On Tue, Oct 23, 2001 at 01:17:14AM +0200, Javier Fernández-Sanguino Peña wrote:
>
> So, is it possible to limit those scripts or am I just thinking on
> trying to put a fence around the desert? (not really sure if that's the
> appropriate expression BTW :P

even without maintainer scripts there are plenty of ways to do evil in a
trojan.deb (or trojan.tgz, or trojan.rpm...)

simply including an /etc/passwd with backdoor accounts comes to mind.
since /etc/passwd belongs to no package dpkg won't complain. (i don't
think so anyway.. i haven't tested this)

of course that particular example would be noticed since the existing
accounts would be gone.. but you get the idea.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
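
A pre-install check for the case raised in this message, as an added example that is not part of the original post: it reads `dpkg-deb --contents` output and reports payload files that already exist on the system but that no installed package owns. The sample listing and the function names are constructed for illustration; ownership is looked up with `dpkg-query -S`.

```python
import os
import subprocess
import sys

# Constructed sample of `dpkg-deb --contents some.deb` output (not from a real package).
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2001-10-22 12:00 ./
drwxr-xr-x root/root         0 2001-10-22 12:00 ./etc/
-rw-r--r-- root/root       812 2001-10-22 12:00 ./etc/passwd
drwxr-xr-x root/root         0 2001-10-22 12:00 ./usr/bin/
-rwxr-xr-x root/root     90112 2001-10-22 12:00 ./usr/bin/less
-rwxr-xr-x root/root      4096 2001-10-22 12:00 ./usr/bin/newtool
lrwxrwxrwx root/root         0 2001-10-22 12:00 ./usr/bin/nt -> newtool
"""

def parse_listing(listing):
    """Yield (mode, absolute_path) for each entry in the listing."""
    for line in listing.splitlines():
        fields = line.split(None, 5)  # mode owner size date time name
        if len(fields) < 6:
            continue
        mode, name = fields[0], fields[5]
        # Drop the target of symlinks and hard links.
        name = name.split(" -> ")[0].split(" link to ")[0]
        if name.startswith("./"):
            name = name[1:]
        elif not name.startswith("/"):
            name = "/" + name
        yield mode, (name.rstrip("/") or "/")

def dpkg_owns(path):
    """True if an installed package claims path (dpkg-query -S exits 0).
    Note: -S takes a pattern, so glob characters in path are not literal."""
    result = subprocess.run(["dpkg-query", "-S", path], capture_output=True)
    return result.returncode == 0

def unowned_overwrites(listing, exists=os.path.lexists, owned=dpkg_owns):
    """Non-directory payload paths that exist locally but belong to no package."""
    return [path for mode, path in parse_listing(listing)
            if not mode.startswith("d") and exists(path) and not owned(path)]

if __name__ == "__main__":
    # Usage: dpkg-deb --contents some.deb | python3 this_script.py
    hits = unowned_overwrites(sys.stdin.read())
    for path in hits:
        print("would replace unowned file:", path)
    sys.exit(1 if hits else 0)
```

The `exists` and `owned` parameters can be replaced with lookups against a reference file list when the check has to run on a machine other than the install target.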