> I don't understand why this is a security issue when
> /etc/tomcat8/Catalina/attack is owned by root:root after the purge and
> the tomcat8 user doesn't even exist anymore.

Never mind. I missed the "world". However, dpkg warns that /etc/tomcat8/Catalina is not empty on purge, so the admin will be informed that something requires his attention. Besides, all tomcat processes are killed on purge.

This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.