On Thu, 11 Jun 2015 21:58:33 -0400 David Kaylor <dpkaylor@gmail.com> wrote:
On Thu, Jun 11, 2015 at 5:59 PM, Giancarlo Razzolini <grazzolini@gmail.com> wrote:
On 11-06-2015 17:56, Remi Gacogne wrote:
(FDE and strong passphrases only buy you some time to do it).
In the case of stolen/lost, it buys you a lot of time. Or you are aware of some cryptanalysis development I'm not aware of.
Now, if your machine is compromised, then I think that you might have bigger worries than the keys used to publish some packages on AUR.
Cheers, Giancarlo Razzolini
That's certainly true, but it's not the point. Separate, individually revokable keys are a good idea if someone will be submitting from multiple machines. And it would help protect AUR down the line. So if it's fairly easy to implement, like Lukas said, +1 on that.
Easiest way to attack a password protected private key: Just put a keylogger on the target. This is why we need u2f/similar support everywhere :/