On Sat, 7 Sep 2019 20:20:06 +1000 teor <teor@riseup.net> wrote:
> > As with adding any third-party repository, it means trusting the repository provider to install and run any root-privilege code on the machine. In case the repository server (or actually the release process, including signing) is compromised, on the next update it can serve malicious or backdoored versions of the software. So naturally from the security standpoint it is beneficial to add (and trust) as few repositories as possible, just to reduce the "attack surface".
>
> So one thing Tor could do here is run easily and securely without root?

This will not address the concern, because AFAIK in Debian the package management scripts (contained inside the .deb's DEBIAN dir: preinst, postinst, prerm and postrm) always run with root privileges on package addition or removal.