Tels wrote:

> However, I am _really really_ starting to wonder whether we need a
> Kwalitee rating based on *excessive usage of prerequisites*.

Doing work based on existing CPAN modules instead of reinventing the wheel by oneself is typically *beneficial* to quality, because it tremendously enhances test coverage: the prerequisites are supposedly useful to other things besides supporting the top-most module, and are tested for such alternate uses. Witness e.g. Catalyst.

On the other hand, what about a negative kwalitee metric of "this module depends on a lot of *crappy* [low-kwalitee] modules"? A case could be made that that denotes poor architectural oversight on the part of the top-most module's author.

> * technically, I would have to audit each module before installing
> it...

Sorry, this is a strawman argument: human-based audits are not a credible defense against _intentional_ security vulnerabilities in code. Case in point (for C): http://www.brainhz.com/underhanded/

Bottom line: you have to trust the CPAN authors to some extent (for not being evil).

> * "perl Makefile.PL && make test && make install" is the mantra for
> everything

... including a credible surrogate for auditing code whose author you do trust. Actually that's the best the industry can do yet, short of sandboxing (which is orthogonal to the issue at hand) and program proving (which is a pipe dream for Perl, needless to say).

> ** some modules use Module::Build and the above doesn't work

Not all Module::Build modules lack a working Makefile.PL. My idea of measuring the average kwalitee of the dependencies would of course capture this ("depends on a module that is not buildable by CPAN" = bad, baad).

> [Lots of CPAN-related problems]

Yes, CPAN can be a pain; however (kw|qu)alit(ee|y) is not meant to be a metric of how easy a module is to install, but rather of whether it is possible to build something strong upon it, and to do so quickly and easily. (Or am I mistaken?)

I have another idea. What about reversing the odds, and rewarding those modules that provide an all-in-one archive (e.g. CatInABox, http://use.perl.org/~jk2addict/journal/28071) or a pure-Perl zero-dependency version with perhaps a restricted feature set, in addition to the "full" CPAN version? (hmm, maybe this check would be difficult to automate)

-- 
Dominique QUATRAVAUX
Ingénieur senior
01 44 42 00 08
IDEALX
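The "average kwalitee of the dependencies" metric sketched in the message above, written out as an added example that is not part of the thread and not code from CPANTS or any CPAN project. It walks a constructed dependency graph (all module names, scores and "buildable" flags are made up), treats a prerequisite that cannot be built with the standard `perl Makefile.PL && make test && make install` sequence as scoring zero, and guards against dependency cycles so the walk terminates.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): a sketch of the
# "average kwalitee of the dependencies" metric. Module names, scores and
# the "buildable" flags below are constructed sample data.
use strict;
use warnings;

# Constructed sample data: each module's own kwalitee score (0..1), whether
# "perl Makefile.PL && make test && make install" works for it, and its
# declared prerequisites. All names are hypothetical.
my %dist = (
    'Top::Module' => { kwalitee => 0.90, buildable => 1, requires => ['Good::Lib', 'Meh::Lib'] },
    'Good::Lib'   => { kwalitee => 0.95, buildable => 1, requires => ['Solid::Base'] },
    'Solid::Base' => { kwalitee => 1.00, buildable => 1, requires => [] },
    'Meh::Lib'    => { kwalitee => 0.40, buildable => 0, requires => ['Solid::Base', 'Cyclic::Dep'] },
    'Cyclic::Dep' => { kwalitee => 0.70, buildable => 1, requires => ['Meh::Lib'] },  # cycle on purpose
);

# Transitive prerequisites of $name, depth-first. The root and every module
# already visited are recorded in %$seen so that the cycle
# Meh::Lib <-> Cyclic::Dep terminates and nothing is counted twice.
sub transitive_deps {
    my ($name, $seen) = @_;
    $seen ||= { $name => 1 };
    my @out;
    for my $dep (@{ $dist{$name}{requires} || [] }) {
        next if $seen->{$dep}++;
        push @out, $dep, transitive_deps($dep, $seen);
    }
    return @out;
}

# Effective score of one prerequisite: its own kwalitee, or zero if it is not
# buildable the standard way ("depends on a module that is not buildable by
# CPAN" = bad). An unknown prerequisite is also scored as the worst case.
sub effective_score {
    my ($name) = @_;
    my $d = $dist{$name} or return 0;
    return $d->{buildable} ? $d->{kwalitee} : 0;
}

# The proposed metric: mean effective score over all transitive prerequisites.
# A module with no prerequisites gets 1 (nothing can drag it down).
sub dependency_kwalitee {
    my ($name) = @_;
    my @deps = transitive_deps($name);
    return 1 unless @deps;
    my $sum = 0;
    $sum += effective_score($_) for @deps;
    return $sum / @deps;
}

for my $name (sort keys %dist) {
    my @deps = transitive_deps($name);
    printf "%-12s deps=%-44s dependency kwalitee = %.2f\n",
        $name, (join(',', @deps) || '(none)'), dependency_kwalitee($name);
}
```

With the sample graph, Top::Module pulls in Good::Lib, Solid::Base, Meh::Lib and Cyclic::Dep; the unbuildable Meh::Lib contributes zero, so Top::Module's dependency kwalitee is (0.95 + 1.00 + 0 + 0.70) / 4, well below its own score of 0.90. Whether a module counts as "buildable" is the input a real implementation would have to obtain from an actual build attempt; here it is simply a flag in the sample data.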
