On 4/26/20 12:31 AM, Gard Spreemann wrote:
> Right, but what's the threat model here? For some of us, losing the
> Salsa password is essentially only possible if we have had our PGP
> dongle or offline private key backup compromised. In this case, the
> attacker can sign uploads to the archive anyway, which is arguably more
> serious than a compromised Salsa account.

It might not be you, it might be somebody else. Not everybody is doing that.

Also: even you wouldn't be the first one to click on a fake link to salsa.debiana.org or a similar site. Targeted attacks are nothing uncommon and it is very likely that they succeed, at least with some of the users.

--
Bernd Zeimetz, Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F