Salt work flow guidance

And I have implemented it here -

But using RPMs doesn't fix any problems - if the creator is hostile, or
the source compromised, then it would be possible to embed unwanted
actions into the RPM.

For your case, I don't see anything wrong in copying plain text files
where you know the effects into dom0, and running those states.
You could mitigate risk by keeping the dev qube offline.
Then in dom0 you can run a script that tars the files, copies them to
dom0, and untars them in place.

A good alternative, of course, is to write the states in dom0 - you
already have the tools there.
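
A dom0 script along the lines described above, as an added example that is not part of the original post; the qube name `dev`, both directory paths and the function names are assumptions. It goes a little further than the post by checking the archive listing before anything is unpacked.

```shell
#!/bin/sh
# Added example; run in dom0. The three values below are assumptions.
SRC_QUBE="${SRC_QUBE:-dev}"            # assumed name of the offline dev qube
SRC_DIR="${SRC_DIR:-/home/user/salt}"  # assumed state directory in that qube
DEST_DIR="${DEST_DIR:-/srv/salt/user}" # assumed target directory in dom0

# A member name is acceptable only if it is relative and has no ".." part.
path_is_safe() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# Succeeds only for a readable archive that holds nothing but regular files
# and directories whose names stay inside the extraction directory.
archive_is_safe() {
    tar -tf "$1" >/dev/null 2>&1 || return 1
    # First character of each verbose line is the type: "-" file, "d" dir.
    if tar -tvf "$1" | grep -qv '^[-d]'; then
        echo "rejected: archive contains links or special files" >&2
        return 1
    fi
    tar -tf "$1" | while IFS= read -r name; do
        path_is_safe "$name" || { echo "rejected path: $name" >&2; exit 1; }
    done || return 1
}

# Pull the tarball from the qube, check it, then unpack it in place.
fetch_states() {
    archive=$(mktemp) || return 1
    if qvm-run --pass-io "$SRC_QUBE" "tar -C '$SRC_DIR' -cf - ." > "$archive" &&
       archive_is_safe "$archive" && mkdir -p "$DEST_DIR"; then
        tar -C "$DEST_DIR" --no-same-owner -xf "$archive"
        rc=$?
    else
        rc=1
    fi
    rm -f "$archive"
    return "$rc"
}

# Nothing is transferred unless the script is called as: script.sh fetch
if [ "${1:-}" = "fetch" ]; then
    fetch_states
fi
```

The check only limits what kinds of entries land in dom0; the state files themselves still need to be read before they are applied.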