by quarterto 4159 days ago
How would it catch something like

  cp /bin/rm ponies ; ./ponies -rf /

The same way checkinstall detects which files have been installed - it overrides the relevant syscalls when running the program/script: http://asic-linux.com.mx/~izto/checkinstall/installwatch.htm...

Of course, not everything is as obvious to detect as deleting files :)

Well, checkinstall acts at the dynamic linking level. If you use ASM to call the syscall directly (or more generally, a statically linked binary) then checkinstall will not even see it (strace/DTrace/ktrace would).
Or you can create a ponies alias, even more harmless-looking.
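The caveat in the last replies (LD_PRELOAD-style interposition, which installwatch relies on, never sees a statically linked binary) can be turned into a pre-check that a monitoring tool runs before trusting its hooks. Added example, not code from the thread or from checkinstall: a C function reads the ELF64 program headers and reports whether the target even requests the dynamic loader; the sample images are constructed inline, and a dynamic binary issuing raw syscalls still slips past, so the verdict only means "LD_PRELOAD can apply", not "LD_PRELOAD catches everything".

```c
#include <elf.h>
#include <string.h>

enum { ELF_NOT_ELF = -1, ELF_STATIC = 0, ELF_DYNAMIC = 1 };

/* Classify an in-memory ELF64 image. PT_INTERP names the dynamic loader, so
 * LD_PRELOAD hooks (the installwatch approach) can apply; a static binary has
 * none and its file operations are invisible to library-level interposition. */
int elf64_linkage(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return ELF_NOT_ELF;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64
        || eh.e_phentsize != sizeof(Elf64_Phdr))
        return ELF_NOT_ELF;
    for (size_t i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + i * sizeof(Elf64_Phdr);
        Elf64_Phdr ph;
        if (off + sizeof ph > len) return ELF_NOT_ELF;   /* truncated table */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_INTERP) return ELF_DYNAMIC;
    }
    return ELF_STATIC;
}

/* Constructed minimal ELF64 image (header, one PT_LOAD, optional PT_INTERP)
 * so the check can be exercised offline; it is not a loadable program. */
size_t make_sample_elf(unsigned char *out, int with_interp)
{
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph[2] = {{0}};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = with_interp ? 2 : 1;
    ph[0].p_type = PT_LOAD;
    ph[1].p_type = PT_INTERP;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, eh.e_phnum * sizeof(Elf64_Phdr));
    return sizeof eh + eh.e_phnum * sizeof(Elf64_Phdr);
}

int sample_linkage(int with_interp)   /* classify a freshly built sample */
{
    unsigned char img[256];
    return elf64_linkage(img, make_sample_elf(img, with_interp));
}
```

A script such as `#!/bin/sh` is not ELF at all, so the relevant question for it is which interpreter binary runs it, and the same check applies to that interpreter.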