Joe Buck on Monday, August 29. 2016:
> If I understand correctly, to exploit bugs of this nature on a Red Hat system you’d have to produce a corrupted .rpm and convince someone to sign it, which might also require you to trick them into installing the key that you signed the package with. But installing an RPM will execute installation scripts, as root. So there’s no need to exploit data corruption for someone to get an exploit: the victim is already giving you root on their system just by the fact that they are installing your RPM. So I think it’s appropriate for Red Hat to treat bugs of this kind as lower priority than other security bugs (though ideally they should be fixed).
Based on this comment, it makes me think that this is an example of someone trying to communicate something important (RPM’s development process is busted) and doing a REALLY poor job of it by pointing out what appear at least at first glance to be extremely low risk security issues.
Kind of a pity, I’ve long felt that RPM and its constellation of tools are a bit of a mess.