Package: ca-certificates
Version: 20250419
Severity: minor
Prompted by recent changes in fontconfig and its handling of
/usr/local/share/fonts, I noticed that ca-certificates' example local
ca-certificates-local package also creates a directory below /usr/local
with mode 2775 and owner root:staff (when it is removed).
According to Policy §9.1.2, since Policy 4.1.4 (2018), directories below
/usr/local should normally be created with mode 0755 and owner
root:root, a change that was made to avoid privilege escalation by
members of the staff group. (There's a flag file to opt back in to the
old behaviour.) For ca-certificates itself this was fixed as #916833,
but ca-certificates-local never got the same change.
Unfortunately dh_usrlocal probably cannot be used in this specific case.
Thanks,
smcv