On Tue, Aug 01, 2000 at 11:07:47PM +0200, Andreas J. Koenig wrote:
> >>>>> On Tue, 1 Aug 2000 14:50:19 -0500, [EMAIL PROTECTED] (Elaine M. Ashton) said:
> 
>  > Andreas J. Koenig [[EMAIL PROTECTED]] quoth:
>  > *>
>  > *>I'm not arguing for changing the format but to optimize it for what we
>  > *>are doing. The most urgent points I would like to see addressed are:
>  > *>
>  > *>- List of and checksums for all files in the distribution,
> 
>  > Could you elaborate on this a bit? What is the checksum good for, where
>  > would it be stored and could it be obsoleted by a cryptographic signature?
> 
> My idea was to have the complete list of contained files, each with a
> checksum. This can be signed then. A signature that is produced this
> way can be included in the distribution file and doesn't need to be
> distributed separately. Distributing separately is considered annoying
> and errorprone.

I had a thought about this. What is this actually giving us? It obviously
gives some comfort if the dist is signed by its author. But what is
to stop some evil person who hacks a CPAN FTP site from just removing
the signature when they corrupt a distribution? Maybe PAUSE could create
signatures for non-signed uploads.

>  > What else would people like to see besides author, email, name, version,
>  > url, signature, dependancies....???
> 
> I'd like to NOT have author's name and email in there because that is
> redundant information and tends to get out of date.

So does the README. It may be redundant due to the fact that it is in an author's
directory on CPAN. But once the distribution leaves CPAN that knowledge is
lost, and having it in the OSD gives a KNOWN place to find such information.

> Author's credentials are not in the OSD, right?

Right.

> But
> they are in the PPD. Hmmm. I'd say, it should go away. The CPAN ID is
> fine, it is associated with a record in a public database and the
> record can be edited by the person. PAUSE could refuse an upload if
> the ID in the OSD isn't the same as the person doing the upload or
> some such.

Would you always want to force that? For example, why would the perl distribution
not be able to set the field to <[EMAIL PROTECTED]> ?

Graham.
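The scheme Andreas describes above (a list of every file with its checksum, signed, with the signature shipped inside the distribution), together with the attack Graham raises (an attacker who controls a mirror strips the signature along with corrupting the files), as an added example that is not code from this thread or from CPAN/PAUSE. Ed25519 and SHA-256 are stand-ins chosen here; the thread names no algorithm. The file name SIGNATURE, the separator line, and the distribution contents are assumptions constructed for the example. The verifier fails closed: a missing SIGNATURE is an error, not a pass, because otherwise stripping the file is as good as forging one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Dist is an in-memory stand-in for an unpacked distribution (path -> bytes).
// The contents used below are constructed sample data, not a real CPAN upload.
type Dist map[string][]byte

// SigFile is the name of the in-distribution signature file (an assumed name).
const SigFile = "SIGNATURE"

// sigSeparator divides the signed manifest from the hex signature over it.
const sigSeparator = "-----SIGNATURE-----\n"

// ErrUnsigned is returned when a distribution carries no SIGNATURE at all.
var ErrUnsigned = errors.New("distribution carries no " + SigFile)

// NewKeyPair returns a fresh ed25519 key pair (stand-in for the author's key).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Manifest renders one "sha256hex  path" line per file, sorted by path, so an
// identical set of files always produces identical bytes to sign. The
// signature file itself is excluded because it cannot contain its own hash.
func Manifest(d Dist) string {
	paths := make([]string, 0, len(d))
	for p := range d {
		if p != SigFile {
			paths = append(paths, p)
		}
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(d[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return b.String()
}

// Sign stores the manifest plus a signature over it inside the distribution,
// so nothing has to be distributed separately.
func Sign(d Dist, priv ed25519.PrivateKey) {
	m := Manifest(d)
	sig := ed25519.Sign(priv, []byte(m))
	d[SigFile] = []byte(m + sigSeparator + hex.EncodeToString(sig) + "\n")
}

// Verify checks the signature over the embedded manifest, then checks that the
// files actually present match that manifest (catching modified, added and
// removed files). An absent or malformed SIGNATURE is an error, never a pass.
func Verify(d Dist, pub ed25519.PublicKey) error {
	raw, ok := d[SigFile]
	if !ok {
		return ErrUnsigned
	}
	parts := strings.SplitN(string(raw), sigSeparator, 2)
	if len(parts) != 2 {
		return errors.New("malformed " + SigFile)
	}
	manifest := parts[0]
	sig, err := hex.DecodeString(strings.TrimSpace(parts[1]))
	if err != nil || !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("signature over manifest does not verify")
	}
	if manifest != Manifest(d) {
		return errors.New("files present differ from the signed manifest")
	}
	return nil
}

func main() {
	pub, priv := NewKeyPair()
	d := Dist{
		"README":     []byte("Foo-Bar 0.01\n"),
		"lib/Foo.pm": []byte("package Foo;\n1;\n"),
	}
	Sign(d, priv)
	fmt.Println("untouched:", Verify(d, pub))

	d["lib/Foo.pm"] = []byte("package Foo; # tampered on a mirror\n1;\n")
	fmt.Println("file modified:", Verify(d, pub))

	delete(d, SigFile)
	fmt.Println("signature stripped:", Verify(d, pub))
}
```

The last case is the one Graham's objection turns on: a client that treats a missing SIGNATURE as "nothing to check" gains nothing from authors signing, so the policy has to be either that every distribution is signed (by the author or, as suggested, by PAUSE for unsigned uploads) and clients reject unsigned ones, or that the expected key and signing status are learned from somewhere the mirror cannot alter.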
