> However, we (the CPAN community) can do a lot of things after that to 
> mitigate any damage. I wholeheartedly agree with transferring namespace 
> permissions to something that the PAUSE admins control, so any random joe 
> cannot claim the namespace and upload whatever he likes into it (this is an 
> attack vector we must keep closed).  We also need to be able to act quickly 
> to publish something in its place so installations pulling directly from the 
> CPAN do not break.  I would suggest an email alert go out to the modules@ 
> list (or another list, should this prove too noisy) providing notification 
> that an indexed module is being deleted and de-indexed.

I’ve got no idea what the monthly volume of deletions is, but I think there are 
two main cases:

        1. dists that aren’t used by anything else
        2. dists that are somewhere on the river

It would be nice to have a feed of all dists scheduled for deletion, as soon as 
they’re scheduled, with additional alerting if the dist is upriver at all.
PAUSE doesn’t (currently) know the river position, but if it published a feed 
of deletion-schedulings, then some third-party agent could monitor the feed and 
check for dists that are on river. I think those are the dists that should be 
alerted to modules@.

Even if all deletions go to modules@, it would still be handy if that 
notification mentioned river position. Maybe PAUSE could publish an hourly list 
of files that are currently scheduled for deletion, similar to various other 
files it generates?

Obviously the issue here is DarkPAN: a dist might not have any CPAN dependents, 
but may be used plenty out in the big bad world. That’s a separate problem :-)

Neil
