[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Salsa update: no more "-guest" and more

On 4/26/20 12:31 AM, Gard Spreemann wrote:

> Right, but what's the threat model here? For some of us, losing the
> Salsa password is essentially only possible if we have had our PGP
> dongle or offline private key backup compromised. In this case, the
> attacker can sign uploads to the archive anyway, which is arguably more
> serious than a compromised Salsa account.

It might not be you, it might be somebody else. Not everybody is doing that.

Also: even you wouldn't be the first one to click on a fake link to
salsa.debiana.org or a similar site. Targeted attacks are nothing
uncommon and it is very likely that they succeed, at least with some of
the users.

 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

Reply to: