id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,blockedby,blocking,platform
12564,"pkgman install *un*installs the package (if passed a local hpkg, no problem with remote hpkr's)",ttcoder,bonefish,"dsuden keeps running into this vulnerability ever since I told him about ""pkgman install"", it's driving me nuts :-)

""Installing"" a package which happens to be already installed actually results in its de-installation (possibly because one of the performed steps involves moving the ""old"" hpkg into an 'archive' subfolder of administrative, but both the ""old"" and ""new"" files are the same?)

Furthermore, if said package is a dependency of others, this obviously results in a cascade of consequences, ouch!

Reproducible ""show and tell"" session coming up below

----

Some naive enhancement ideas: if one of the package files passed to BPackageManager::Install() matches an already installed package for the specified repository...
- reject the transaction as a whole?
- reject only that part of the transaction?
- start applying the whole transaction, but abort/fail it at the stage of creating the .hpkg file within /system/packages, before the actual backup-to-archive stage (maybe might be as simple as tweaking an {{{open()}}} call, passing it the O_NOCLOBBER.. flag and throwing an exception if open() returns file-already-exists?)
- something else?

Any of the above would result in cutting short the vulnerability exploit before the package gets uninstalled (and its dependencies if any) which would be great by me :-)",enhancement,closed,normal,,Kits/Package Kit,R1/Development,not reproducible,,,,,All