On Sat, 2002-03-09 at 04:32, Luca Olivetti wrote:
> Bill Anderson wrote:
> > RPMs have one glaring problem. To be safe, you *must* either download and rebuild a .src.rpm, or download both. Why, you may ask? Simple. You can get a list of the files in an RPM, sure. But you don't get to see what scripts the rpm will execute when installing, without looking at the spec file. Period.
>
> rpm -qp --scripts just-downloaded-rpm-file.rpm

Only the ones listed in the spec-file. If I put mynastyscript.sh in the /tmp directory, and then run it in the postinstall, and the script removes itself, you have learned essentially nothing. Sorry, I was a bit terse in the original post.

RPMs do little-to-nothing for security; convenience, yes, but not security. By the time you have looked at the scripts list, the files list, and verified the signature, you have fairly well eliminated a lot of the convenience.

--
Bill Anderson
Linux in Boise Club http://www.libc.org
Amateurs built the Ark, professionals built the Titanic.
Amateurs build Linux, professionals build Windows(tm).
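
The review gap described in this message can be narrowed by cross-checking the scriptlets against the package's own file list. The following is an added example, not part of the original thread: it flags every packaged file that a scriptlet names, so the reviewer knows which payload files must be read as well. The function name, the input file names, and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Inputs are saved output from the package under review (names are assumptions):
#   rpm -qp --scripts pkg.rpm > scripts.txt
#   rpm -qpl pkg.rpm          > files.txt
# Prints "<scriptlet>: <path>" for every packaged file a scriptlet names,
# i.e. install-time code that --scripts alone does not display.
scriptlet_payload_refs() {   # $1 = scripts.txt, $2 = files.txt
    awk '
        NR == FNR { if ($0 != "") packaged[$0] = 1; next }
        # Section header as printed by rpm, e.g.
        # "postinstall scriptlet (using /bin/sh):" (older: "script (through").
        /^[a-z]+ script(let)? \((using|through) / { section = $1; next }
        {
            # Split on whitespace and shell punctuation, then match whole
            # tokens so "/usr/bin" does not match "/usr/bin/foo".
            n = split($0, tok, /[ \t;|&<>()"'\''`=]+/)
            for (i = 1; i <= n; i++)
                if ((tok[i] in packaged) && !seen[section, tok[i]]++)
                    print section ": " tok[i]
        }
    ' "$2" "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample data mirroring the case described in the post.
    cat > "$d/files.txt" <<'EOF'
/tmp/mynastyscript.sh
/usr/bin/example-tool
/usr/share/doc/example/README
EOF
    cat > "$d/scripts.txt" <<'EOF'
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
sh /tmp/mynastyscript.sh; rm -f /tmp/mynastyscript.sh
preuninstall scriptlet (using /bin/sh):
echo "removing example-tool"
EOF
    scriptlet_payload_refs "$d/scripts.txt" "$d/files.txt"
    rm -rf "$d"
}

demo
```

Each flagged path is a file to unpack and read before installing, for example with `rpm2cpio just-downloaded-rpm-file.rpm | cpio -idmv` in a scratch directory. The check only catches paths written literally in the scriptlet, so a path assembled from variables will not be flagged.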