On Sat, 2004-10-23 at 13:10 -0700, E SA wrote:
> All,
>
> I would like to be able to look at the full spec file
> from a vendor's RPM.
>
> I know that if I do:
>
> rpm -qp --scripts foo.1-1.rpm

You probably want to add --triggers here too.

> I can see part of it.
>
> How can I see %prep, %setup, %make and others?

As others have said, if you have a binary blob all bets are off. This is not rpm's fault. Even seeing the steps for %prep, %setup and friends isn't going to provide you with any extra security; for that you need to audit the package. If something has a fall-through case or even a simple rogue unlink, seeing ./configure && make && make DESTDIR=$RPM_BUILD_ROOT install isn't going to buy you anything.

It's a question of trust: if you need to guarantee security or box off the application, you need to look at frameworks that allow you to do that. A MAC framework such as SELinux is ideal in this case, as you can allow the binary blob to do certain tasks but no more; if you stress the package under a very strict policy you'll see avc errors for everything the package tries to do. Without the source, MAC is really the only way you can guarantee certain behaviour. Even if you allow network access, if the daemon is compromised the privileges obtained from the shell will be restricted to that daemon, so it can clobber its config, logs, etc. but nothing else (assuming a good policy).

As with any security decision, it is up to you to assess the risk and make a call. RPM isn't a policy tool; having that info isn't going to help. You have the SHA-1/MD5 to ensure no tampering and also signatures to verify it's from a source.

Paul

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
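The practical checks the thread describes (verify the signature first, then dump the scriptlets and triggers, which are the only executable parts of a binary RPM you can see without the source) put together as a small script. This is an added example, not code from the original post or from the rpm project. The `checksig_ok` function matches the `rpm -K` verdict lines as I recall them for the rpm 4.4-era and the rpm >= 4.14 output formats; check them against your own rpm version before relying on it. The `flag_suspicious` pattern list is my own choice of things worth a manual look, not an authoritative blacklist; a clean grep proves nothing, as Paul says.

```shell
#!/bin/sh
# Added example (not from the original post): inspect what a binary RPM
# actually exposes, in the order a cautious admin would check it.
# Assumptions: rpm(8) is installed and the vendor's GPG key has been
# imported with `rpm --import`; the package path is given as $1.

# Return 0 only if an `rpm -K` verdict line reports a *verified signature*.
# Sample verdicts (as recalled; confirm with your rpm version):
#   foo-1-1.rpm: (sha1) dsa sha1 md5 gpg OK          -> signed, key known
#   foo-1-1.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: ...)
#   foo-1-1.rpm: sha1 md5 OK                         -> digests only, unsigned
#   foo-1-1.rpm: digests signatures OK               -> rpm >= 4.14 wording
#   foo-1-1.rpm: digests OK                          -> rpm >= 4.14, unsigned
checksig_ok() {
    line="$1"
    case "$line" in
        *"NOT OK"*) return 1 ;;          # bad signature or unknown key
        *" OK") ;;                       # digests fine, keep checking
        *) return 1 ;;
    esac
    case "$line" in
        *gpg*|*signatures*) return 0 ;;  # a signature was actually verified
        *) return 1 ;;                   # intact, but no proof of origin
    esac
}

# Print scriptlet lines that deserve a manual look (reads files or stdin).
# Returns 0 if anything was flagged, 1 if nothing matched.
flag_suspicious() {
    grep -n -E 'rm -rf|unlink|chmod 777|curl |wget |nc |/dev/tcp|eval |base64' "$@"
}

inspect_rpm() {
    pkg="$1"
    verdict=$(rpm -K "$pkg")
    echo "$verdict"
    if ! checksig_ok "$verdict"; then
        echo "refusing to inspect further: signature not verified" >&2
        return 1
    fi
    # %pre/%post/%preun/%postun plus trigger scriptlets: the only code
    # in the package that runs at install time and is visible here.
    scripts=$(rpm -qp --scripts --triggers "$pkg")
    echo "$scripts"
    echo "--- lines worth a second look ---"
    echo "$scripts" | flag_suspicious || echo "(none matched; this proves nothing)"
    # File list and changelog for the rest of the manual audit.
    rpm -qpl "$pkg"
    rpm -qp --changelog "$pkg" | head -n 20
}

if [ "$#" -gt 0 ]; then
    inspect_rpm "$1"
fi
```

Run it as `sh inspect_rpm.sh foo-1-1.rpm`. The signature gate comes first on purpose: a digest-only "OK" only tells you the file was not corrupted in transit, not who built it, which is the distinction Paul draws between the SHA-1/MD5 digests and the GPG signature.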