repositories für others/world unzugänglich initialisieren
authorMatthias Förste <foerste@schlittermann.de>
Fri, 30 Aug 2013 17:15:59 +0200
changeset 68 3fa7ee3a0c87
parent 64 f5c3eb82fa62
child 69 f4e4b8d01322
repositories für others/world unzugänglich initialisieren
debian/changelog
debian/preinst
log.pl
--- a/debian/changelog	Tue Aug 28 09:21:09 2012 +0200
+++ b/debian/changelog	Fri Aug 30 17:15:59 2013 +0200
@@ -1,3 +1,10 @@
+logbuch (0.39+nmu1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * initialize repositories group/world inaccessible
+
+ -- Matthias Förste <foerste@schlittermann.de>  Fri, 30 Aug 2013 16:35:48 +0200
+
 logbuch (0.39) stable; urgency=low
 
   * grep {defined} … and not grep defined => …
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/preinst	Fri Aug 30 17:15:59 2013 +0200
@@ -0,0 +1,35 @@
+#! /bin/sh
+# preinst script for logbuch
+#
+# see: dh_installdeb(1)
+
+set -e
+
+case "$1" in
+    install|upgrade)
+        if  [ -n "$2" ] && \
+            dpkg --compare-versions "$2" le "0.39" && \
+            [ -f /etc/logbuch/config.pm ]; then
+            dirs=$(perl -e 'use lib "/etc/logbuch"; use config; print join " ", @config::notify_dirs');
+            if [ -n "$dirs" ]; then
+                for d in "$dirs"; do
+                    chmod -R go= $d/.hg
+                done
+            fi
+        fi
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
+
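Review bot: The loop at `for d in "$dirs"` runs once over the whole space-joined string, and the unquoted `$d/.hg` then word-splits so that only the last entry gets the `/.hg` suffix; with more than one directory in `@config::notify_dirs`, the earlier directories themselves are handed to `chmod -R go=` as root. Iterate over the split list and quote the target: `for d in $dirs; do` and `chmod -R go= "$d/.hg"`. Because of `set -e`, a configured directory that has no `.hg` makes the chmod fail and aborts the upgrade, so wrap the chmod in `if [ -d "$d/.hg" ]; then ... fi`. Splitting on whitespace still mishandles paths containing spaces; printing one directory per line from the perl one-liner and consuming them with `while IFS= read -r d` would avoid that.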
--- a/log.pl	Tue Aug 28 09:21:09 2012 +0200
+++ b/log.pl	Fri Aug 30 17:15:59 2013 +0200
@@ -124,14 +124,22 @@
     }
 
     if ($opt_initdir) {
+
         my $repo = Logbuch::HG->new(repo => $opt_initdir);
 
         $repo->is_repository()
           and die "$ME: directory already initialized, skipping\n";
 
+        # any repository is likely to contain sensitive data somewhere
+        my $umask = umask 0077
+            or die "$ME: Can't set umask: $!";
+
         $repo->init()
           or die "E: initialization failed\n";
 
+        umask $umask
+            or warn "$ME: Can't restore umask: $!";
+
         $repo->addremove();
         $repo->commit("initial check in");
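Review bot: `my $umask = umask 0077 or die ...` tests the previous mask rather than success: `umask` returns the old value, so a process started with umask 0 gets a false result and dies here even though the mask was set. Test definedness instead, `defined(my $umask = umask 0077) or die "$ME: Can't set umask\n";`. The restore at `umask $umask or warn ...` only passes because the mask being replaced (0077) is non-zero, and `$!` is not meaningfully set by `umask`, so it adds nothing to either message. A comment noting that later files stay protected by the 0700 `.hg` directory rather than by the umask would help, since `addremove` and `commit` run after the restore. The `if ($opt_initdir)` block continues outside the hunk.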