Uploading a tarball with packages you don't control has always (or at least for 15 years) been permitted. Roughly speaking, "anyone" can upload "anything". The permissions system only governs what gets into the index.
I don't know how metacpan decides what to show as an unauthorized release. That seems likely to cause confusion, but probably showing it solves some other problems I can't get at. On Sat, May 2, 2026, at 09:49, Jens Rehsack wrote: > Hey, > > I always thought there are rules for uploading updates to PAUSE. > > Concretely: ETHER has no permissions on the Params::Util namespace and never > requested any. Nevertheless, ETHER uploaded > ETHER/Params-Util-1.103_01.tar.gz. Numerically 1.103_01 (1.10301) is greater > than my legitimate developer release 1.103_001 (1.103001), so MetaCPAN > displays the unauthorised upload as the "latest" release for the namespace. > > For context: in response to Issues #5 and #6, plicease (Graham Ollis) did > request co-maintenance through the proper channel, which I declined for > reason. ETHER bypassed that process entirely. That is overreaching and > disrespectful. > > I request: > > 1. Removal of ETHER/Params-Util-1.103_01.tar.gz from CPAN. > 2. A standing block preventing ETHER from uploading into any namespace I own. > > Best regards, > Jens Rehsack > > *Attachments:* > • signature.asc
