Release v1.11.0

Security and Correctness

• Fixed regrab retry stall after NotifyUngrab. The main poll loop now
  schedules a short wakeup whenever a grab reinstate is pending, so failed
  re-acquisition retries within ~100 ms instead of potentially blocking
  indefinitely until an unrelated event arrives. Restores the pre-event-driven
  poll-loop retry cadence for the grab-failure path without reintroducing an
  unconditional tick.
• Fixed input starvation in the auth prompt under sustained X event load.
  WaitForAuthActivity() no longer takes a pre-poll fast path on XPending();
  it always polls — with a zero timeout when Xlib has buffered events — and
  checks stdin and authproto readiness before X. A flood of attacker-generated
  X events on the same display can no longer indefinitely defer typed
  passphrase bytes or authproto messages, so the lock prompt cannot be hung
  this way.

Tests, CI, and Developer Tooling

• Fixed AssertDoubleNear test helper to abort on NaN (and infinities). The
  previous absolute-difference comparison silently accepted NaN because every
  IEEE-754 comparison with NaN is false; the rejection-of-nan/inf cases
  in env_settings_test would have passed even if GetFiniteDoubleSetting()
  regressed to returning a non-finite value. Inverted the comparison to
  !(diff <= tolerance) so unordered diffs trigger the abort.

Artifact provenance

The source tarball has a GitHub Artifact Attestation. Verify it with:

gh attestation verify xsecurelock-1.11.0.tar.gz -R Zaczero/xsecurelock

Release v1.10.0

This is the first maintained-fork release after upstream v1.9.0. Compared
with v1.9.0, the net result is a safer, more portable, better tested
XSecureLock that keeps the original architecture: a small X11/POSIX locker with
separate auth, authproto, and saver helpers.

Security and Correctness

• Hardened authproto packet handling. Packet reads now validate type,
  separator, bounded length, payload, and trailing newline explicitly; packet
  writes report failures; password-like packet buffers are cleared on error
  paths.
• Strengthened PAM handling. XSecureLock now rejects null PAM auth tokens by
  default when supported by the PAM implementation, preserves explicit user
  cancellation, validates PAM conversation input defensively, wipes PAM response
  memory before free, skips PAM_TTY when DISPLAY is unset, and enforces
  required expired-password changes even when ordinary account-failure checking
  is disabled. Cleanup also avoids using the PAM handle after pam_end().
• Improved secret cleanup in the auth UI. Prompt state and deleted prompt bytes
  are wiped with explicit_bzero() instead of being left in ordinary memory.
• Fixed child-exit wakeups. The main locker and saver_multiplex now wake from
  SIGCHLD through a self-pipe, so exited auth or saver children cannot leave
  the process asleep until an unrelated X event or user signal arrives.
• Hardened child process and fd mechanics. Fork/exec, process-group setup,
  stdio wiring, close-on-exec pipes, EINTR-safe I/O, waits, signal re-raise, and
  child status logging now share common code instead of being reimplemented in
  several helpers.
• Strengthened lock-window recovery. The locker validates root/display
  dimensions, cleans up partial grab failures, remaps or raises lock windows
  after suspicious map/unmap/visibility/configure events, and has a clearer
  composite overlay/obscurer path.
• Added XSECURELOCK_AUTO_RAISE=1 as an opt-in compatibility fallback for
  compositor stacks that do not generate enough useful visibility events.
• Improved forced-grab support without Xmu/Xmuu. The force-grab path now uses a
  local Xlib-only client-window lookup instead of XmuClientWindow(), removing
  the hard Xmu/Xmuu dependency while keeping the existing client-vs-frame
  behavior.
• Hardened X11 resource handling. X properties, atom names, class hints, GCs,
  pixmaps, cursors, Xft objects, auth windows, dimmer windows, saver windows,
  and composite resources now have clearer checked allocation and cleanup paths.
• Hardened numeric and geometry handling. Rectangle and monitor clipping use
  checked endpoint arithmetic, auth dialog placement clips through shared
  rectangle helpers, dimmer opacity uses an explicit 32-bit value for the
  32-bit X property payload, mlock() page calculations check overflow through
  the final size_t conversion, and nanosleep() checks time_t range.
• Improved blanking and DPMS behavior. DPMS state is parsed once, auth timeout
  and blanking ownership are documented more clearly, and requested DPMS mode is
  reapplied while blanked so external state changes do not leave the monitor in
  the wrong power state.
• Fixed XRandR monitor-change handling for RRNotify events, so auth and saver
  helpers refresh their monitor layout after CRTC/output changes instead of
  only after full screen-size notifications.
• Made active auth redraws refresh their monitor snapshot, covering XRandR 1.5
  virtual monitor changes that some X servers do not report as useful events.
• Fixed runtime handling when XScreenSaver support is compiled in but the X
  server does not provide the extension.
• Tightened helper path handling. Helper-name resolution no longer relies on
  PATH_MAX; installed helper names are checked through the configured helper
  directory, while absolute helper paths remain supported.
• Reduced dependency surface by dropping unused libbsd detection and the hard
  Xmu/Xmuu build requirement.

