> I don't understand why this is a security issue when > /etc/tomcat8/Catalina/attack is owned by root:root after the purge and > the tomcat8 user doesn't even exist anymore.
Nevermind. I missed the "world". However dpkg warns about that /etc/tomcat8/Catalina is not empty on purge, so the admin will be informed that something requires his attention. Besides all tomcat processes are killed on purge.
signature.asc
Description: OpenPGP digital signature
