On Thu, Apr 10, 2008 at 3:28 PM, Ville Skyttä <ville.skytta@xxxxxx> wrote:
> It extracts rpm contents only with "rpm2cpio | cpio", not tarballs etc within.

Oh, I see, right.

> Not sure if running "rpmbuild -bp" would be considered a potential security
> issue, and I'd rather not even try re-implementing what %setup does to get
> around that (at least in upstream rpmlint; in Fedora it could use
> rpmdev-extract for that).

It wouldn't be very hard to write a SELinux policy for this, but I guess
people would still want a DAC solution.

Well, I think we do need some program to run for automated checks on
sources. If that can't be rpmlint, I guess a new one is in order?

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list