>>>>> On Wed, 12 Nov 2008 14:51:26 -0600, Jonathan Rockway <[EMAIL PROTECTED]> said:

> I agree with demerphq here, why can't PAUSE just fix this?

It didn't come up in the hasty discussion about this problem, it didn't
occur to me for a moment. And to nobody else. And the number of victims
seemed to be low. I'm watching the number of rejects every day and I
have counted 50 since Sep 23rd, so exactly one per day on average.

I will probably take the time to implement the suggestion, but can't
promise it at the moment.

> It won't
> break signatures (since they sign file content, not file metadata), and
> it won't break the CHECKSUMS file (since that could be generated after
> the tarball is fixed).

It seems you're right.

> It could be weird if what you upload to CPAN isn't what you
> download... but it fixes a security problem, and it doesn't require
> authors to know that this problem exists. Abstraction++

(demerphq,jrockway)++

--
andreas