
Re: [ANNOUNCE] experimental dpkg available



On Thu, 28 Oct 1999 00:59:53 -0700, Joey Hess wrote:

>Eric Weigel wrote:
>>  echo password 

>I hope you realize how utterly insecure this is.

The echo command?  Yes, I just did it that way for testing the
--passphrase-fd option.  And my password's not 'password' :)

Also yes, if dpkg-signpackage were to collect the password, then feed it
to each instance of gpg, that's less secure than letting gpg ask for
the passphrase directly.

But having it ask for the passphrase 8 times for a 4-binary package
would be really annoying.

So while it should certainly not be the default mode for
dpkg-signpackage, it should maybe be an option the developer can choose
(with a warning in the doc about the security risk?)

>-- 
>see shy jo
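The trade-off discussed in the message above, as an added example that is not code from the thread or from dpkg: a wrapper asks for the passphrase once and hands it to each child over a private pipe, so it never appears in argv or the environment, but the wrapper holds it in memory for the whole run. The function names are hypothetical, `gpg --detach-sign` is an assumed signing command, and the gpg options shown are those GnuPG 2.1+ needs alongside `--passphrase-fd`.

```python
import getpass
import os
import subprocess
import sys

def run_with_passphrase_fd(argv_template, passphrase):
    """Run one child; the "{fd}" argument becomes the number of a private
    pipe from which the child reads the passphrase."""
    r, w = os.pipe()
    try:
        argv = [str(r) if a == "{fd}" else a for a in argv_template]
        # Only this descriptor is inherited; the secret is not in argv or env.
        proc = subprocess.Popen(argv, pass_fds=(r,), stdout=subprocess.PIPE)
    except BaseException:
        os.close(w)
        raise
    finally:
        os.close(r)  # parent keeps only the write end
    try:
        os.write(w, passphrase + b"\n")
    except BrokenPipeError:
        pass  # child exited without reading; its return code says why
    finally:
        os.close(w)  # EOF for the child
    out, _ = proc.communicate()
    return argv, proc.returncode, out

def sign_all(paths, passphrase, argv_for):
    """Feed one collected passphrase to a separate child per file."""
    results = []
    for path in paths:
        _, rc, out = run_with_passphrase_fd(argv_for(path), passphrase)
        results.append((path, rc, out))
    return results

def gpg_argv(path):
    # GnuPG 2.1+ honours --passphrase-fd only with --batch and loopback pinentry.
    return ["gpg", "--batch", "--pinentry-mode", "loopback",
            "--passphrase-fd", "{fd}", "--detach-sign", path]

def standin_argv(path):
    # Constructed stand-in for gpg so the example runs without a keyring:
    # it reads the descriptor and reports only the passphrase length.
    code = ("import os, sys; "
            "print(len(os.read(int(sys.argv[1]), 4096).rstrip(b'\\n')), sys.argv[2])")
    return [sys.executable, "-c", code, "{fd}", path]

if __name__ == "__main__":
    secret = getpass.getpass("Passphrase (asked once): ").encode()
    for path, rc, _ in sign_all(sys.argv[1:], secret, gpg_argv):
        print(path, "ok" if rc == 0 else f"gpg exited {rc}")
```

Anything that can read the wrapper's memory while it runs can read the passphrase, which is the added exposure compared with letting gpg prompt for it directly.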