Package: pciutils
Version: 1:3.3.1-1
Severity: important

Debian bug #804299 made me realize that update-pciids also has the same problem of downloading unauthenticated data from the web and then parsing it, potentially being open to potential exploits in the parser. The risk is probably less than update-smart-drivedb, which might potentially take action based on the data that could result in drive damage. I suppose it's possible there is something that is taking action based on pciids data.

In the short term it should probably be disabled or at least prompt the user to manually verify a checksum or something. Longer term maybe both utils can use a similar solution.

Thanks,

-- 
Matt Taggart
tagg...@debian.org
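
The checksum gate suggested in the report above could look like the following sketch, which is an added example and not code from pciutils or from the reporter. The helper name install_verified_ids, the size limits, and the sample data are assumptions; the expected digest is assumed to reach the user over a channel they already trust.

```shell
#!/bin/sh
# Added example; install_verified_ids is a hypothetical helper, not part of pciutils.
# Usage: install_verified_ids SRC EXPECTED_SHA256 DEST
# Replaces DEST with SRC only when SRC matches a digest obtained out of band
# and stays within simple size limits; otherwise DEST is left untouched.
MAX_BYTES=4194304   # assumed cap on total file size (4 MiB)
MAX_LINE=1024       # assumed cap on bytes per line

install_verified_ids() {
    src=$1; expected=$2; dest=$3

    # 1. Authenticate the download against the pinned digest.
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing $src: SHA-256 mismatch" >&2
        return 1
    fi

    # 2. Bound what the parser will see, even for an authenticated file.
    size=$(wc -c < "$src")
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo "refusing $src: $size bytes exceeds limit" >&2
        return 1
    fi
    if ! LC_ALL=C awk -v max="$MAX_LINE" \
        'length($0) > max { bad = 1; exit } END { exit bad + 0 }' "$src"; then
        echo "refusing $src: overlong line" >&2
        return 1
    fi

    # 3. Install atomically so readers never see a partially written file.
    cp "$src" "$dest.new" && mv -f "$dest.new" "$dest"
}

# Constructed sample data in pci.ids layout (vendor line, tab-indented device line).
sample_ids() {
    printf '# constructed sample\n0001  Example Vendor\n\t0002  Example Device\n'
}
```

The digest check only helps if the expected value arrives separately from the download itself; a checksum fetched from the same unauthenticated source protects against corruption, not tampering.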