On 05.09.2010 10:00, Pierre Schmitz wrote:
> On Sat, 04 Sep 2010 13:20:15 +0200, Thomas Bächler <thomas@archlinux.org> wrote:
>> [1] staging packages are in pool/, so if you commit a package to staging with the same filename as an extra package, the extra package will disappear and have a wrong md5sum in the extra db.
> No, dbscripts will disallow you to do this (at least if the old package was already in a pool). If it's not in a pool you'll have the same package in different repos; but the extra one shouldn't be removed.
The presence of the file in the pool is not good enough. An evil developer could delete the file from the pool, then commit his own package. dbscripts should probably check whether a package with the same pkgname-pkgver-pkgrel triple is already in any other repository and then allow/deny adding it.
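A sketch of the check proposed in the last reply, added here as an example and not part of the thread or of dbscripts: it reads the repo databases instead of trusting the pool directory, which a developer with write access can alter. The layout `<base>/<repo>/<repo>.db.tar.gz` and the function names are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not dbscripts code. Assumed layout: $base/<repo>/<repo>.db.tar.gz,
# each db holding one "<pkgname>-<pkgver>-<pkgrel>/" directory per package.

# Print the repos (other than $target) whose db already lists the triple.
repos_with_triple() {
    local base=$1 target=$2 triple=$3 db repo
    for db in "$base"/*/*.db.tar.gz; do
        [ -f "$db" ] || continue
        repo=$(basename "$db" .db.tar.gz)
        [ "$repo" = "$target" ] && continue
        # Reduce every archive member to its top-level directory name and
        # require an exact match, so foo-1.0 does not match foo-1.0-1.
        if tar -tzf "$db" | sed 's,^\./,,; s,/.*$,,' | grep -Fxq -- "$triple"; then
            echo "$repo"
        fi
    done
}

# Return 0 if adding is allowed, 1 if another repo already carries the triple.
may_add_package() {
    local hits
    hits=$(repos_with_triple "$1" "$2" "$3")
    [ -z "$hits" ]
}

# Build a constructed sample tree: extra lists foo-1.0-1, staging is empty.
make_sample_tree() {
    local base=$1 repo tmp
    for repo in extra staging; do
        mkdir -p "$base/$repo"
        tmp=$(mktemp -d)
        if [ "$repo" = extra ]; then
            mkdir "$tmp/foo-1.0-1"
            printf '%%NAME%%\nfoo\n' > "$tmp/foo-1.0-1/desc"
        fi
        tar -czf "$base/$repo/$repo.db.tar.gz" -C "$tmp" .
        rm -rf "$tmp"
    done
}
```

Because the decision is taken from the databases, deleting the file from pool/ beforehand does not change the result.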