Todd Zullinger wrote:
By policy, there are things that rpm scriptlets should not do. But if
you created an rpm which had a %post section containing rm -rf /, rpm
would run it AFAIK.
Oh! 8-O
> I wonder how easy it is to create a rootkit/trojan horse/whatever
> and get it loaded on Fedora users' computers.
You would need to create a trojan package and get it onto the mirrors,
signed by the Fedora package signing key for a particular release.
This is not an easy task
Really? Have you seen a list telling you who reviewed which package
before it got signed with the Fedora key?
Probably there are lots of packages reviewed by their authors only?
STF
=======================================================================
http://eisenbits.homelinux.net/~stf/
OpenPGP: 9D25 3D89 75F1 DF1D F434 25D7 E87F A1B9 B80F 8062
=======================================================================