Subject: Re: trusting cvs & pkgsrc
To: Jan Danielsson <jan.danielsson@gmail.com>
From: Christopher W. Richardson <cwr@nexthop.com>
List: netbsd-users
Date: 12/15/2005 19:50:00
"Jan Danielsson" <jan.danielsson@gmail.com> writes:

>    The reason I have created a pkgsrc user is because I don't
> trust cvs.  If it runs amok, I want to limit its possibilities
> to do damage.
>
>    Now I'm setting up a new NetBSD system. On it, I would
> prefer to not have a pkgsrc user. But I still don't trust cvs.

This really depends on what you're trying to prevent cvs from
doing.  As other people have pointed out, there's no reason to
have a privileged user do the cvs update.  I have a root cron
job which (amongst other things) updates pkgsrc on a weekly basis
basically by doing

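# hand the tree to an unprivileged user for the update
chown -R nobody:nobody /usr/pkgsrc
cd /usr/pkgsrc
# run cvs without root privileges
su -m nobody -c '/usr/bin/cvs up -Pd'
cd
# give the tree back to root:wsrc
chown -R root:wsrc /usr/pkgsrc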

The above works fine except for ssh complaining about not being
able to create .ssh in /home/nobody -- which hasn't bothered me
enough to bother fixing yet.

>    Would it be possible to create a "jail" for syncing pkgsrc
> with root? I haven't used chrooted jails, but I assume that
> they are for doing what I want(?). Has anyone done what I want
> to do, and can give some pointers?

I haven't used a chroot environment for the actual cvs update
part, but I find it very useful for the build part, so as not to
corrupt all sorts of things.  The above cron job goes on to check
for out-of-date or vulnerable packages, uses pkglint and
pkgdepgraph to create a dependency list, and then builds binary
packages in a chrooted environment (with pkg_conf).

Then when I get the email from cron, I manually add the packages
with pkg_add.

Hope that helps,
Cheers,
Chris
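
Added example, not part of the message above: a hardened form of the same cron steps that never runs cvs outside the tree, strips setuid/setgid bits from the tree before root takes ownership again, and always hands the tree back to root:wsrc even when the update fails. The function name pkgsrc_update and the variables RUN_AS, RUN_GROUP, OWNER, CHOWN and SU are assumptions introduced here.

```shell
#!/bin/sh
# Added example; every name below is an assumption, not a pkgsrc setting.
: "${RUN_AS:=nobody}" "${RUN_GROUP:=nobody}" "${OWNER:=root:wsrc}"
: "${CHOWN:=chown}" "${SU:=su}"   # overridable so the logic can be tested

pkgsrc_update() {
    tree=$1
    rc=0
    [ -d "$tree" ] || { echo "pkgsrc_update: no such tree: $tree" >&2; return 2; }

    # Hand the tree to the unprivileged account for the duration of the update.
    "$CHOWN" -R "$RUN_AS:$RUN_GROUP" "$tree" || return 1

    # Subshell: if cd fails, cvs never runs in some other directory, and the
    # caller's working directory is untouched.
    ( cd "$tree" && "$SU" -m "$RUN_AS" -c '/usr/bin/cvs up -Pd' ) || rc=$?

    # Whether chown by root clears setuid/setgid bits varies between systems,
    # so drop them explicitly before root becomes the owner.
    find "$tree" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod ug-s {} + || rc=1

    # Always give the tree back, even when the update failed.
    "$CHOWN" -R "$OWNER" "$tree" || rc=1
    return "$rc"
}

# From the root cron job: pkgsrc_update /usr/pkgsrc || echo "update failed"
```

The non-zero return value lets the surrounding cron job skip the later build steps when the update did not complete.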