This sounds like a prime new vector for malware, ironically.

My understanding is probably not: the hooks are configured locally, not by other packages automatically, so you’d install and setup the pre-install hooks yourself to check the packages before install/update.

Can it be exploited? Yes, anything can. But that’s not a reason to not do this if the overall result is better.

▲

self_awareness 6 hours ago | parent | prev [-]

And how a malware can use this if it's configured globally in a root:root owned config file?

▲

drdexebtjl 6 hours ago | parent [-]

Not all package managers require root.

But yeah, maybe through an exploit with a narrow reach. Once in, the malware can veto security updates and escalate to full control.

	▲	self_awareness 6 hours ago \| parent [-]
		With root, malware can reach out to UEFI anyway, and can do whatever it likes.