Hi Rich,
From the spec file,
  %if %{buildnonet}
  mkdir repo
  pushd repo
  cp $(find /var/cache/yum/build -name '*.rpm') .
  createrepo .
  popd
  %define extra --with-mirror=file://$(pwd)/repo --with-repo=fedora-12
How about the following instead:
  %if %{buildnonet}
  mkdir repo
  find /var/cache/yum/build -type f -name '*.rpm' -print0 | xargs -0 cp -t repo
  createrepo repo
  %define extra --with-mirror=file://$(pwd)/repo --with-repo=fedora-12
Then, even if someone puts maliciously-named files in that directory, those commands will copy only the intended ones. In a pathological case, the cp $(...) command could end up copying files from arbitrary locations.
The only drawback is that the new commands rely on GNU find and xargs for -print0 and -0, and GNU cp for its --target-directory=DIR (-t DIR).
IMHO, this feels like another reason to put the .spec file under version control with the rest of the code.
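As an added demonstration (not code from this thread or the project): a throwaway sandbox with constructed file names, in which both copy commands are run and the resulting repo contents compared. The unquoted $(find ...) result is word-split on whitespace and then glob-expanded, so a name containing a space is lost and a bare "*" in a name is expanded against the current directory; the -print0 | xargs -0 cp -t form hands every name to cp intact. One assumption to note: the sandbox runs both commands from the build directory (where the proposed version runs cp -t repo) rather than from inside an empty repo directory, so that the current directory holds an unrelated file the glob can pick up. GNU cp is assumed for -t.

```shell
#!/bin/sh
# Added demonstration, not code from the thread: build a sandbox with
# constructed file names and run both copy commands in it.
# Requires GNU cp (for -t); find -print0 / xargs -0 are GNU and BSD.
set -u

# Sandbox layout (all names constructed for the demo):
#   $sb/cache/good-1.0-1.noarch.rpm   the only file we want
#   $sb/cache/evil name.rpm           whitespace: splits into two words
#   $sb/cache/x * .rpm                bare "*" is glob-expanded against CWD
#   $sb/secret.txt                    unrelated file in the build dir
#   $sb/repo/                         destination
make_sandbox() {
    sb=$(mktemp -d)
    mkdir "$sb/cache" "$sb/repo"
    echo "real package" > "$sb/cache/good-1.0-1.noarch.rpm"
    echo "malicious"    > "$sb/cache/evil name.rpm"
    echo "malicious"    > "$sb/cache/x * .rpm"
    echo "private"      > "$sb/secret.txt"
    printf '%s\n' "$sb"
}

# Files now in $sb/repo, C-sorted and joined with '|' on one line.
repo_contents() {
    ( cd "$1/repo" && find . -type f | sed 's|^\./||' | LC_ALL=C sort | paste -s -d '|' - )
}

# Original spec: the unquoted $(find ...) output is word-split on
# whitespace and then glob-expanded before cp ever sees it.  cp complains
# about the fragments it cannot find, but still copies whatever resolved,
# including the unrelated secret.txt matched by the expanded "*".
unsafe_copy() {
    ( cd "$1" && cp $(find cache -name '*.rpm') repo ) || true
    repo_contents "$1"
}

# Proposed replacement: NUL-delimited names reach cp intact, and -t makes
# the target explicit so no file name can be mistaken for it.
safe_copy() {
    ( cd "$1" && find cache -type f -name '*.rpm' -print0 | xargs -0 cp -t repo )
    repo_contents "$1"
}

sb=$(make_sandbox); echo "unsafe: $(unsafe_copy "$sb")"; rm -rf "$sb"
sb=$(make_sandbox); echo "safe:   $(safe_copy "$sb")";   rm -rf "$sb"
```

The unsafe variant ends up with good-1.0-1.noarch.rpm and secret.txt in repo (the file with the space in its name never arrives), while the safe variant copies exactly the three .rpm files from the cache.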
Thanks, applied to the git repo.
Rich.