fileutils.go | 20 ++++++++++++++------
 main.go      |  5 ++++-

diff --git a/fileutils.go b/fileutils.go
index 140caec01bc533a162d3df66a19b966ba1af3c2c989ef647123af429aecfbe40..c01501d3354608202c9bce2f05e605a18070bed92ee170a5b5b61e387670f776 100644
--- a/fileutils.go
+++ b/fileutils.go
@@ -22,17 +22,25 @@ 	"log"
 	"net/http"
 	"os"
 	"path/filepath"
-	"strconv"
 	"time"
 )
 
-var NoSync = os.Getenv("GOCHEESE_NO_SYNC") == "1"
+var (
+	NoSync   = os.Getenv("GOCHEESE_NO_SYNC") == "1"
+	UmaskCur int
+)
 
 func TempFile(dir string) (*os.File, error) {
-	// Assume that probability of suffix collision is negligible
-	suffix := strconv.FormatInt(time.Now().UnixNano()+int64(os.Getpid()), 16)
-	name := filepath.Join(dir, "nncp"+suffix)
-	return os.OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_EXCL, os.FileMode(0666))
+	tmp, err := os.CreateTemp(dir, "gocheese")
+	if err != nil {
+		return nil, err
+	}
+	err = os.Chmod(tmp.Name(), os.FileMode(0666&^UmaskCur))
+	if err != nil {
+		tmp.Close()
+		return nil, err
+	}
+	return tmp, nil
 }
 
 func DirSync(dirPath string) error {
diff --git a/main.go b/main.go
index d1d0214e8421846155ef6566ec8a72a01cbbe94fc1b45f0099a456e270f265d6..666fa5cdc14a0ffc9b816ea9e4d481f30469e0f52ec05df978570cee39ed4266 100644
--- a/main.go
+++ b/main.go
@@ -44,7 +44,7 @@ 	"golang.org/x/net/netutil"
 )
 
 const (
-	Version   = "3.5.0"
+	Version   = "3.6.0"
 	UserAgent = "GoCheese/" + Version
 )
 
@@ -211,6 +211,9 @@
 	if (*TLSCert != "" && *TLSKey == "") || (*TLSCert == "" && *TLSKey != "") {
 		log.Fatalln("Both -tls-cert and -tls-key are required")
 	}
+
+	UmaskCur = syscall.Umask(0)
+	syscall.Umask(UmaskCur)
 
 	var err error
 	PyPIURLParsed, err = url.Parse(*PyPIURL)