Quoting Justin B Rye (justin.byam....@gmail.com):
> But why does it need a special script to install a package? (Goes and
> looks...) Yipe! It just checks I'm root and then runs
>
>     dpkg -i /tmp/publicfile-installer/publicfile*_*.deb
>
> Does the build really leave its output in a predictable location in a
> world-writable directory? (Checks) Yes, so if my evil kid brother
> has created a /tmp/publicfile-installer/publicfile_0.52-0_amd64.deb,
> the build-script will happily dump its .deb alongside it. Then when I
> run "sudo install-publicfile" it'll install the bogus package first,
> executing its install-scripts as root.

That seems correct and probably deserves another bug report, in my opinion. Thanks for pointing this out, Justin...
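The checks an installer could make before handing a package from a shared build directory to dpkg, written as an added example that is not part of this thread or of publicfile-installer. The function name `check_build_dir` and its arguments are assumptions, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from publicfile-installer): pre-install checks for a
# build directory. check_build_dir and its arguments are hypothetical names.
#
# Usage: pkg=$(check_build_dir DIR BUILDER_UID) && dpkg -i "$pkg"
# Succeeds, printing the package path, only if DIR is a real directory owned
# by BUILDER_UID, nobody else can write to it, and it holds exactly one
# publicfile*_*.deb that is a regular file owned by BUILDER_UID.
check_build_dir() {
    dir=$1
    want_uid=$2

    # Refuse a symlink planted where the directory should be.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a real directory" >&2; return 1
    fi

    # GNU stat: %u = owner uid, %a = octal permission bits.
    dir_uid=$(stat -c %u "$dir") || return 1
    dir_mode=$(stat -c %a "$dir") || return 1
    if [ "$dir_uid" != "$want_uid" ]; then
        echo "refusing: $dir owned by uid $dir_uid, expected $want_uid" >&2; return 1
    fi
    # 022 masks the group-write and other-write bits.
    if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then
        echo "refusing: $dir is writable by group or others" >&2; return 1
    fi

    # Expand the same glob the installer uses and demand exactly one match,
    # so a second, planted package cannot ride along.
    set -- "$dir"/publicfile*_*.deb
    if [ $# -ne 1 ] || [ ! -e "$1" ]; then
        echo "refusing: expected exactly one package in $dir" >&2; return 1
    fi
    if [ -L "$1" ] || [ ! -f "$1" ] || [ "$(stat -c %u "$1")" != "$want_uid" ]; then
        echo "refusing: $1 is not a regular file owned by uid $want_uid" >&2; return 1
    fi
    printf '%s\n' "$1"
}
```

Building in a directory created with `mktemp -d`, or under the builder's home directory, avoids the predictable path altogether.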