Re: Inspecting .deb files with ar
The next time you're starved for amusement (or worried that there might be a Trojan in your .deb), read the man page for 'ar' and play around unpacking a .deb with it to inspect the contents...
The command is ar -x PACKAGENAME
You could also try dpkg -x PACKAGENAME OUTPUTDIR, which is likely to work even when the deb format changes, as I assume at some time in the future it will. Not using bzip2 for these packages is silly; it would cut down package size and bandwidth requirements at the cost of a few extra cycles on local machines. Anyone know what compression/archiver Red Hat uses? I seem to recall using cpio and gzip (?) maybe.
Re: Assume the packages are hostile... (above)
You make some good, if not paranoid, points.
That said, things like dpkg --listfiles should help somewhat here. See what's going to happen before you install a package if you don't trust it. Some kind of option to show the actions which would be performed would also be good (like make -n). This does not help if you are doing huge automated upgrades, but it would help if you are installing third party packages on a system you need to know is secure.
Note: dpkg --listfiles is only for already installed packages; you should use dpkg --contents PACKAGENAME.deb instead if the package is not already installed.
The real problem with relying on this is that both RPMs and debs have install scripts which you cannot examine without opening the package (which is no big deal, but far less convenient). If I really wanted to write a trojan I'd put the file corruption/replacement stuff in the script and then after the package is installed I'd replace the script with a blank file or innocuous script, covering my tracks. This would also prevent RPM/dpkg/apt from complaining that I was replacing a file owned by another package.
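As an added example (not code from anyone in this thread): a small Python reader for the ar container that a .deb is, which pulls the maintainer scripts out of control.tar.* and the shipped file list out of data.tar.*, then lists the paths the scripts touch that the package does not ship, the check the post above says you can only do by opening the package. The .deb it inspects is constructed inside the script; the path heuristic and the prefix list are assumptions, not Debian policy.

```python
import io, re, tarfile
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
PATH_RE = re.compile(r"(/(?:usr|bin|sbin|lib|etc)/[\w./-]+)")  # assumed: dirs worth flagging

def ar_members(data):
    """Split an ar archive (.deb): 8-byte magic, then 60-byte member headers -> {name: bytes}."""
    if data[:8] != b"!<arch>\n": raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n": raise ValueError("bad ar header at offset %d" % pos)
        name = hdr[0:16].decode().rstrip().rstrip("/")  # GNU ar may suffix names with '/'
        size = int(hdr[48:58])                          # decimal size field, space padded
        members[name] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                   # member bodies are 2-byte aligned
    return members

def _tar_of(members, prefix):
    blob = next(v for k, v in members.items() if k.startswith(prefix))
    return tarfile.open(fileobj=io.BytesIO(blob), mode="r:*")  # handles .gz/.xz/.zst-less

def inspect_deb(deb_bytes):
    """Return (maintainer scripts {name: text}, shipped paths, script paths not shipped)."""
    members = ar_members(deb_bytes)
    with _tar_of(members, "control.tar") as ctl:
        scripts = {m.name.lstrip("./"): ctl.extractfile(m).read().decode() for m in ctl.getmembers()
                   if m.isfile() and m.name.lstrip("./") in MAINTAINER_SCRIPTS}
    with _tar_of(members, "data.tar") as dat:
        shipped = {"/" + m.name.lstrip("./") for m in dat.getmembers() if m.isfile()}
    referenced = {p for t in scripts.values() for ln in t.splitlines()  # skip shebang/comments
                  if not ln.startswith("#") for p in PATH_RE.findall(ln)}
    return scripts, shipped, sorted(referenced - shipped)

def _ar_member(name, body):  # constructed: one ar member header plus padded body
    hdr = ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(body))).encode()
    return hdr + body + (b"\n" if len(body) % 2 else b"")

def _tgz(files):  # constructed: gzipped tar of {name: bytes}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            ti = tarfile.TarInfo(name); ti.size = len(content); ti.mode = 0o755
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()

def build_sample_deb():  # constructed sample: postinst touches a path the package does not ship
    control = _tgz({"./control": b"Package: sample\nVersion: 1.0\n",
                    "./postinst": b"#!/bin/sh\nchmod 755 /usr/bin/sample\ncp /usr/bin/sample /usr/bin/ls\n"})
    data = _tgz({"./usr/bin/sample": b"#!/bin/sh\necho sample\n"})
    parts = [("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)]
    return b"!<arch>\n" + b"".join(_ar_member(n, b) for n, b in parts)
```

Run `inspect_deb(open("pkg.deb", "rb").read())` on a real package to read its scripts before installing; the third return value is only a hint for what to read first, not a verdict.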