Subject: Re: trusting cvs & pkgsrc
To: Jan Danielsson <>
From: Christopher W. Richardson <>
List: netbsd-users
Date: 12/15/2005 19:50:00

"Jan Danielsson" <> writes:

>    The reason I have created a pkgsrc user is because I don't
> trust cvs.  If it runs amok, I want to limit its possibilities
> to do damage.
>    Now I'm setting up a new NetBSD system. On it, I would
> prefer to not have a pkgsrc user. But I still don't trust cvs.

This really depends on what you're trying to prevent cvs from
doing.  As other people have pointed out, there's no reason to
have a privileged user do the cvs update.  I have a root cron
job which (amongst other things) updates pkgsrc on a weekly basis
basically by doing

chown -R nobody:nobody /usr/pkgsrc      # hand the tree to an unprivileged user
cd /usr/pkgsrc
su -m nobody -c '/usr/bin/cvs up -Pd'   # run the update as that user
chown -R root:wsrc /usr/pkgsrc          # give the tree back to root afterwards

The above works fine except for ssh complaining about not being
able to create .ssh in /home/nobody -- which hasn't bothered me
enough to bother fixing yet.

>    Would it be possible to create a "jail" for syncing pkgsrc
> with root? I haven't used chrooted jails, but I assume that
> they are for doing what I want(?). Has anyone done what I want
> to do, and can give some pointers?

I haven't used a chroot environment for the actual cvs update
part, but I find it very useful for the build part, so as not to
corrupt all sorts of things.  The above cron job goes on to check
for out-of-date or vulnerable packages, uses pkglint and
pkgdepgraph to create a dependency list, and then builds binary
packages in a chrooted environment (with pkg_conf).

Then when I get the email from cron, I manually add the packages
with pkg_add.

Hope that helps,
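The chown/su/cvs/chown sequence from the reply above, as an added example that is not code from the mail: it wraps the same steps in a script and refuses to hand the tree back to root if the unprivileged cvs run left setuid/setgid or world-writable entries behind. /usr/pkgsrc, nobody and wsrc are taken from the mail; the HOME override and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail.  Wraps the
# chown / su nobody / cvs up / chown sequence and checks the tree
# before ownership goes back to root.
set -eu

# List setuid/setgid regular files and world-writable entries under $1.
# A pkgsrc checkout should contain neither; if the unprivileged cvs
# run (or whatever it fetched) left some behind, this shows them
# before root owns the tree.  Returns 0 when clean, 1 otherwise.
check_tree() {
    found=$(find "$1" \( \( -type f -a \( -perm -4000 -o -perm -2000 \) \) \
                      -o \( ! -type l -a -perm -0002 \) \) -print)
    if [ -n "$found" ]; then
        printf 'suspicious entries under %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Hand the tree to an unprivileged user, run cvs as that user, verify,
# then give it back to root:$3.  Must itself run as root (cron job).
update_pkgsrc() {
    dir=$1 user=$2 group=$3
    chown -R "$user:$user" "$dir"
    # HOME points at a directory the user can write so ssh can create
    # its .ssh directory (the complaint mentioned in the mail).
    # Assumption: $dir/.home exists; the chown above makes it writable.
    ( cd "$dir" && HOME="$dir/.home" su -m "$user" -c '/usr/bin/cvs up -Pd' )
    check_tree "$dir" || { echo "not handing $dir back to root" >&2; return 1; }
    chown -R "root:$group" "$dir"
}

# Run the real job only when asked explicitly, e.g. from root's crontab:
#   /usr/local/sbin/update-pkgsrc.sh run
case "${1:-}" in
    run) update_pkgsrc /usr/pkgsrc nobody wsrc ;;
esac
```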