From 54863453c263202d4804d4a5369a9ec20ee85719 Mon Sep 17 00:00:00 2001
From: Alexandre Gauthier <alex@lab.underwares.org>
Date: Thu, 9 Apr 2026 12:21:25 -0400
Subject: [PATCH] fix(cmdeploy): Set permissions on dovecot pin

Ensure the preferences.d snippet that pins dovecot packages to block
Debian dist-upgrades is owned by root:root and has 644 permissions.

Files in this directory are generally expected to be world readable to ensure unprivileged operations such as apt-get in simulation mode. Having them not world readable breaks such usages.
---
 cmdeploy/src/cmdeploy/dovecot/deployer.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/dovecot/deployer.py b/cmdeploy/src/cmdeploy/dovecot/deployer.py
index 99952da6..3aa4d1a6 100644
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -61,6 +61,9 @@ class DovecotDeployer(Deployer):
                 "Pin-Priority: -1\n"
             ),
             dest="/etc/apt/preferences.d/pin-dovecot",
+            user="root",
+            group="root",
+            mode="644",
         )
 
     def configure(self):