> On Mar 23, 2016, at 11:20 AM, David Golden <x...@xdg.me> wrote:
> 
> On Wed, Mar 23, 2016 at 11:25 AM, Stefan Seifert <n...@detonation.org> wrote:
> > * I think we have to allow mass deletion, even if that de-indexes stuff.  I
> > think that's an author's right.
> 
> I've never gotten that argument.
> 
> Let's try a narrower argument: Should an author be allowed to delete *any* 
> distribution?
> 
> * Old tarballs?  Seems reasonable.
> 
> * Currently indexed tarballs?  What if a file was included that was never 
> meant for publication?  What if there was a really dangerous bug?  What if it 
> was accidentally uploaded company code that *isn't* open source?
> 
> I can think of several legitimate reasons to allow deletion and de-indexing.
> 
> Moreover, if we disallowed deletion, an author could just upload an empty 
> module except for a higher version number and get that indexed and that is as 
> effective at breaking things as removal.
> 
> So given that removal (a) has several reasonable uses and (b) doesn't stop 
> authors from mass-breaking dependents if they want to, I see no reason to 
> prohibit it.
> 
> David

I agree with you: taking away delete doesn't solve anything. So at best, all we 
can do is mitigate the catastrophes when they happen.

For me the scenario I worry about is: KWILLIAMS declares Module::Build a 
failure. He then removes all co-maints and wipes all of his tarballs. IMO, 
PAUSE admins should have a right to say: NOPE. Leon is now the owner of M::B, 
especially if the module removal breaks a large enough part of CPAN.

+1 to addressing https://github.com/andk/pause/issues/169. This is a potential 
security issue waiting to happen.

Todd
