
[Packaging docs] more advice about security

Hi folks,

I'm a beginner packager and I'm about to push my first package to Fedora CVS.

To put it in CVS I need my SSH private key, and of course my spec and SRPM.
But it's written in the doc that we have to build our package as a different user (which can't have any access to data like an SSH private key). My question was: how can I use CVS (i.e. have my SSH private key in my homedir) and have access to my specs, ...

Thanks to Anvil's and RemiCollet's advice, I do this well now.
I use:
- a "builder" user to build my package (no private keys in this one)
- a "fedoracvs" user to communicate with Fedora CVS (cvs co <package>, ...). In this account, I can use my SSH key.
- I added fedoracvs to builder's group
- chmod 770 /home/builder

This way the "fedoracvs" user can access builder's homedir, and security risks are avoided.

This probably seems obvious to lots of Fedora packagers, but it isn't for everybody. And if *one* person accidentally gives access to Fedora CVS (a malicious makefile could send a private key to evil people), the whole Fedora CVS and repository are in danger.

So IMHO it's better to write it down.
My problem is that English isn't my mother tongue and I'm not sure I'm able to write something comprehensible.
If someone can update this document, or help me to do it, this would be great.
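
A check for the layout described in the message above, as an added example that is not part of the original post: it verifies that the build home is closed to "other", that no private key material sits under the build account, and that the key account's `~/.ssh` and private keys are owner-only. The function names, the key account's home path and the `id_*` key file names are assumptions.

```shell
#!/bin/sh
# Added example: audit the two-account split described in the post.
# Mode 770 on the build home is from the post; the key account's home
# path and the id_* key file names are assumptions.

# Octal permission bits of a path (GNU coreutils stat).
mode_of() { stat -c '%a' "$1"; }

# True when the mode grants nothing to group or other (700, 600, ...).
owner_only() { case $(mode_of "$1") in *00|0) return 0 ;; *) return 1 ;; esac; }

# audit_split BUILD_HOME KEY_HOME: prints findings, returns how many.
audit_split() {
    build_home=$1; key_home=$2; findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    # 1. Build home: 770 means no access at all for "other".
    case $(mode_of "$build_home") in
        *0) ;;
        *) fail "$build_home is accessible to other users" ;;
    esac

    # 2. No private key material anywhere under the build account.
    leaked=$(grep -rlE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        "$build_home" 2>/dev/null || true)
    [ -z "$leaked" ] || fail "private key under build home: $leaked"

    # 3. Key account: ~/.ssh and private keys closed to group and other.
    ssh_dir=$key_home/.ssh
    if [ -d "$ssh_dir" ]; then
        owner_only "$ssh_dir" || fail "$ssh_dir has mode $(mode_of "$ssh_dir")"
        for f in "$ssh_dir"/id_*; do
            case $f in *.pub) continue ;; esac
            [ -f "$f" ] || continue
            owner_only "$f" || fail "$f has mode $(mode_of "$f")"
        done
    fi
    return "$findings"
}

# Stand-alone use: sh audit.sh /home/builder /home/fedoracvs
if [ $# -eq 2 ]; then
    audit_split "$1" "$2"
fi
```

Run it as root or as the key account's user so that `~/.ssh` is readable; the exit status is the number of findings.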


