RPM

Comment 14 for bug 634183

In , Jeff (jeff-redhat-bugs) wrote :

Creating a hardlink (in most cases for RPM managed files) assumes privilege
that makes any other escalation vector through hardlinks to "previously RPM-managed"
files moot.

And if hardlink creation is possible, it's a packaging, not an RPM implementation,
error.

But feel free to file all the CVEs you want against RPM for _NOT_ cleaning up
metadata data (be it setuid/capability/ACL/XATTR) attached to an inode
that was "previously RPM-managed" if/when a hardlink has been created
through external means.

You might well report the same problems against rm(1) since the same
system call unlink(2) is unaware of unknown persistent side effects if/when
an additional hardlink has been created.

There are -- in fact -- no escalations of note reported for any of the (2? or is it 3 now?)
CVEs being reported against RPM.
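
The unlink(2) behaviour this comment refers to, as an added example that is not part of the original comment and is not RPM's code: removing one name leaves the inode's mode bits intact under any other hardlink, while a remover that strips setuid/setgid first does not. The file names and the `hardened_remove` helper are hypothetical, and only mode bits are handled here (capabilities, ACLs and other xattrs are out of scope).

```python
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID

def plain_remove(path):
    """What rm(1) does: drop one name, leave the inode untouched."""
    os.unlink(path)

def hardened_remove(path):
    """Hypothetical remover: clear setuid/setgid when other links exist."""
    if stat.S_ISREG(os.lstat(path).st_mode):
        # Work on a descriptor so the check and the chmod hit the same inode.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        try:
            st = os.fstat(fd)
            if st.st_nlink > 1 and st.st_mode & SPECIAL_BITS:
                os.fchmod(fd, stat.S_IMODE(st.st_mode) & ~SPECIAL_BITS)
        finally:
            os.close(fd)
    os.unlink(path)

def demo(remove):
    """Return (link count, setuid still set?) for the surviving hardlink."""
    with tempfile.TemporaryDirectory() as d:
        managed = os.path.join(d, "managed-binary")  # constructed sample file
        extra = os.path.join(d, "extra-link")        # link made by other means
        with open(managed, "wb") as f:
            f.write(b"constructed sample\n")
        os.chmod(managed, 0o4755)   # setuid bit on a file we own
        os.link(managed, extra)     # second name for the same inode
        remove(managed)
        st = os.lstat(extra)
        return st.st_nlink, bool(st.st_mode & stat.S_ISUID)

if __name__ == "__main__":
    print("plain unlink:   ", demo(plain_remove))
    print("hardened remove:", demo(hardened_remove))
```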