On Thu, 11 Jun 2015 21:58:33 -0400 David Kaylor <[email protected]> wrote:
> On Thu, Jun 11, 2015 at 5:59 PM, Giancarlo Razzolini
> <[email protected]> wrote:
>
> > On 11-06-2015 17:56, Remi Gacogne wrote:
> >
> >> (FDE and strong passphrases only buy you some time to do it).
> >>
> > In the case of stolen/lost, it buys you a lot of time. Or you are
> > aware of some cryptanalysis development I'm not aware of.
> >
> > Now, if your machine is compromised, then I think that you might
> > have bigger worries than the keys used to publish some packages on
> > AUR.
> >
> > Cheers,
> > Giancarlo Razzolini
> >
>
> That's certainly true, but it's not the point. Separate, individually
> revocable keys are a good idea if someone will be submitting from
> multiple machines. And it would help protect AUR down the line. So if
> it's fairly easy to implement, like Lukas said, +1 on that.

Easiest way to attack a password-protected private key: Just put a
keylogger on the target. This is why we need U2F/similar support
everywhere :/
