Web lists-archives.com

Re: Limiting the power of packages




On Wed, Oct 03, 2018 at 08:19:17PM +0300, Lars Wirzenius wrote:
> The problem: when a .deb package is installed, upgraded, or removed,
> the maintainer scripts are run as root and can thus do anything.
> 
> Sometimes what they do is an unwelcome surprise to the user. For
> example, the Microsoft Skype .deb and the Google Chrome .deb add to
> the APT sources lists and APT accepted signing keys. Some users do not
> realise this, and are unpleasantly surprise.

Note that packages can do that without a maintainer script.

Mike