* Michael G Schwern <[EMAIL PROTECTED]> [2008-11-13 04:15]:
> I really, really, really don't want PAUSE modifying my stuff
> after it's uploaded. Oh god the mysterious bugs. And then
> there's the fact that the code I've put my name and signature
> on is not the same code as is being distributed!

Count me in this camp.

I do think that PAUSE could fix this, but it *MUST* require
author consent. User data is untouchable by principle. The fact
that tarballs are “just an envelope” does not matter; they are no
less part of the user’s data than the extracted contents.

My suggestion on IRC when dmq stumbled into this was that PAUSE
should not index the tarball nor mangle it; but it could produce
a repacked version and include a link to it in the “was not
indexed” mail. That way the author can rubberstamp the repacked
version by pasting the link right back into the URL field in the
PAUSE upload form. Or else they can fix their toolchain on their
own terms and prepare a fresh upload. Or take their ball and go
home. Whatever.

The real fix is to patch the Windows code in EU::MM and M::B so
that tarballs produced through them won’t contain world-writable
files, so that ultimately the whole process would become entirely
transparent to the Windows-based crowd. But in the meantime,
having PAUSE provide assistance (not automagic!) for such people
would be a helpful way of keeping the fuss down.

(Needless to mention, once the toolchain is appropriately
patched, the won’t-index mail should also include the hint that
if on Windows, one might want to upgrade one’s toolchain to avoid
having to deal with this hassle.)

> This security check has sent CPAN on the slippery slope of
> security.

Not hardly.

> Until now CPAN has been a common carrier. Pretty much anything
> was allowed, stuff was only rejected for extreme reasons and
> always on a case-by-case basis and always by human judgment.

The filtering does not change this. It doesn’t cause the upload
to be rejected. It merely causes it not to be indexed, and there
are lots of reasons for which PAUSE will already refuse to index an
upload that it accepts. Checking for world-writable files feels
to me just like the other “is this a sane tarball” tests that are
already being performed. It seems to me like a minor and hardly
objectionable addition – were it not for Windows marching to a
different drummer.

Silently mangling tarballs, in contrast, would be entirely new
territory.


* Jan Dubois <[EMAIL PROTECTED]> [2008-11-13 20:25]:
> CPAN (at least the indexing part of it) always poked inside the
> packages and verified "ownership" of namespaces. Do you really
> want *anybody* to be able to upload a new version of your
> modules and have them replace your versions in the index? If
> you don't, then you'll have to let go of this "common carrier"
> idea.

You are confusing two separate things, which is no surprise
because Michael confused them too. CPAN is two things: a file
distribution mirror network and an indexing service.

The mirror network, so far, distributes the files you put on
there in bit-for-bit identical form, and therefore is in fact a
common carrier.

The indexing service, OTOH, is not. But the author does not get
to touch the index database anyway. All they can do is affect it
in a roundabout way by uploading tarballs for distribution that
the indexer will consider interesting enough to take a look at.

Changing the indexer’s idea of what is interesting or not is not
related to the mirror network’s bit-for-bit identity contract. I
would not want to see the latter change.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
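
The check and the opt-in repack suggested in the mail above, as an added sketch that is not part of the original message and not PAUSE's own code. The function names and the sample distribution are constructed for illustration; the uploaded bytes are only read, and the repacked tarball is a separate object the author would have to accept.

```python
import io
import stat
import tarfile

def world_writable(tar_bytes):
    """Return names of members whose mode has the other-write bit set."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if m.mode & stat.S_IWOTH]

def repack(tar_bytes):
    """Build a new gzip'd tarball with o+w cleared; the input is left as-is."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src.getmembers():
            m.mode &= ~stat.S_IWOTH  # drop only the world-writable bit
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

def build_sample():
    """Constructed sample: a dist tarball with modes like a Windows build."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        for name, mode, data in [
            ("Foo-0.01/lib/Foo.pm", 0o666, b"package Foo; 1;\n"),
            ("Foo-0.01/Makefile.PL", 0o777, b"use ExtUtils::MakeMaker;\n"),
            ("Foo-0.01/README", 0o644, b"Foo\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return out.getvalue()

if __name__ == "__main__":
    original = build_sample()
    print("would not be indexed because of:", world_writable(original))
    fixed = repack(original)
    print("left in repacked copy:", world_writable(fixed))
    print("original untouched:", original == build_sample() or "bytes kept")
```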
