On Sat, Mar 30, 2024 at 08:52:29PM +0100, Ansgar 🙀 wrote:
> Hi,
> 
> On Sun, 2024-03-31 at 00:40 +0500, Andrey Rakhmatullin wrote:
> > On Sat, Mar 30, 2024 at 05:00:26PM +0100, Marco d'Itri wrote:
> > 
> > > I think that the real question is whether we should really still use
> > > code-signing keys which are not stored in (some kind of) HSM.
> > What are the options for random DDs for that?
> 
> Yubikeys, Nitrokeys, GNUK, OpenPGP smartcards and similar devices.
> Possibly also TPM modules in computers.
> 
> These can usually be used for both OpenPGP and SSH keys.
Sure (though all the discourse around USB keys in the past 10 years or so
has suggested to me that all of them are bad according to one DD or
other).

> If someone cannot afford them, I think Debian paying for them is a good
> investment; Debian buying tokens for all project members would also be nice,
This was even suggested at least once in the past.

> but logistics are probably annoying...
Exactly.


-- 
WBR, wRAR
