Todd Zullinger wrote:
> By policy, there are things that rpm scriptlets should not do. But if you created an rpm which had a %post section containing rm -rf /, rpm would run it AFAIK.
>
> > I wonder how easy it is to create a rootkit/trojan horse/whatever and get it loaded on Fedora users' computers.
>
> You would need to create a trojan package and get it onto the mirrors, signed by the Fedora package signing key for a particular release. This is not an easy task.
Really? Have you seen a list telling you who reviewed which package before it got signed with the Fedora key?

Probably there are lots of packages reviewed by their authors only?

STF
=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434 25D7 E87F A1B9 B80F 8062
=======================================================================
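As an added example (not code from this thread or from Fedora), a POSIX shell audit that does what Todd's point implies a defender has to do: check the package signature and actually read the scriptlets before rpm runs them as root. The pattern list, the sample scriptlet text and the script name are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an RPM's scriptlets before
# installing it. rpm runs %pre/%post/%preun/%postun as root without any
# policy check, so the only defences are a good signature and reading them.

# Patterns a scriptlet has no business containing (constructed list, extend
# as needed): recursive rm of / or /*, fetching remote content, and piping
# anything into a shell.
SUSPICIOUS_PATTERNS='rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*([[:space:]]+-[^[:space:]]+)*[[:space:]]+/(\*|[[:space:]]|$)|(^|[[:space:]|;])(curl|wget)[[:space:]]|\|[[:space:]]*(ba)?sh([[:space:]]|$)'

# audit_scriptlets: reads scriptlet text on stdin, prints each offending
# line as "lineno:text", returns 1 if anything matched and 0 when clean.
# Comment lines are dropped so a mention inside a comment is not a finding.
audit_scriptlets() {
    hits=$(grep -nE "$SUSPICIOUS_PATTERNS" | grep -vE '^[0-9]+:[[:space:]]*#') || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# check_rpm_file: verify the package signature against the keys imported
# into the rpm database, then audit its scriptlets. Needs the rpm CLI.
# Returns 2 on a bad or missing signature, 1 on a scriptlet finding, 0 if ok.
check_rpm_file() {
    pkg=$1
    if ! rpm --checksig "$pkg" >/dev/null 2>&1; then
        printf 'signature check failed: %s\n' "$pkg" >&2
        return 2
    fi
    rpm -qp --scripts "$pkg" 2>/dev/null | audit_scriptlets
}

# Usage: sh audit-rpm.sh pkg1.rpm [pkg2.rpm ...]  (script name is an assumption)
for pkg in "$@"; do
    if check_rpm_file "$pkg"; then
        printf 'ok: %s\n' "$pkg"
    else
        printf 'REJECT: %s\n' "$pkg" >&2
    fi
done
```

Note that `rpm --checksig` only proves the package was signed by a key you have imported; it says nothing about who reviewed the contents, which is exactly STF's objection.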