Re: Limiting the power of packages
- Date: Thu, 4 Oct 2018 07:04:59 +0900
- From: Mike Hommey <mh@xxxxxxxxxxxx>
- Subject: Re: Limiting the power of packages
On Wed, Oct 03, 2018 at 08:19:17PM +0300, Lars Wirzenius wrote:
> The problem: when a .deb package is installed, upgraded, or removed,
> the maintainer scripts are run as root and can thus do anything.
> Sometimes what they do is an unwelcome surprise to the user. For
> example, the Microsoft Skype .deb and the Google Chrome .deb add to
> the APT sources lists and APT accepted signing keys. Some users do not
> realise this, and are unpleasantly surprise.
Note that packages can do that without a maintainer script.