The same hack as rt.cpan.org uses - attempt a login on pause.cpan.org using the ID and password provided. If PAUSE accepts it, then you know it's the real thing.
That would mean my server if cracked could be used to collect PAUSE passwords. I am not sure I'd like to have that responsibility.
No, because you don't keep passwords. You do the auth back to PAUSE as you need it, and then merely record in your site's state that you did it.
That missed the point. If his server was hacked, an attacker could change his software to record PAUSE passwords instead of discarding them.
I'm not sure if it can be done, but maybe login IDs could be done with an email address rather than a nickname. That would allow module authors to clearly use their cpan email address for identity (with a password that is unique to cpanforums).
Then, for example, nicknames could be set/changed by the user, and maybe to flag actual authors, only allow an all-caps nickname if it matches /(\w+)@cpan.org/ or something like that.
David Golden
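
The nickname rule suggested in the last post, sketched as an added example that is not part of the thread or of any cpanforums code. The function names, the nickname length limits, the allowed ID characters, and the assumption that the site has already confirmed control of the address (for instance with a mailed confirmation link) are all hypothetical.

```perl
use strict;
use warnings;

# Hypothetical helper: the upper-cased ID an account may claim, or undef.
# $verified is assumed to be set only after the site has confirmed that the
# user controls $email; an unconfirmed address proves nothing.
sub cpan_id_from_email {
    my ($email, $verified) = @_;
    return undef unless $verified && defined $email;
    # The \A...\z anchors and the escaped dot matter: an unanchored
    # /(\w+)@cpan.org/ also matches "x@cpan.org.example.net" and "x@cpanXorg".
    return $email =~ /\A([A-Za-z0-9]+)\@cpan\.org\z/ ? uc $1 : undef;
}

# A nickname with no lower-case letter is reserved for the author whose
# verified cpan.org address matches it; any other nickname is open to all.
sub nickname_allowed {
    my ($nick, $email, $verified) = @_;
    return 0 unless defined $nick && $nick =~ /\A[\w-]{3,20}\z/a;  # assumed limits
    return 1 if $nick =~ /[a-z]/;
    my $id = cpan_id_from_email($email, $verified);
    return (defined $id && $id eq $nick) ? 1 : 0;
}

# Constructed sample accounts: nickname, email, address confirmed?
my @cases = (
    [ 'JDOE',     'jdoe@cpan.org',             1 ],  # allowed
    [ 'JDOE',     'jdoe@cpan.org',             0 ],  # denied: address unconfirmed
    [ 'JDOE',     'jdoe@cpan.org.example.net', 1 ],  # denied: look-alike domain
    [ 'JDOE',     'other@cpan.org',            1 ],  # denied: someone else's ID
    [ 'jdoe_fan', 'someone@example.com',       1 ],  # allowed: not all-caps
);

for my $c (@cases) {
    my ($nick, $email, $verified) = @$c;
    printf "%-9s %-26s confirmed=%d => %s\n", $nick, $email, $verified,
        nickname_allowed($nick, $email, $verified) ? 'allowed' : 'denied';
}
```

With this scheme the site only ever handles its own password and a confirmation token, so a compromise of the forum server exposes no PAUSE credentials.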