
Re: Is Debian Repeat Secure?



Martin Owens <doctormo@gmail.com> writes:

> Building debs for ppa uses gpg and signs each source package build in
> two different places requiring the unlocking of the gpg key twice.

> I've been running a script which builds 4 packages for 3 Ubuntu releases
> which comes to typing in my gpg passphrase 24 times in succession (more
> if I get it wrong).

> Should I be concerned that possible snoopers have 24 opportunities to
> watch my passphrase in physical space? And if typing in the passphrase
> a lot of times isn't important, why have a passphrase at all?

I use gpg-agent with a five minute timeout, which is long enough to let me
sign a bunch of packages while I'm actively working (plus git tags and so
forth) but short enough that I'm not too worried about an attacker taking
advantage of the cached password.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
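The five-minute cache Russ describes is set through gpg-agent.conf. Below is an added example (not from either poster) that writes such a setting idempotently and reads it back; it assumes GnuPG 2.1 or later, which reads `default-cache-ttl` and `max-cache-ttl` from `$GNUPGHOME/gpg-agent.conf` and whose built-in default for `default-cache-ttl` is 600 seconds.

```shell
#!/bin/sh
# Added example: pin gpg-agent's passphrase cache to a short TTL.
# Assumes GnuPG 2.1+ (gpg-agent.conf options default-cache-ttl / max-cache-ttl).

# Write both cache options into CONF with the value TTL (seconds).
# Any existing lines for those options are dropped first, so repeated
# calls leave exactly one of each instead of appending duplicates.
set_gpg_agent_ttl() {
    conf="$1"; ttl="$2"
    [ -d "$(dirname "$conf")" ] || mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    # keep every line that is not one of the two cache-ttl options
    grep -Ev '^[[:space:]]*(default|max)-cache-ttl([[:space:]]|$)' "$conf" > "$tmp" || true
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$ttl" "$ttl" >> "$tmp"
    mv "$tmp" "$conf"
}

# Print the default-cache-ttl that CONF yields; an unset option means
# gpg-agent's compiled-in default of 600 seconds (ten minutes).
get_gpg_agent_ttl() {
    awk '$1 == "default-cache-ttl" { v = $2 } END { print (v == "" ? 600 : v) }' "$1"
}

# Tell a running agent to re-read its configuration; a no-op when no
# agent (or no gpg-connect-agent binary) is available.
reload_gpg_agent() {
    command -v gpg-connect-agent >/dev/null 2>&1 \
        && gpg-connect-agent reloadagent /bye >/dev/null 2>&1 || true
}

# Usage (five-minute cache, matching the reply above):
#   set_gpg_agent_ttl "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" 300 && reload_gpg_agent
```

Setting `max-cache-ttl` alongside `default-cache-ttl` matters because the former is a hard ceiling: a long default with an unchanged `max-cache-ttl` of two hours would still let a passphrase outlive the signing session.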