Scott Anguish of Stepwise has written a very good article that discusses some serious problems with Apple's package installer program. It's a bit technical at times, but a couple of key tidbits include:
- If a package installer encounters a directory that already exists, it will reset that directory's permissions and ownership to those of the version in the archive. If the installer maker wasn't careful with the permission settings, you may find your Applications folder has new permissions that make it impossible to use (jCalendar originally shipped with such a problem, and the author has since switched to a disk image installer as a result).
- If you have a symbolic link that points to another directory (if you've moved your Applications directory, for example, and replaced it with a link to the new location), the installer will replace the link with a real directory, and any files below it will be installed into that new directory rather than at the location the link pointed to. This can also have serious side effects, including disabling your system completely.
- If the installer package requires your password to launch, then code inside the package that's owned by root will be executed with full root privileges. This makes it very easy for malicious code to damage areas of your system which would normally be protected.
This is a tricky situation, as some products (such as mySQL and PHP) seem to require an installer, based on their need to put pieces in a number of locations. In general, avoid the package installers if you can, but if you can't, make sure you (a) have a backup of important data before proceeding, and (b) know and trust the source of the package.
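As an added pre-install check (not part of the article or of any Apple tool), the POSIX shell script below takes the directory entries a package would write, one per line in the form `path symbolic-mode` (the shape `lsbom -p fM Archive.bom` is assumed to print on macOS), and reports targets that are symlinks or whose current permissions the package would change, before anything runs as root. The `demo` function builds a constructed install root to exercise both findings.

```shell
#!/bin/sh
# Report directories a package would clobber: symlinked targets (replaced by a
# real directory) and existing directories whose mode the archive would reset.

check_dir_entry() {
    # $1 = install root, $2 = path relative to it, $3 = mode the archive applies
    target="$1/$2"
    if [ -L "$target" ]; then
        echo "SYMLINK  $target -> $(readlink "$target") (would become a real directory)"
        return 1
    fi
    if [ -d "$target" ]; then
        # first 10 columns of ls -ld are the symbolic mode, e.g. drwxr-xr-x
        current=$(ls -ld "$target" | cut -c1-10)
        if [ "$current" != "$3" ]; then
            echo "MODE     $target is $current, package would set $3"
            return 1
        fi
    fi
    return 0   # missing directory: the installer simply creates it
}

check_bom() {
    # $1 = install root; entries on stdin; only directory entries (mode starts with d)
    rc=0
    while read -r path mode; do
        case "$mode" in d*) ;; *) continue ;; esac
        check_dir_entry "$1" "$path" "$mode" || rc=1
    done
    return $rc
}

demo() {
    # constructed root: Applications is a symlink, Library is 755 but the
    # package would set it to 775 (a hypothetical sloppy archive)
    root=$(mktemp -d)
    mkdir -p "$root/Library" "$root/Volumes/Apps"
    chmod 755 "$root/Library"
    ln -s "$root/Volumes/Apps" "$root/Applications"
    printf '%s\n' "Applications drwxrwxr-x" "Library drwxrwxr-x" "Library/x -rw-r--r--" \
        | check_bom "$root"
    rc=$?
    rm -rf "$root"
    return $rc
}
```

Run `demo` to see both findings; a non-zero exit means something on the list deserves a look before you type your password.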