I'm now also looking into where aptd opens those files in the first place, and how we can move the PolicyKit check before that, as we really don't want untrusted users to be able to parse/decompress random files in a root process, which happens if it's reading the deb.
I'm now also looking into where aptd opens those files in the first place, and how we can move the PolicyKit check before that, as we really don't want untrusted users to be able to parse/decompress random files in a root process, which happens if it's reading the deb.