Releases: archledger/irlume
Release list
irlume v0.1.1
Packaging patch release: the Fedora Copr pipeline now works end-to-end, and native packages for all three families are attached. No functional changes to the daemon, CLI, or PAM module.
Install
Fedora (Copr, auto-updates with dnf upgrade):
sudo dnf copr enable archledger/irlume
sudo dnf install irlume
Arch:
sudo pacman -U irlume-0.1.1-1-x86_64.pkg.tar.zst
Debian/Ubuntu:
sudo apt install ./irlume_0.1.1_amd64.deb
Fixed
- Packit Copr builds request build-time networking (
enable_net) so cargo can reach crates.io. Cargo.lockis now committed, socargo build --lockedworks from release tarballs.- Fedora spec: added missing
clang-devel,kernel-headers,pkgconf-pkg-configBuildRequires (bindgen for V4L2 bindings; pkg-config for tss-esapi). - Fedora spec: the SELinux policy module is compiled from its committed
.tesource during the build.
Full changelog: https://github.com/archledger/irlume/blob/main/CHANGELOG.md
irlume v0.1.0
irlume v0.1.0
Local infrared face authentication for Linux — clean-BOM, TPM-sealed, meant to meet or beat Windows Hello.
First public release. irlume logs you in by your face using the IR (Windows Hello) camera, with the password always available as a fallback — no lockout, ever.
✨ What you get
- Privilege-separated by design — a thin
pam_irlume.soandirlumeCLI are untrusted clients of a privilegedirlumeddaemon (the only thing that touches the camera, IR emitter, models, templates, or TPM), over aSO_PEERCRED-authenticated Unix socket. - Clean model bill-of-materials — every weight is permissive and GPLv3-compatible, so the whole stack ships bundled:
Stage Model License Detection YuNet MIT Recognition AuraFace (512-D ArcFace) Apache-2.0 Liveness — IR gate self-built, algorithmic — Liveness — passive blink (opt-in) MediaPipe FaceMesh → EAR Apache-2.0 - Your face never leaves as an image — only 512-D embeddings (a one-way projection), AES-256-GCM encrypted under a key the TPM seals to your boot state. Disk-theft tested: the sealed data is undecryptable on another machine.
- Tiers by hardware — IR camera → Secure (login,
sudo, lock screen, keyring unlock); RGB-only → Convenience (screen unlock only); optional fingerprint companion. - Smart PAM wiring —
irlume login enablewires the greeter + lock screen correctly for your login manager (GDM/SDDM/plasmalogin), method, and tier. Opt-in; never auto-wired on install.
📦 Install
Fedora
sudo dnf copr enable archledger/irlume
sudo dnf install irlumeArch (from the Release assets)
sudo pacman -U ./irlume-*.pkg.tar.zst
# fresh install prompts for an onnxruntime provider — choose onnxruntime-cpuDebian / Ubuntu (from the Release assets)
sudo apt install ./irlume_*.debonnxruntime is bundled on Fedora and Debian/Ubuntu; Arch uses the system package. Nothing else to install.
Then, once:
irlume ir-setup # enable the 850 nm IR emitter (IR cameras)
irlume tui # enroll your face + configure, guided
sudo irlume login enable --apply # opt-in: wire the greeter + lock screen✅ Validated
Working end-to-end on real hardware across Fedora, Arch, and Debian/Ubuntu — IR Secure tier, RGB Convenience tier, and fingerprint. Packaged and install-tested for all three families.
⚖️ Honest limitations
- Passive blink liveness is a deterrent, not a guarantee. It closes casual and typical print/screen attacks, but a determined life-size glossy print can still slip through occasionally, and it doesn't cover glasses-wearers. Every miss falls safely to the password. Beating a determined glossy print needs a trained PAD model or true depth hardware.
- RGB-only laptops get the Convenience tier — face unlocks the screen only, never
sudo/login/keyring. By design. - Not lab-certified. Self-tested against ISO/IEC 30107-3; no paid iBeta pass. Demographic FMR tuning is ongoing.
Interfaces may still shift before 1.0.
🔏 Verify the release
This tag is GPG-signed (C10B8492BD7F30C6, archledger236@gmail.com):
git verify-tag v0.1.0📄 License
GPL-3.0-or-later — fully open, copyleft.