Assuming that you actually use rename() to do the unlinking and atomic updating, the "make install" should also ensure that write permission is removed from the new files.
* https://github.com/jdebp/nosh/blob/79b1c0aab9834a09a59e15d47...
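The install step this comment describes, sketched as an added example that is not part of the original comment or of nosh's build scripts: stage the new file beside the destination, strip its write bits, then rename it into place. The function name `atomic_install`, the `.install.XXXXXX` staging name and the default mode `0555` are assumptions made for illustration.

```shell
#!/bin/sh
# atomic_install SRC DEST [MODE]
# Hypothetical helper (not from nosh): installs SRC as DEST via rename, read-only.
atomic_install() {
    ai_src=$1
    ai_dest=$2
    ai_mode=${3:-0555}            # assumed default: executable, no write bits
    ai_dir=$(dirname "$ai_dest")

    # Stage in DEST's own directory so the final mv is a same-filesystem
    # rename(2) and never degrades into copy-then-delete.
    ai_tmp=$(mktemp "$ai_dir/.install.XXXXXX") || return 1

    # Fix the permissions on the staged copy *before* it becomes visible
    # under the final name; a-w guarantees no write bit survives MODE.
    if cp "$ai_src" "$ai_tmp" &&
       chmod "$ai_mode" "$ai_tmp" &&
       chmod a-w "$ai_tmp" &&
       mv -f "$ai_tmp" "$ai_dest"
    then
        # rename(2) swapped the directory entry in one step. Processes that
        # already have the old file open keep the old inode, and replacing a
        # read-only DEST needs write access to the directory, not to DEST.
        return 0
    fi

    rm -f "$ai_tmp"               # do not leave a half-written staging file
    return 1
}
```

Because the old file is replaced rather than overwritten, a second run over the now read-only destination still succeeds.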