5 Sep 2010, 10:36 a.m.
On Sun, 05 Sep 2010 10:53:59 +0200, Thomas Bächler <thomas@archlinux.org> wrote:
> The presence of the file in the pool is not good enough. An evil developer could delete the file from the pool, then commit his own package.

If you are evil you could still mess up with the repo by bypassing dbscripts. There is no point in assuming that there are evil developers.

> dbscripts should probably check whether a package with the same pkgname-pkgver-pkgrel triple is already in any other repository and then allow/deny adding it.

That is a plan.

--
Pierre Schmitz, https://users.archlinux.de/~pierre
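
The check proposed in the quoted text above, sketched as an added example; it is not dbscripts code and not part of the original thread. The directory layout, the function names and the sample package names are assumptions, and the architecture field is ignored so that the comparison is on the pkgname-pkgver-pkgrel triple as the message words it.

```sh
#!/bin/sh
# Added example, not dbscripts code. Assumed layout: <root>/<repo>/<package file>,
# files named pkgname-pkgver-pkgrel-arch.pkg.tar.* (pkgname may contain '-').

# Print "pkgname pkgver pkgrel" for a package file name; fail if it does not parse.
pkg_triple() {
    pt_base=${1##*/}
    pt_stem=${pt_base%.pkg.tar*}
    [ "$pt_stem" != "$pt_base" ] || return 1
    pt_nvr=${pt_stem%-*}                       # drop the arch field
    pt_rel=${pt_nvr##*-}; pt_nv=${pt_nvr%-*}   # pkgver and pkgrel never contain '-'
    pt_ver=${pt_nv##*-};  pt_name=${pt_nv%-*}
    # With fewer than four '-'-separated fields one of the strips is a no-op.
    [ "$pt_nvr" != "$pt_stem" ] && [ "$pt_nv" != "$pt_nvr" ] && [ "$pt_name" != "$pt_nv" ] || return 1
    [ -n "$pt_name" ] && [ -n "$pt_ver" ] && [ -n "$pt_rel" ] || return 1
    printf '%s %s %s\n' "$pt_name" "$pt_ver" "$pt_rel"
}

# Print every repository other than $2 that already holds the triple of file $3.
find_conflicts() {
    fc_want=$(pkg_triple "$3") || return 2
    for fc_file in "$1"/*/*.pkg.tar.*; do
        [ -e "$fc_file" ] || continue
        fc_repo=${fc_file%/*}; fc_repo=${fc_repo##*/}
        [ "$fc_repo" != "$2" ] || continue
        fc_have=$(pkg_triple "$fc_file") || continue
        if [ "$fc_have" = "$fc_want" ]; then printf '%s\n' "$fc_repo"; fi
    done
}

# Exit status 0 = allow, 1 = deny (triple exists elsewhere), 2 = unparseable name.
allow_add() {
    aa_hits=$(find_conflicts "$1" "$2" "$3") || return 2
    [ -z "$aa_hits" ]
}

# Constructed sample tree: core and extra hold one package each, testing is empty.
make_sample_tree() {
    st_root=$(mktemp -d) || return 1
    mkdir "$st_root/core" "$st_root/testing" "$st_root/extra"
    : > "$st_root/core/lib32-glibc-2.12-3-x86_64.pkg.tar.xz"
    : > "$st_root/extra/foo-1.0-1-i686.pkg.tar.xz"
    printf '%s\n' "$st_root"
}

demo_root=$(make_sample_tree)
for demo_pkg in lib32-glibc-2.12-3-x86_64.pkg.tar.xz lib32-glibc-2.12-4-x86_64.pkg.tar.xz; do
    if allow_add "$demo_root" testing "$demo_pkg"; then echo "allow $demo_pkg"
    else echo "deny  $demo_pkg"; fi
done
rm -rf "$demo_root"
```

The comparison is on the parsed triple rather than on the file name, so a rebuild with a new pkgrel passes while the same triple from another repository is refused whatever its architecture suffix.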