Signing a package
Is it necessary to use "sudo" to sign a package when running
"dpkg-buildpackage"? The only examples I have seen have used -rsudo.
I prefer not to use this if I can avoid it.
The group I work with has settled on using ssh or kerberos
authentication for actions that require super user permission. I am
reluctant to install sudo simply so I can sign a package I create.
Using sudo would be against our current practice and, more importantly, I
will then be the person responsible for ensuring that it doesn't leave
security holes. This means I have to be very careful how I configure
it. Reading the "sudoers" manual page was not pleasant. I had
visions of having to embark on a project similar to configuring
sendmail simply so I could do one trivial action. (Regrettably this
caused me to vent at a person who was trying to help me. I apologize,
Dirk).
I would ask for one of three options:
1) Please tell me what I would need to do by hand running as a regular
user to sign packages I create using "dpkg-buildpackage -us -uc".
I do have pgp (for me, the pgp-us package) installed and have created
a key.
2) Please tell me if I can use a -r"ssh ..." option to
dpkg-buildpackage. I would already have executed ssh-agent and
ssh-add. I tried a couple of obvious incantations like
-r"ssh -l root localhost"
but that didn't work, presumably because I lose some environment
variables and the current working directory upon the creation of
the new shell.
3) Please describe a minimal, secure /etc/sudoers file that would
allow me to use dpkg-buildpackage -rsudo but not let the bad guys
get root access.
--
Douglas Bates bates@stat.wisc.edu
Statistics Department 608/262-2598
University of Wisconsin - Madison http://www.stat.wisc.edu/~bates/