerprint authentication in GDM.
Let’s actually add `pam_gnome_keyring.so`, like the Arch config does. Because we are creating the PAM file using the `text` option, `security.pam.services.gdm-fingerprint.enableGnomeKeyring` does not do anything so we need to do it manually.
For the case where gnome-keyring is not enabled, we could add a no-op rule like `optional pam_permit.so` after `pam_gdm.so` so that the branching always has something to jump over but it will be simpler to just make the both conditional. There are no further `auth` rules that could benefit from `pam_gdm.so` doing something so it should be fine.
Unlike in Arch, we are not going to invoke `pam_gnome_keyring.so` in a `session` rule since that is already done by the included `login` module.
[upstream Arch config]: 81ee658c11/data/pam-arch/gdm-fingerprint.pam
The `optional pam_permit.so` comes from the [upstream Arch config] we used as a template in 9d41fe6fcc. But I do not think it does anything in this position – see also the discussion at https://bbs.archlinux.org/viewtopic.php?id=245892 – so let’s just remove it.
Let’s also add a comment about disabling `fprintAuth` and a blank line for clarity.
[upstream Arch config]: 81ee658c11/data/pam-arch/gdm-fingerprint.pam
`gdm-autologin` and `gdm-password` PAM modules are defined using the `text` option, so the option here is a no-op.
Furthermore, `gdm-password` already includes `login` for all module types,
and that invokes `pam_gnome_keyring.so` in the same way Arch’s `gdm-password` module would:
81ee658c11/data/pam-arch/gdm-password.pam
This reverts commit c24c7933ba.
Previously, the blocky package was hardcoded to the one in pkgs. This
change allows to set it, so the user can configure the blocky service to
run blocky from nixpkgs-unstable, for example.
I am the singular maintainer for these packages. They are difficult to
maintain and are going to start to bitrot pretty much as soon as BMD
releases new software versions. Therefore, I am not only removing myself
as the maintainer but dropping them entirely.
