Packages might ship tarballs. They might have different permissions depending on the umask.

Detection

Example debbindiff output

Solution

Add --mode=go=rX,u+rw,a-s to tar command line.