[arch-dev-public] Junior developers and [staging]

Thomas Bächler thomas at archlinux.org
Sun Sep 5 04:53:59 EDT 2010


On 05.09.2010 10:00, Pierre Schmitz wrote:
> On Sat, 04 Sep 2010 13:20:15 +0200, Thomas Bächler
> <thomas at archlinux.org> wrote:
>> [1] staging packages are in pool/, so if you commit a package to staging
>> with the same filename as an extra package, the extra package will
>> disappear and have a wrong md5sum in the extra db.
> 
> No, dbscripts will disallow you to do this (at least if the old package
> was already in a pool). If it's not in a pool you'll have the same
> package in different repos; but the extra one shouldn't be removed.

The presence of the file in the pool is not good enough. An evil
developer could delete the file from the pool, then commit his own
package. dbscripts should probably check whether a package with the same
pkgname-pkgver-pkgrel triple is already in any other repository and then
allow/deny adding it.
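
The check proposed in the message above, sketched as an added example that is not part of the original message and is not dbscripts code: it looks up the pkgname-pkgver-pkgrel triple in each repository's database, so removing a file from the pool does not change the outcome. The function names, database file names and sample packages are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not dbscripts code). Function names and db paths are assumptions.

# repos_holding_triple TRIPLE TARGET_REPO DB...
# Print every repo other than TARGET_REPO whose database lists TRIPLE.
repos_holding_triple() {
    triple=$1 target=$2
    shift 2
    for db in "$@"; do
        repo=$(basename "$db" .db.tar.gz)
        [ "$repo" = "$target" ] && continue
        # A pacman repo db is a tarball with one top-level directory per
        # package, named pkgname-pkgver-pkgrel. Match that name exactly.
        if tar -tf "$db" | awk -F/ -v t="$triple" \
            '{ sub(/^\.\//, "") } $1 == t { hit = 1 } END { exit !hit }'; then
            printf '%s\n' "$repo"
        fi
    done
}

# may_add TRIPLE TARGET_REPO DB...  -> returns 0 to allow, 1 to deny.
# The decision never looks at the pool directory.
may_add() {
    holders=$(repos_holding_triple "$@")
    [ -z "$holders" ] && return 0
    echo "deny: $1 is already in: $(echo $holders)" >&2
    return 1
}

# Constructed sample data: write a small repo db containing the given triples.
make_sample_db() {  # make_sample_db ABSOLUTE_DBFILE TRIPLE...
    out=$1; shift
    work=$(mktemp -d)
    for t in "$@"; do
        mkdir "$work/$t"
        printf '%%NAME%%\n%s\n' "${t%-*-*}" > "$work/$t/desc"
    done
    (cd "$work" && tar -czf "$out" "$@")
    rm -rf "$work"
}

# Demo on constructed databases.
demo_dir=$(mktemp -d)
make_sample_db "$demo_dir/extra.db.tar.gz" foo-1.0-1 bar-2.1-3
make_sample_db "$demo_dir/staging.db.tar.gz" baz-0.9-1
may_add foo-1.0-2 staging "$demo_dir"/*.db.tar.gz && echo "allow: foo-1.0-2"
may_add foo-1.0-1 staging "$demo_dir"/*.db.tar.gz || echo "denied as expected"
rm -rf "$demo_dir"
```

The match is on the whole top-level directory name, so `foo-1.0-10` is not mistaken for `foo-1.0-1`.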
