Arnaud Rebillout <arnaudr@debian.org> writes:

> On 11/05/2024 16:59, Simon Josefsson wrote:
>> I feel uncomfortable having a salsa
>> write permission token in plain text on my laptop, which seemed required
>> to use some of the suggested tools
>
> Just passing by.
>
> What are you referring to, why is a salsa token required? Often
> enough, you can store secrets in with libsecret (check package
> libsecret-tools) rather than plain text.

On https://wiki.debian.org/Teams/pkg-security#Packaging_rules it mentions
the 'bin/update-repos' which complains:

  It looks like no token has been configured for /usr/bin/salsa.
  see 'man salsa' and setup a SALSA_TOKEN in the devscripts configuration file.

The man page for salsa
https://manpages.debian.org/bookworm/devscripts/salsa.1.en.html says I
should put a Salsa token in plaintext in ~/.devscripts.

If I understand correctly, leaking that token will leak write-permission
to my account on Salsa. I don't feel comfortable about having this
magic cookie around, it seems safer to rely on SSH or PGP keys (which I
have on a smartcard) instead.

/Simon
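An added example, not part of the original message or of devscripts: a Python check that flags a literal SALSA_TOKEN in a devscripts configuration file and a file mode that group or other can access. It assumes the file uses shell-style `VAR=value` lines, so a value containing `$` or a backtick is treated as an indirect reference (for instance a keyring lookup); the sample token and the `secret-tool` attribute names are constructed.

```python
import os, re, stat, tempfile

# Shell-style assignment, optionally exported (format is an assumption).
ASSIGN = re.compile(r"^\s*(?:export\s+)?SALSA_TOKEN=(.*)$")

def classify_value(raw):
    """Classify the right-hand side as 'literal', 'indirect' or 'empty'."""
    value = raw.split(" #", 1)[0].strip()          # drop a trailing comment
    if len(value) >= 2 and value[0] == value[-1] == "'":
        return "literal" if value[1:-1] else "empty"  # no expansion in '...'
    value = value.strip('"')
    if not value:
        return "empty"
    # $VAR, $(command) or `command`: the secret itself is not in this file.
    return "indirect" if "$" in value or "`" in value else "literal"

def audit_devscripts(path):
    """Return findings for one config file; the token value is never echoed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} is accessible to group or other")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            match = ASSIGN.match(line)              # commented lines never match
            if match and classify_value(match.group(1)) == "literal":
                findings.append(f"line {lineno}: SALSA_TOKEN is a plaintext literal")
    return findings

def write_sample(text, mode):
    """Write constructed config text to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(prefix="devscripts-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    samples = {  # constructed inputs, not real tokens or real attributes
        "plaintext": ("# my config\nSALSA_TOKEN=EXAMPLE-not-a-real-token\n", 0o644),
        "keyring": ('SALSA_TOKEN="$(secret-tool lookup service salsa)"\n', 0o600),
    }
    for name, (text, mode) in samples.items():
        path = write_sample(text, mode)
        print(name, audit_devscripts(path))
        os.remove(path)
```

Run against `~/.devscripts`, an empty result means the file holds no literal token and is private to its owner; it says nothing about how well the referenced secret store is protected.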