On Wed, Oct 03, 2018 at 08:19:17PM +0300, Lars Wirzenius wrote: > The problem: when a .deb package is installed, upgraded, or removed, > the maintainer scripts are run as root and can thus do anything. > > Sometimes what they do is an unwelcome surprise to the user. For > example, the Microsoft Skype .deb and the Google Chrome .deb add to > the APT sources lists and APT accepted signing keys. Some users do not > realise this, and are unpleasantly surprise.
Note that packages can do that without a maintainer script. Mike
