On 6/13/2014 11:09 AM, Rocki Hack wrote:
>> An attacker gains access to your machine while it's powered on
>> and you are away (maybe gone to lunch?)
>
> Sorry, but what? How responsible are you? Don't blame software for
> things it can't do...
>
> If an attacker has physical access: _Checkmate_. You can easily
> dump the TrueCrypt master key from ram if the volume is currently
> mounted... Nothing you could do against it really...

I'm afraid we have to assume our development machines are already compromised. We also should assume github is compromised. It is an interesting problem, trying to write secure software on untrusted machines, while collaborating with untrusted authors using untrusted servers. Linus has a small tree of trusted people he depends on, and a secure-ish air-gapped machine. We don't even have that.

If nothing else, signing commits before pushing protects our code while it resides on US controlled servers at github. Otherwise, we'd have to find a more secure solution.

Note that Linus does *not* develop on github. He only mirrors to github, and never pulls, SFAIK. If he did all his development on github, I think he would feel differently about signing commits.

Also note that Linux has been back-doored before on git mirrors. People working with unsigned development code cloned from untrusted mirrors like github code are at risk. I happen to be cloning linux from github right now...

Bill
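
The message above argues for signing commits because the hosting server and mirrors are untrusted. The following is an added example, not part of the original message or of any project's tooling: a shell check that audits `git log` signature status against an explicit allowlist of signer fingerprints. The allowlist file, the function names and all sample hashes and fingerprints are constructed for illustration.

```shell
# Audit commit signatures for a range of history.
# stdin: one line per commit, "<hash> <status> <primary-key-fingerprint>",
#        as produced by:  git log --format='%H %G? %GP' <range>
# $1:    file of trusted primary-key fingerprints, one per line (assumed allowlist).
# Prints one line per rejected commit; succeeds only if every commit is accepted.
audit_signatures() (
    trusted_file=$1
    rc=0
    while read -r hash status fpr; do
        [ -n "$hash" ] || continue
        case $status in
            G|U) # Signature verifies. U means GnuPG does not know the key's validity,
                 # so the decision rests on the allowlist, not on the local trust db.
                if [ -z "$fpr" ] || ! grep -qxF -- "$fpr" "$trusted_file"; then
                    echo "$hash REJECT signer-not-in-allowlist $fpr"; rc=1
                fi ;;
            N)     echo "$hash REJECT unsigned"; rc=1 ;;
            B)     echo "$hash REJECT bad-signature"; rc=1 ;;
            E)     echo "$hash REJECT cannot-verify-missing-key"; rc=1 ;;
            X|Y|R) echo "$hash REJECT expired-or-revoked"; rc=1 ;;
            *)     echo "$hash REJECT unknown-status:$status"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample input (not real commits or keys): trusted signer, unsigned
# commit, valid signature from a key outside the allowlist, and a bad signature.
sample_log() {
    printf '%s\n' 'aaaa111 G TRUSTEDFPR0001' 'bbbb222 N' \
                  'cccc333 G UNKNOWNFPR0002' 'dddd444 B TRUSTEDFPR0001'
}

allow=$(mktemp)
echo 'TRUSTEDFPR0001' > "$allow"
sample_log | audit_signatures "$allow" || echo "history contains unverified commits"
rm -f "$allow"
```

Against a real clone, replace `sample_log` with `git log --format='%H %G? %GP' <range>` after importing the signers' public keys from a channel other than the mirror being checked.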