>--- Scot Mc Pherson <scot@xxxxxxxxxxxxxxxxxxxx> wrote:
On Saturday 23 October 2004 04:10 pm, E SA wrote:
All,
I would like to be able to look at the full spec file from a vendor's RPM.
I know that if I do:
rpm -qp --scripts foo.1-1.rpm
I can see part of it.
How can I see %prep, %setup, %make and others?
Beforehand, thank you for your help!
You can't, you need the srpm to get the spec file.
The spec file isn't packaged normally with the RPM.
Something that might be of interest is to provide the spec file as a %doc when
packaging.
MMMmmmmm.... Is that not a huge security hole?
I *have* to install an rpm from a vendor... source rpm is not an option, as the binary rpm is all I have.
The rpm will execute tasks as root... However, I can not tell what they are?
$ rpm -qp --scripts foo-x.y.z.i386.rpm
will show the scriptlets run at various stages in the package install / update / removal process.
$ rpm -qlp foo-x.y.s.i386.rpm
will show the files which the package thinks it owns.
What if they are compromising my system?
You are on the horns of an insoluble dilemma, even though RPM will show you the install-time scripts, because the application which the vendor installs could be back-doored to hell and gone, but be invisible to you. Typical binary-only packages, for instance, might be device drivers, which run *inside your kernel at "ring 0"*. Other packages might be *intended* to start services; you can't know that the binary-only version doesn't have a back-door account wired in. Even for "client-side" software, you can't know that the application won't scour your hard drive, your mail, etc., and phone home to some IRC ha#0rs channel.
A vendor who won't give you the source is asking you to trust him implicitly; your choices are to go ahead, taking your chances, or else to find another vendor.
Tres.
--
===============================================================
Tres Seaver                                tseaver@xxxxxxxx
Zope Corporation      "Zope Dealers"       http://www.zope.com

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
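The pre-install review discussed in this thread (scriptlets via `rpm -qp --scripts`, file list via `rpm -qlp`), as an added example that is not part of the original messages: it filters that output down to the lines most worth reading by hand. The function names, the match patterns and the sample output are assumptions constructed for illustration; `rpm -K`, `--triggers` and `rpm -qlvp` go beyond the two commands quoted above.

```shell
#!/bin/sh
# Added example: triage what a binary RPM will run as root before installing it.
# The patterns are illustrative assumptions, not a complete list.

# stdin: output of `rpm -qp --scripts PKG` (or --triggers).
# stdout: "section: line" for scriptlet lines that touch accounts, setuid
# bits, persistence, kernel modules or the network.
flag_scriptlets() {
  awk '
    BEGIN { section = "unknown" }
    /^[a-z]+ scriptlet \(/ { section = $1; next }  # "postinstall scriptlet (using /bin/sh):"
    /useradd|usermod|\/etc\/(passwd|shadow|sudoers)/ ||
    /chmod +[2-7][0-7][0-7][0-7]|chmod +[ugoa]*[+]s/ ||
    /curl|wget|\/etc\/cron|authorized_keys|insmod|modprobe/ {
      print section ": " $0
    }'
}

# stdin: output of `rpm -qlvp PKG` (ls -l style listing).
# stdout: mode and path of setuid/setgid regular files (paths without spaces).
flag_setid_files() {
  awk '$1 ~ /^-..[sS]/ || $1 ~ /^-.....[sS]/ { print $1, $NF }'
}

# Real use: review_rpm foo-x.y.z.i386.rpm
review_rpm() {
  pkg=$1
  rpm -K "$pkg"      # digest/signature check; needs the vendor key imported
  { rpm -qp --scripts "$pkg"; rpm -qp --triggers "$pkg"; } | flag_scriptlets
  rpm -qlvp "$pkg" | flag_setid_files
}

# Constructed sample output, so the filters can be exercised without a package.
SAMPLE_SCRIPTS='preinstall scriptlet (using /bin/sh):
/usr/sbin/useradd -r -s /sbin/nologin food
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add food
chmod 4755 /opt/foo/bin/helper
preuninstall scriptlet (using /bin/sh):
/sbin/service food stop'
SAMPLE_FILES='-rwxr-xr-x    1 root    root    48211 Oct 23  2004 /opt/foo/bin/food
-rwsr-xr-x    1 root    root    10240 Oct 23  2004 /opt/foo/bin/helper
-rw-r--r--    1 root    root      512 Oct 23  2004 /etc/foo.conf'

printf '%s\n' "$SAMPLE_SCRIPTS" | flag_scriptlets
printf '%s\n' "$SAMPLE_FILES" | flag_setid_files
```

A clean result only covers the install-time scripts and file modes; as the reply above says, it tells you nothing about what the installed binaries themselves do.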