[Packaging docs] more advices about security

Maxime Carron maxime.carron at fedoraproject.org
Wed Jun 20 07:46:05 UTC 2007

Hi folks,

I'm a packager beginner and I'm about to push my first package on fedora 

To put it on cvs i need my ssh private key, and of course my spec and srpm.
But it's written in the doc that we have to build our package with a 
different user (which can't have any access to data like ssh private key).
My question was, how can i use cvs (ie have my ssh private key in my 
homedir) and have access to my specs, ...

Thanks to Anvil and RemiCollet's advices, i do this well now.
I use :
- "builder" user to build my package (no private keys in this one)
- "fedoracvs" user to communicate with fedora cvs (cvs co <package>, 
...) In this account, i can use my ssh key.
- I added fedoracvs in builder's group
- chmod 770 /home/builder

In this way "fedoracvs" user can access to builder homedir, and security 
risks are avoided.

This probably seems obvious for lots of  fedora packager, but it isn't 
for everybody.
And if *one* person give an access accidentally to fedora cvs (a 
malicious makefile could send a private key to evil people) it's all the 
fedora cvs and repository that are in danger.

So IMHO it's better to write it down.
My problem is that English isn't my mother thong and I'm not sure to be 
able to write something comprehensible.
If some can update this document, or help me to do it, this would be great.



More information about the fedora-docs-list mailing list