When mysql is installed there is no question or warning about setting a password for the mysql user root. This means that any user on the host that mysqld is running on has all privileges and can do anything with all databases until a password is set. -psi
If you install it, you need to configure it. Default passwords considered harmful.
The rpm version distributed by the mysql group warns the installer to set a password at least. The current RH mysql install is silent; this is likely to cause some interesting problems for the unwary. I strongly agree that default passwords are bad. -psi
Returning output (or asking for input) from one of the post/pre scripts is considered bad - you wouldn't necessarily see it. RPM is designed to be non-interactive.
What then about adding something like this to /etc/rc.d/init.d/mysql, just after starting mysqld:

    mysqladmin --user root processlist > /dev/null 2> /dev/null && echo "Unsafe mysql!"

This will unfortunately also trigger if the password is set in /root/.my.cnf but that case should be easy to take care of with a few script lines. The important thing is to warn of a very insecure situation.
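An added example, not part of the thread above and not the package's own init script: one way to write the proposed start-up check so that a password stored in /root/.my.cnf does not cause a false warning. The function names and the MYSQLADMIN and MYSQL_SOCKET variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: warn when MySQL root accepts a connection with no password.
# MYSQLADMIN and MYSQL_SOCKET are assumed override hooks, not package settings.
MYSQLADMIN="${MYSQLADMIN:-mysqladmin}"

# Prints one of:
#   open       root connected without a password (the unsafe case)
#   protected  the server refused the passwordless login
#   unknown    the server could not be reached, so nothing was proven
# --no-defaults must be the first option. It stops mysqladmin from reading
# /etc/my.cnf and ~/.my.cnf, so a password kept in /root/.my.cnf is never
# sent and a protected server is not reported as open. Because option files
# are skipped, a non-default socket path has to be given via MYSQL_SOCKET.
root_access_state() {
    err=$("$MYSQLADMIN" --no-defaults \
            ${MYSQL_SOCKET:+"--socket=$MYSQL_SOCKET"} \
            --user=root processlist 2>&1 >/dev/null) && {
        echo open
        return 0
    }
    case $err in
        *"Access denied"*) echo protected ;;
        *)                 echo unknown ;;
    esac
}

# Returns 1 and prints a warning on stderr only when root is proven open.
warn_if_unsafe_root() {
    state=$(root_access_state)
    case $state in
        open)
            echo "Unsafe mysql! root can log in without a password." >&2
            return 1 ;;
        unknown)
            echo "mysql root password check skipped: server not reachable." >&2 ;;
    esac
    return 0
}

# Run the check once; in an init script this goes right after mysqld starts.
warn_if_unsafe_root || :
```

The "unknown" state keeps a server that is still starting up, or listening on another socket, from being mistaken for a protected one.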