darix asked me to post this ;)
Quite some time ago we had the discussion how the buildroot should be created in a secure way in %install.
BAD: %install rm -rf $RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT/usr/... or make install
RPM_BUILD_ROOT is within /var/tmp and you just opened a trivial race condition to a local attacker on your machine to take over your account (or event root if you build as root).
It is better not to "rm -rf $RPM_BUILD_ROOT" in %install at all (and rely on %clean to do it).
If you want to clean it, better do: %install rm -rf $RPM_BUILD_ROOT mkdir $RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT/usr ... or make install
In this case the "mkdir $RPM_BUILD_ROOT" would fail and the build would abort if an attacker tries to replace the buildroot by his own symlink.
(or similar ;)