User-Facing Improvements

• Added auth dialog customization:
  • XSECURELOCK_AUTH_TITLE
  • XSECURELOCK_AUTH_PADDING
  • XSECURELOCK_AUTH_BORDER_SIZE
  • XSECURELOCK_AUTH_X_POSITION
  • XSECURELOCK_AUTH_Y_POSITION
• Added XSECURELOCK_LAYOUT_SWITCH_KEYSYM, allowing Ctrl-layout switching to
  use a configurable keysym such as Tab or space.
• Added XSECURELOCK_SAVER_NOTIFY_ON_AUTH_OPEN=1, which sends SIGUSR2 to the
  saver when the auth dialog opens.
• Improved keyboard-status display. Caps Lock can be reported from keyboard
  state, layout/indicator text is formatted more reliably, and XIM locale
  modifiers are initialized for better non-ASCII input behavior.
• Fixed prompt display issues, including the visible cursor marker and disco
  prompt buffer handling.
• Static PAM informational messages shown by auth_x11 remain interactive, so
  users can advance or cancel instead of waiting passively for timeout.
• Fixed CLI argument handling: --help and --version now work from an
  uninstalled build tree before installed helper paths are checked, while
  invalid arguments now exit with failure.
• saver_multiplex now notices failed per-monitor savers promptly and restarts
  them without spinning.
• saver_xscreensaver is more robust and portable: it handles empty saver lists
  before selection arithmetic, avoids tail -n +N, ignores SIGUSR2, and runs
  selected saver commands through sh -c consistently.
• Media saver scripts no longer require GNU shuf; they use an awk/sort
  fallback when needed.
• Added documented examples for XFCE lock-command integration and logind
  power/sleep-button inhibition while locked.
• Expanded README guidance for xss-lock, suspend/resume, immediate auth prompt
  workflows, DPMS/blanking ownership, systemd user sessions, custom auth/saver
  helpers, optional runtime tool paths, PAM privileges on BSD, and the
  maintained-fork status.

Portability, Packaging, and Build System

• Configure now explicitly requires a C99-capable compiler.
• Feature-test macros are supplied through compiler flags so they are visible
  before system headers in every translation unit.
• Warning probes now populate project warning flags instead of mutating user
  CFLAGS.
• Optional X extension detection now requires both the development header and
  the link symbol. XRandR 1.5 support additionally checks for
  XRRGetMonitors().
• Target link dependencies are explicit. Helper binaries link only the
  libraries they actually use instead of relying on global LIBS and
  --as-needed.
• Build configuration generated by configure is split into build-config.h,
  including compiled helper/doc paths and configured default helper names.
• Out-of-tree build rules and generated version handling were fixed. Version
  generation now escapes arbitrary git-version bytes and works in non-git
  distribution builds.
• Shell scripts and tests use more portable POSIX-sh constructs and mktemp
  templates.
• Added compatibility coverage for Linux/glibc, older C99-style builds,
  32-bit/i386, musl/Alpine, and FreeBSD.

Tests, CI, and Developer Tooling

• Added GitHub Actions CI:
  • Linux full-suite job running make check under Xvfb/Xephyr, including the
    XDO suite.
  • Linux PAM build/install job.
  • Debian 11 portable C99 native-smoke job.
  • i386 build job.
  • Alpine/musl native-smoke job.
  • FreeBSD 13.5 native-smoke job.
  • POSIX shell/checkbashisms job.
  • XDO log upload on failure.
• Added a one-click GitHub release workflow that validates the release commit,
  builds the upstream-style source tarball, publishes changelog-based release
  notes, and attaches GitHub Artifact Attestation provenance.
• make check now runs a real validation path: settings-documentation checks,
  an out-of-tree clang/ASan/UBSan install, native helper/unit smoke tests, an
  authproto packet round-trip, and the XDO desktop-behavior suite.
• Expanded the tracked test suite from 11 files in upstream v1.9.0 to 63 files
  in this release, including 29 new dedicated native _test.c sources and XDO
  scenarios growing from 5 to 13.
• Added native regression coverage for auth titles, authproto bounds and PAM
  flow, blanking/DPMS parsing, buffer writing, configured shell commands,
  dimmer math, environment parsing, explicit_bzero() fallback behavior, grabs,
  signal pipes, process/wait helpers, retry I/O, KeySym parsing, mlock() page
  handling, prompt display/state/randomness, rectangle clipping, XKB indicator
  text, XScreenSaver environment export, and force-grab unmap behavior.
• Added XDO coverage for static authproto info messages, global saver override,
  saver auth-open notification, saver multiplex restart, SIGUSR2 auth start,
  XScreenSaver blank-state behavior, and auth geometry across XRandR resize and
  monitor-layout changes.
• XDO tests now wait on observable state where practical, making the suite
  faster and less timing-fragile while preserving useful visual feedback.
• Added .clang-format, .clang-tidy, configured clang-tidy arguments, and a
  settings-documentation consistency check.

Codebase Quality

• Split the former monolithic auth_x11.c and main.c structure into focused
  modules for auth UI config/resources/windows/drawing/prompt handling, prompt
  display/state/randomness, XKB status, blanking, grabs, lock windows, child
  lifecycle, configured commands, and XScreenSaver environment export.
• Split generic utility code into narrower modules for buffer writing, I/O,
  process handling, time/deadlines, X11 resource cleanup, and signal helpers.
• Centralized setting parsing, executable-path lookup, KeySym parsing,
  child-process mechanics, rectangle clipping, and auth-window slot ownership.
• Normalized includes, SPDX headers, const/bool usage, and C99 style where it
  improved portability or warning coverage.

Compatibility Notes

• PAM stacks that intentionally allow empty passwords now require
  `XSECURELOCK_ALLOW_NULL_PAM_AUTHTOK...