Martin Owens <docto...@gmail.com> writes:

> Building debs for ppa uses gpg and signs each source package build in
> two different places requiring the unlocking of the gpg key twice.

> I've been running a script which builds 4 packages for 3 ubuntu releases
> which comes to typing in my gpg passphrase 24 times in succession (more
> if I get it wrong).

> Should I be concerned that possible snoopers have 24 opportunities to
> watch my passphrase in physical space? And if typing in the passphrase
> lots of times isn't important, why have a passphrase at all?

I use gpg-agent with a five minute timeout, which is long enough to let me
sign a bunch of packages while I'm actively working (plus git tags and so
forth) but short enough that I'm not too worried about an attacker taking
advantage of the cached password.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>