Re: Salsa update: no more "-guest" and more
On 4/26/20 12:31 AM, Gard Spreemann wrote:
> Right, but what's the threat model here? For some of us, losing the
> Salsa password is essentially only possible if we have had our PGP
> dongle or offline private key backup compromised. In this case, the
> attacker can sign uploads to the archive anyway, which is arguably more
> serious than a compromised Salsa account.
It might not be you, it might be somebody else. Not everybody is doing that.
Also: even you wouldn't be the first one to click on a fake link to
salsa.debiana.org or a similar site. Targeted attacks are nothing
uncommon and it is very likely that they succeed, at least with some of
the users.
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Reply to: