Re: Is Debian Repeat Secure?
Martin Owens <doctormo@gmail.com> writes:
> Building debs for ppa uses gpg and signs each source package build in
> two different places requiring the unlocking of the gpg key twice.
> I've been running a script which builds 4 packages for 3 Ubuntu releases
> which comes to typing in my gpg passphrase 24 times in succession (more
> if I get it wrong).
> Should I be concerned that possible snoopers have 24 opportunities to
> watch my passphrase in physical space? And if typing in the passphrase
> lots of times isn't important, why have a passphrase at all?
I use gpg-agent with a five minute timeout, which is long enough to let me
sign a bunch of packages while I'm actively working (plus git tags and so
forth) but short enough that I'm not too worried about an attacker taking
advantage of the cached password.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
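
An added example, not part of the original message: a check of the cache limits in a gpg-agent.conf against the five-minute window described above. It assumes the timeout is set with the `default-cache-ttl` and `max-cache-ttl` options; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective passphrase cache limits in a gpg-agent.conf.
# GnuPG defaults when an option is absent: default-cache-ttl 600, max-cache-ttl 7200.
# default-cache-ttl is an idle timeout (reset on every use of the cached key);
# max-cache-ttl is the hard ceiling after which the entry expires regardless.

# effective_ttl FILE OPTION DEFAULT -> prints the value set for OPTION, else DEFAULT.
# If the option is repeated, this sketch takes the last occurrence (an assumption).
effective_ttl() {
    awk -v opt="$2" -v def="$3" '
        $1 == opt && $2 ~ /^[0-9]+$/ { val = $2 }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# check_agent_ttl FILE LIMIT -> returns 0 only if both the idle timeout and the
# hard ceiling are at most LIMIT seconds.
check_agent_ttl() {
    idle=$(effective_ttl "$1" default-cache-ttl 600)
    ceiling=$(effective_ttl "$1" max-cache-ttl 7200)
    echo "idle=${idle}s ceiling=${ceiling}s"
    [ "$idle" -le "$2" ] && [ "$ceiling" -le "$2" ]
}

# Constructed sample: idle timeout set to five minutes, ceiling left at its default.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'default-cache-ttl 300' > "$sample"
if check_agent_ttl "$sample" 300; then
    echo "cache is bounded by 300s"
else
    # A build script that keeps signing resets the idle timer each time,
    # so the key can stay unlocked until max-cache-ttl is reached.
    echo "cache can outlive 300s; also set max-cache-ttl"
fi
rm -f "$sample"
```

After editing the real file, `gpgconf --reload gpg-agent` makes the running agent pick up the new values.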