[Packaging docs] more advice about security

Maxime Carron maxime.carron at fedoraproject.org
Wed Jun 20 07:46:05 UTC 2007


Hi folks,

I'm a beginner packager and I'm about to push my first package to Fedora 
CVS.

To put it on CVS I need my ssh private key, and of course my spec and srpm.
But it's written in the doc that we have to build our package with a 
different user (which can't have any access to data like the ssh private key).
My question was, how can I use CVS (i.e. have my ssh private key in my 
homedir) and have access to my specs, ...

Thanks to Anvil and RemiCollet's advice, I do this well now.
I use:
- "builder" user to build my package (no private keys in this one)
- "fedoracvs" user to communicate with fedora cvs (cvs co <package>, 
...) In this account, i can use my ssh key.
- I added fedoracvs in builder's group
- chmod 770 /home/builder

This way the "fedoracvs" user can access the builder homedir, and security 
risks are avoided.

This probably seems obvious to lots of Fedora packagers, but it isn't 
for everybody.
And if *one* person accidentally gives access to Fedora CVS (a 
malicious makefile could send a private key to evil people), it's the whole 
Fedora CVS and repository that are in danger.

So IMHO it's better to write it down.
My problem is that English isn't my mother tongue and I'm not sure I'm 
able to write something comprehensible.
If someone can update this document, or help me to do it, this would be great.

Cheers

Maxime
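
The following audit script is an added example, not part of the original message: it checks the layout described above (build home at mode 770, no private key inside it, no key in the CVS account's `.ssh` readable by group or other). The function names, the key-header pattern and the `/home/fedoracvs/.ssh` path are assumptions.

```sh
#!/bin/sh
# Added example: audit the builder/fedoracvs split (helper names are constructed).
KEY_RE='-----BEGIN [A-Z ]*PRIVATE KEY-----'

# True if directory $1 has exactly mode $2 (POSIX find, no GNU stat needed).
mode_is() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm "$2")" ]
}

# True if user $1 is a member of group $2.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# List files under $1 that contain a private-key header.
private_keys_in() {
    find "$1" -type f -exec grep -l -e "$KEY_RE" {} + 2>/dev/null
}

# List private-key files under $1 that group or other may read.
exposed_keys_in() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -l -e "$KEY_RE" {} + 2>/dev/null
}

# audit BUILD_HOME KEY_DIR: print findings, return 1 if there are any.
audit() {
    rc=0
    mode_is "$1" 770 || { echo "FAIL: $1 is not mode 770"; rc=1; }
    if [ -n "$(private_keys_in "$1")" ]; then
        echo "FAIL: private key material inside build home $1"; rc=1
    fi
    if [ -n "$(exposed_keys_in "$2")" ]; then
        echo "FAIL: private key in $2 readable by group or other"; rc=1
    fi
    return "$rc"
}

# Usage (assumed paths): sh audit.sh /home/builder /home/fedoracvs/.ssh
if [ "$#" -eq 2 ]; then
    in_group fedoracvs builder || echo "WARN: fedoracvs is not in group builder"
    audit "$1" "$2"
fi
```

Run it as root or as the owner of each directory, since `find` can only inspect what the invoking user is allowed to read.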
