Anybody who is porting a package that adds permissions should check and make sure that they don't have the same problem that Luke has uncovered. I've come across this same problem in the core and in cms. I've been working around it by dropping the trigger on acs_privilege_hierachy at the start of the transaction and re-enabling it before the last add_child call within the transaction. This works because the trigger on acs_privilege_hierarchy only modifies the acs_privilege_hierarchy_index one time when the last add_child call is made with the trigger reapplied.
