A user recently complained about the OTRS package manager ability to execute code from packages (CVE-2018-7567). There are good reasons for this (packages install code anyway, required for complex setup routines), but of course, it means that admins better double check the packages they install.
After looking for ways to improve the situation, we decided to slightly change the default behavior of the package manager. By default, only packages verified by OTRS can be installed now; there is a new configuration option to allow installation of packages from other/untrusted sources.
