rpm-software-management / dnf5

Next-generation RPM package management system

Support .netrc #646

Open kuchara opened 1 year ago

kuchara commented 1 year ago

.netrc is a file intended for storing credentials to various hosts.

It allows avoiding embedding the username/password inside repository configuration files, which means there could be a static configuration file that can be shared between different users (e.g. humans and bots, during production). Also, when running dnf in docker, one may provide just one secret to the container (.netrc).

Note that many commands support it already, like libcurl, with CURLOPT_NETRC (and auxiliary CURLOPT_NETRC_FILE), curl CLI with --netrc option, wget takes .netrc by default.

To preserve backward compatibility, the user could opt in to use this feature, meaning: DNF could support a new option that takes credentials from .netrc. The option could be set globally in dnf.conf, or as a command line argument. The username/password provided in the repo configuration should take preference over credentials in .netrc.

b1tles commented 1 year ago

I'd love this! It would be great to be able to pass a .netrc file as a secret to docker build and not to worry about accidentally baking credentials into images.

jan-kolarik commented 1 year ago

As we focus our development on the new DNF5 package manager which should soon replace the existing default DNF in Fedora Linux, I will transfer this issue into the DNF5 project.

keithbowes commented 1 week ago

An odd request, as everyone these days is wanting to move from passwords in cleartext files to encrypted passwords, because anyone with a live disk can see the contents of all your files, even those files with 0600 permissions. I don't know who exactly wants access to my passwords, but some people seem awfully paranoid about it.

kuchara commented 1 week ago

Well, the possibility of using such an option does not mean everyone must use it.

Note that in automated systems (like Kubernetes), this file shall be encrypted, and then decrypted/mounted into the docker container.

About your other concerns: On a server, somewhere in a locked server room, no one would plug in a live disk to eavesdrop on any files. For a regular PC, the whole partition where you keep secrets may be encrypted, so no one would be able to access it, even from a live disk.

ppisar commented 1 week ago

I guess DNF5 and librepo should call curl_easy_setopt(, CURLOPT_NETRC, CURL_NETRC_OPTIONAL) to use credentials from .netrc if not already specified explicitly within DNF5 configuration.
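The precedence rule proposed in the opening comment (explicit repo credentials win, .netrc fills the gaps) is exactly what CURL_NETRC_OPTIONAL gives inside libcurl, as the previous comment notes. The following C++ program is an added illustration written for this discussion, not code from DNF5, librepo or libcurl: it parses a constructed sample .netrc, resolves credentials for a host with that precedence, and refuses a .netrc readable by other users (a policy check the 0600 remark above invites; libcurl does not enforce it for you). Handling of a `default` entry follows wget's semantics and is an assumption here, as is the `/tmp/netrc-example` path.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fstream>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

struct NetrcEntry {
    std::string machine;     // empty for a "default" entry
    std::string login;
    std::string password;
    bool is_default = false;
};

// Parse .netrc text. Keywords are whitespace separated and may span lines;
// "machine"/"default" open an entry, "login"/"password"/"account" attach to the
// most recent one, and a "macdef" body runs to the next blank line and is
// skipped so macro text is never mistaken for a credential. No comment syntax
// is assumed.
std::vector<NetrcEntry> parse_netrc(const std::string& text) {
    std::vector<std::string> tokens;
    std::istringstream lines(text);
    std::string line, tok;
    bool in_macdef = false;
    while (std::getline(lines, line)) {
        if (in_macdef) {                                   // body ends at a blank line
            if (line.find_first_not_of(" \t\r") == std::string::npos) in_macdef = false;
            continue;
        }
        std::istringstream toks(line);
        while (toks >> tok) {
            if (tok == "macdef") { in_macdef = true; break; }   // rest of line is the macro name
            tokens.push_back(tok);
        }
    }
    std::vector<NetrcEntry> entries;
    for (size_t i = 0; i < tokens.size(); ++i) {
        const std::string& t = tokens[i];
        if (t == "default") { entries.push_back({"", "", "", true}); continue; }
        if (t == "machine" || t == "login" || t == "password" || t == "account") {
            if (i + 1 >= tokens.size()) break;             // keyword without a value
            const std::string& v = tokens[++i];
            if (t == "machine") entries.push_back({v, "", "", false});
            else if (t == "login" && !entries.empty()) entries.back().login = v;
            else if (t == "password" && !entries.empty()) entries.back().password = v;
            // "account" is accepted for compatibility and otherwise ignored
        }
    }
    return entries;
}

// Precedence as proposed in the issue and as CURL_NETRC_OPTIONAL behaves:
// explicit user+password wins outright; an explicit user alone gets its
// password from the matching host+login entry; nothing explicit means the
// first matching host entry supplies both, with "default" as the fallback.
std::optional<NetrcEntry> resolve_credentials(const std::vector<NetrcEntry>& netrc,
                                              const std::string& host,
                                              const std::string& cfg_user,
                                              const std::string& cfg_pass) {
    if (!cfg_user.empty() && !cfg_pass.empty())
        return NetrcEntry{host, cfg_user, cfg_pass, false};
    const NetrcEntry* fallback = nullptr;
    for (const auto& e : netrc) {
        if (e.is_default) { if (!fallback) fallback = &e; continue; }
        if (e.machine != host) continue;
        if (!cfg_user.empty() && e.login != cfg_user) continue;
        return e;
    }
    if (fallback && cfg_user.empty()) return *fallback;
    return std::nullopt;
}

// Added policy check: a .netrc that group/others can access is refused.
bool netrc_is_private(const std::string& path) {
    struct stat st{};
    if (stat(path.c_str(), &st) != 0) return false;
    return S_ISREG(st.st_mode) && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

// Create or overwrite a file with mode 0600 regardless of umask or prior mode.
bool write_private_file(const std::string& path, const std::string& contents) {
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return false;
    if (fchmod(fd, 0600) != 0) { close(fd); return false; }
    ssize_t n = write(fd, contents.data(), contents.size());
    close(fd);
    return n == static_cast<ssize_t>(contents.size());
}

std::optional<std::vector<NetrcEntry>> load_netrc(const std::string& path) {
    if (!netrc_is_private(path)) return std::nullopt;
    std::ifstream in(path);
    std::stringstream buf;
    buf << in.rdbuf();
    return parse_netrc(buf.str());
}

// Constructed sample .netrc; hosts and secrets are invented for this example.
const char* const kSampleNetrc =
    "machine repo.example.internal login builder password s3cret\n"
    "machine mirror.example.internal\n"
    "  login human\n"
    "  password hunter2\n"
    "macdef init\n"
    "  echo never-parsed-as-credentials\n"
    "\n"
    "default login anon password anon@example.invalid\n";

int main() {
    const std::string path = "/tmp/netrc-example";        // hypothetical path
    if (!write_private_file(path, kSampleNetrc)) return 1;
    auto netrc = load_netrc(path);
    unlink(path.c_str());
    if (!netrc) { std::cerr << "refusing a .netrc readable by others\n"; return 1; }
    auto c = resolve_credentials(*netrc, "mirror.example.internal", "", "");
    std::cout << c->login << ":" << c->password << "\n";
    return 0;
}
```

Run it and the lookup for mirror.example.internal prints the second entry's credentials; pass a non-empty user and password from the repo configuration to `resolve_credentials` and the .netrc is never consulted, which is the backward-compatible behaviour the issue asks for.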

ppisar commented 1 week ago

It seems that the only direct use of curl in DNF5 is the dnf5-plugins/automatic_plugin/emitters.cpp plugin, and that already sets CURLOPT_NETRC like that. So the remaining piece of the puzzle is librepo.