Package: sdic-gene95
Version: 2.1.3-22
Severity: important
User: debian...@lists.debian.org
Usertags: piuparts
Hi,

during a test with piuparts I noticed your package failed to install if the only internet connectivity available is a proxy set via environment variables {http,https,ftp}_proxy.

The postinst checks

  nc -w 3 -z www.namazu.org 80

(ignoring any proxy settings) before downloading the file with wget (which would honour the proxy settings). This seems to be the only package doing it this way.

And while we are at it:

* there is no validation of the downloaded file (e.g. comparison with a known sha512 sum)
* the default download location is /tmp which is writable by everyone, so everyone can place files with names expected by the postinst script there. It does not look like these will be used, but their presence will at least break package installation. And there may be a possibility for symlink attacks and race conditions.

cheers,

Andreas
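As an added example (not the sdic-gene95 postinst and not code from the report above), here is a download step written the way the three points suggest: no separate nc probe, so wget alone decides whether the host is reachable and applies {http,https,ftp}_proxy; the file is written into a private mktemp -d directory instead of a fixed name in /tmp; and it is only moved into place after its sha512 matches a digest the package ships. The URL, file names and the expected digest are placeholders to be filled in by the package; the digest used in the usage note is that of an empty file, constructed here for illustration.

```shell
#!/bin/sh
# Added example: hardened fetch step for a postinst-style script.
# Not part of sdic-gene95; every name below is an assumption.
set -eu

verify_sha512() {
    # $1 = path, $2 = expected hex digest. Succeeds only on an exact match,
    # so a truncated, tampered or wrong file is refused before use.
    file=$1; expected=$2
    actual=$(sha512sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

private_workdir() {
    # mktemp -d creates a mode-0700 directory with an unpredictable name.
    # An unprivileged user cannot pre-place a file or symlink under it,
    # which removes the /tmp race and symlink concerns from the report.
    mktemp -d "${TMPDIR:-/tmp}/pkg-fetch.XXXXXX"
}

reachable() {
    # Replacement for "nc -w 3 -z host 80": --spider makes the request through
    # the same proxy settings wget will use for the real download.
    wget -q --spider --timeout=10 --tries=1 -- "$1"
}

fetch_and_verify() {
    # $1 = URL, $2 = expected sha512 hex digest, $3 = final destination path.
    # Returns non-zero (and leaves nothing behind) on any failure.
    url=$1; expected=$2; dest=$3
    workdir=$(private_workdir)
    if ! wget -q --timeout=30 --tries=2 -O "$workdir/download" -- "$url"; then
        echo "download failed: $url" >&2
        rm -rf -- "$workdir"
        return 1
    fi
    if ! verify_sha512 "$workdir/download" "$expected"; then
        echo "sha512 mismatch for $url, refusing to install it" >&2
        rm -rf -- "$workdir"
        return 1
    fi
    # Only a verified file ever reaches the destination.
    mv -- "$workdir/download" "$dest"
    rm -rf -- "$workdir"
}
```

Usage in a postinst would be a single call such as `fetch_and_verify "$URL" "$SHIPPED_SHA512" /usr/share/pkg/file`, with the digest recorded in the package at build time; `reachable "$URL"` can precede it if the script wants a distinct "no connectivity" message, and unlike the nc probe it will succeed behind a proxy.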