cervixcouch wrote:

So how exactly does one safeguard against a trojan when installing an RPM?

Check the signature of the RPM, to be sure it is really from the source you think it is. You can also look at the file list, and the scripts that are run when installing, removing, etc. I use Midnight Commander (mc) to look at what is in the RPM, and "rpm --checksig <rpm name>" to verify the RPM. urpmi also checks the signature, and asks you about installing if it doesn't match. (Not sure what it does if they do not match when running in the auto mode.) You do have to make sure your keys are kept up to date.

If you are building from a source RPM, check the .spec file to see what scripts it runs, as well as checking the source. Build as a normal user, and not root. Most .spec files are written to allow this. (You do not have to build as root for the files in the RPM to be owned by root when installed.)

Mikkel
--

  Do not meddle in the affairs of dragons,
for you are crunchy and taste good with Ketchup!
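
The checks described in the reply above (signature, install/removal scripts, file list), gathered into one pre-install review script. This is an added example, not part of the original post; `sig_ok`, `setid_files` and `review_rpm` are hypothetical helper names, and the signature test relies on the rpm output conventions stated as assumptions in the comments.

```shell
#!/bin/sh
# Pre-install review of an RPM: signature gate, then scriptlets and setuid files.
# Helper names are hypothetical; only standard rpm query options are used.

# Succeeds only if rpm reports an OK result that includes a signature.
# Assumption: rpm prints failed or missing-key checks in upper case with
# "NOT OK", and prints only digest names (no signature type) for an
# unsigned package, which would otherwise pass as "OK".
sig_ok() {
    pkg=$1
    out=$(rpm --checksig "$pkg" 2>&1) || return 1
    result=${out#"$pkg: "}        # drop the file name so it cannot match below
    case $result in
        *"NOT OK"*) return 1 ;;
    esac
    printf '%s\n' "$result" | grep -Eq 'signatures|pgp|gpg|rsa|dsa'
}

# Prints the ls-style lines for setuid/setgid files carried in the package.
setid_files() {
    rpm -qplv "$1" | grep -E '^.{3}[sS]|^.{6}[sS]' || true
}

# Refuses packages without a verified signature, then shows what to read
# before installing: the scriptlets and any setuid/setgid files.
review_rpm() {
    pkg=$1
    if ! sig_ok "$pkg"; then
        echo "REFUSE: $pkg has no verified signature" >&2
        return 1
    fi
    echo "== scriptlets run on install/removal =="
    rpm -qp --scripts "$pkg"
    echo "== setuid/setgid files =="
    setid_files "$pkg"
}

# Review a package only when one is named on the command line.
if [ $# -gt 0 ]; then
    review_rpm "$1"
fi
```

A passing result only means the package was signed by a key already in your rpm keyring, so the scriptlets and file list still need reading.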
