Current versions of rpm provide some help in determining whether I trust
some package enough to go ahead and install it, but people often still have
to do some work by hands.
Basically, rpm provides a way to query the package for all the information
I may want (including GPG/PGP signatures), but it does not provide any
mechanisms to help me put all that information together.
Here is what I would like to see:
(1) A way to quickly know how dangerous installing this package may be. The
levels of danger would be something like:
(a) May run programs as root (which should be reported if package
installs any files into /etc/cron.*/ hierarchy, installs files containing
scripts into /etc/logrotate.d directory, has some nontrivial
[post][un]install scripts, etc)
(b) May allow local users to run programs as root (if package installs
(c) Should be harmless (if neither a, nor b)
(2) Allow to associate signatures with some level of trust (e.g. I do not
mind installing dangerous packages if they are signed by RedHat and I do
not mind installing "harmless" packages if they are signed by any valid
I've done some small work on safety-auditing RPM packages, but it's
hard. If you assume a malicious RPM author, most if not all of the
bets are off (eg, consider an RPM that plunks a trojan version of
a commonly used-in-scripts binary down in a spot earlier on root's
default $PATH than the real one). Even if you just want to avoid
surprises, it's very system and even release-dependant, and thus
probably best left to an add-on program that uses information from
rpm to work all this out. (Possibly one could make it driven by
a configuration file that could be tuned on each system.)
When you're installing programs outside a VM, you can do pretty much everything.
GPG lets you check if you trust the packager, and that's about all you can do.
(you can of course look at scripts and choose not to run them, but that won't
help much). Solution: Don't install packages from untrusted sources unless