[Rpm-maint] [rpm-software-management/rpm] install-time data API (Discussion #3874)

Panu Matilainen notifications at github.com
Thu Sep 25 06:50:18 UTC 2025


> I have a similar use case (https://github.com/rpm-software-management/rpm/discussions/3503) that would make use of being able to add install-time data about packages.

Huh? Is there a typo in that link? I fail to see how %check or rpmbuild in general is related at all.

> What are the malicious concerns and corresponding safeguards?

Without additional safeguards, this is an open check to add arbitrary content to an installed package, ranging from scripts to signatures to misleading data, all of which goes outside the signed header part so it's silent. There need to be some fundamental restrictions on the data that can be added through this mechanism, maybe an explicit allow-list for tags that are permitted or something like that.

> Are there API footguns around a superset of rpmtsAddInstallElement that adds a Header aux argument?

rpmtsAddInstallElement() is not a good fit for various use-cases we have, we'd rather not add to a bad API that already has too many arguments to it. Also, you don't need to. You can hook up to rpmtsSetChangeCallback() to get access to rpmte's as they are added, which also lets you deal with the cases where rpm replaces an element that got obsoleted etc.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/3874#discussioncomment-14506881