in $FILES/setperms why is everything done blindly without checking if the files within cgi-bin actually belong to dspam-web? This will silently break all permissions a user may have set (and applications which rely on them).
I usually install web applications in their own virtual host, especially those needing a cgi-bin dir. How do you propose to check if a file belongs to dspam-web or not?
Not everyone has virtual hosts or wants to set them up. Equery can get a list of files that belong to a given package. Or, hardcode the list of things in setperms.
I will still have to change owner:group of the cgi-bin directory to dspam:dspam, otherwise apache will not be able to run dspam CGI scripts under this identity. Are you OK with that? I can't imagine how you'll be able to run the other CGI scripts since both cgi-bin directory and CGI script must have the same owner:group when suexec is involved.
After a long discussion on IRC, we both agreed it is currently impossible to install dspam-web on a site that has other cgi scripts. I've added a warning about this in postinst. Bug closed as CANTFIX.
