Quoting Jeremie Marguerie <jere...@marguerie.org>:
> Thanks for bringing that issue! I feel the same way when I install a packet from a non-official PPA.
Unfortunately, every package can do anything: pre-inst, post-inst, pre-rm, post-rm run as root. If you don't trust a PPA the same way you trust your OS vendor (Debian, Ubuntu or whoever), install only in a VM or a container (not sure whether a Docker container is considered safe enough, but chroot is not sufficient).

Alternatively, download the package, unpack it, remove the maintainer scripts or check them carefully, check for s-bits on binaries etc., repack it and install. I'm probably missing more checks here.

While it would be nice to have something like "less trusted sources" and allow their packages only certain kinds of install/de-install operations (i.e. no maintainer scripts) etc., it's hard to get right and a broken solution would put users at risk.

Cheers

Archive: https://lists.debian.org/20140530204120.horde.zo1cetednp5glvdc16ay...@webmail.in-berlin.de