Comment 2 for bug 1434545

In particular, since this code seems designed to run on Trove guests, I'm wondering if this could be used to execute commands somehow on a different guest. I'm not familiar enough with the architecture to know, but running malicious package names causing arbitrary code execution on a guest seems like an interesting vector.