On 2/6/26 10:48, Simon McVittie wrote:
Package: ca-certificates
Version: 20250419
Severity: minor

Prompted by recent changes in fontconfig and its handling of
/usr/local/share/fonts, I noticed that ca-certificates' example local
ca-certificates-local package also creates a directory below /usr/local
with mode 2775 and owner root:staff (when it is removed).

According to Policy §9.1.2, since Policy 4.1.4 (2018), directories below
/usr/local should normally be created with mode 0755 and owner
root:root, a change that was made to avoid privilege escalation by
members of the staff group. (There's a flag file to opt back in to the
old behaviour.) For ca-certificates itself this was fixed as #916833,
but ca-certificates-local never got the same change.

Unfortunately dh_usrlocal probably cannot be used in this specific case.

Hi Simon,

I'm somewhat tempted to remove the ca-certificates-local example
entirely; it hasn't been updated since 2013 and I'm not sure it's all
that useful nowadays.
Cheers,
Julien