On Tue, Oct 23, 2001 at 01:17:14AM +0200, Javier Fernández-Sanguino Peña wrote:
>
> So, is it possible to limit those scripts or am I just thinking on
> trying to put a fence around the desert? (not really sure if that's the
> appropriate expression BTW :P

even without maintainer scripts there are plenty of ways to do evil
in a trojan.deb (or trojan.tgz, or trojan.rpm...)

simply including an /etc/passwd with backdoor accounts comes to mind.
since /etc/passwd belongs to no package dpkg won't complain. (i don't
think so anyway.. i haven't tested this)

of course that particular example would be noticed since the existing
accounts would be gone.. but you get the idea.

--
Ethan Benson
http://www.alaska.net/~erbenson/