Subject: Re: trusting cvs & pkgsrc
To: Jan Danielsson <email@example.com>
From: Christopher W. Richardson <firstname.lastname@example.org>
Date: 12/15/2005 19:50:00
-----BEGIN PGP SIGNED MESSAGE-----
"Jan Danielsson" <email@example.com> writes:
> The reason I have created a pkgsrc user is because I don't
> trust cvs. If it runs amok, I want to limits its possibilities
> to do damage.
> Now I'm setting up a new NetBSD system. On it, I would
> prefer to not have a pkgsrc user. But I still don't trust cvs.
This really depends on what you're trying to prevent cvs from
doing. As other people have pointed out, there's no reason to
have a privileged user do the cvs update. I have a root cron
job which (amongst other things) updates pkgsrc on a weekly basis
basically by doing
chown -R nobody:nobody /usr/pkgsrc
su -m nobody -c '/usr/bin/cvs up -Pd'
chown -R root:wsrc /usr/pkgsrc
The above works fine except for ssh complaining about not being
able to create .ssh in /home/nobody -- which hasn't bothered me
enough to bother fixing yet.
> Would it be possible to create a "jail" for sync:ing pkgsrc
> with root? I haven't used chroot:ed jails, but I assume that
> they are for doing what I want(?). Has anyone done what I want
> to do, and give some pointers?
I haven't used a chroot environment for the actual cvs update
part, but I find it very useful for the build part, so as not to
corrupt all sorts of things. The above cron job goes on to check
for out-of-date or vulnerable packages, uses pkglint and
pkgdepgraph to create a dependency list, and then builds binary
packages in a chrooted environment (with pkg_conf).
Then when I get the email from cron, I manually add the packages
Hope that helps,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>
-----END PGP SIGNATURE-----