maemo5 is very vulnarable to MITM attacks because even serious developers just download deb packages and install them with dpkg -i. This way installing the authenticity of the package is not checked in any way, it can be anything if there is a MITM attack.

Once a Thompson's Trojan Horse type of attack has been succesfully made to some developer's system, the crack and the back door can propagate through whole Linux-community.

This is the long known weakness in deb-package-based system.
There is a fix for having embedded signatures in deb-packages, but practically noone is using it.

In rpm-system, the packages themselves have GPG signatures embedded.
So whether you install them by first transfering the package via ubstick, ftp, wget, bluetooth, *, the signature comes along always and is checked when package is installed with rpm-program or by yum, zypper or whatever package manager Meego will have. (Ok, there can be RPM packages w/o signatures but one have to force rpm to install this kind of package if the rpm settings are correctly set in the first place.)

I've been told the above reason is not why they chose RPM in Meego, nor the fact RPM is preferred by LSB, but for me it is an important plus and improvement. Also RPM-package system has transaction-support, which comes handy if system is cold rebooted suddenly in the middle of package installation for example battery has drained out.

Yes, I hope Meego will have SELinux also, or at least AppArmor (not as good but simplier).