* On Wed, Nov 12 2008, David Golden wrote:
> On Wed, Nov 12, 2008 at 3:17 PM, demerphq <[EMAIL PROTECTED]> wrote:
>> IMO if the toolchain is to work this should happen at PAUSE (if it can
>> detect this problem IMO it should just damn well fix it itself) or at
>> extraction.
>
> It *is* being fixed at extraction.  But it requires people to upgrade
> CPAN and CPANPLUS (maybe Archive::Extract as well).  It was a faster
> fix to close the PAUSE indexing door than to get those fixes released.

I agree with demerphq here, why can't PAUSE just fix this?  It won't
break signatures (since they sign file content, not file metadata), and
it won't break the CHECKSUMS file (since that could be generated after
the tarball is fixed).

It could be weird if what you upload to CPAN isn't what you
download... but it fixes a security problem, and it doesn't require
authors to know that this problem exists.  Abstraction++

Regards,
Jonathan Rockway

--
print just => another => perl => hacker => if $,=$"
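
Added example, not part of the original message or of PAUSE's code: a Python sketch of the argument above that rewriting tarball metadata leaves per-file content digests intact while the archive-level digest changes, so a CHECKSUMS-style entry has to be computed after the fix. It assumes the metadata in question is the permission bits in each tar header (the message does not say which metadata); the sample files and all function names are constructed for illustration.

```python
import hashlib, io, tarfile

# Constructed sample distribution (names and contents are made up).
SAMPLE = {"Foo-0.01/lib/Foo.pm": b"package Foo;\n1;\n",
          "Foo-0.01/Makefile.PL": b"use ExtUtils::MakeMaker;\n"}

def build_tarball(files, mode):
    """Build an in-memory .tar.gz whose members all carry `mode`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def normalize_modes(blob, strip=0o022):
    """Rewrite the archive with the `strip` bits cleared on every member
    (assumption: group/other write bits are the metadata being fixed)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src:
            fobj = src.extractfile(member) if member.isfile() else None
            member.mode &= ~strip
            dst.addfile(member, fobj)
    return out.getvalue()

def content_digests(blob):
    """SHA-256 of each file's content: what a content-only signature covers."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar if m.isfile()}

def member_modes(blob):
    """Permission bits recorded in each member's tar header."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: m.mode for m in tar}

def tarball_digest(blob):
    """SHA-256 of the archive itself: what an archive-level checksum covers."""
    return hashlib.sha256(blob).hexdigest()

if __name__ == "__main__":
    uploaded = build_tarball(SAMPLE, 0o666)
    fixed = normalize_modes(uploaded)
    print("modes before:", {n: oct(m) for n, m in member_modes(uploaded).items()})
    print("modes after: ", {n: oct(m) for n, m in member_modes(fixed).items()})
    print("content digests equal:", content_digests(uploaded) == content_digests(fixed))
    print("archive digest equal: ", tarball_digest(uploaded) == tarball_digest(fixed))
```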