Jan Dubois wrote:
> On Thu, 13 Nov 2008, Michael G Schwern wrote:
>> This is why I want CPAN to return to its common carrier policy.  Don't
>> inspect them, don't open them, don't reject them and especially don't try
>> to fix them, just leave the packages sealed.
> 
> CPAN (at least the indexing part of it) always poked inside the packages and
> verified "ownership" of namespaces.  Do you really want *anybody* to be able
> to upload a new version of your modules and have them replace your versions
> in the index?  If you don't, then you'll have to let go of this "common
> carrier" idea.
> 
> Another "violation" of your common carrier ideal is that PAUSE won't index
> packages with a version number lower than the highest already released one.
> Do you want to get rid of that too?
>
> Finally, there is a difference between what you can upload to CPAN and what
> is being included in the index (although stuff not in the index is of course
> invisible to many CPAN users).

These are all related to how CPAN works or CPAN-specific security holes.  Sort
of a "clear and present danger" clause with the added notion that it's a
problem created by CPAN and only PAUSE can solve the problem.

It's sort of like the post office needing to know who it's from and where it's
going... except we put that information on the inside so PAUSE has no choice
but to peek.  And we do it with incorruptible robots.

And these were pragmatic decisions made to get shit done.  They were not done
under the general purpose banner of "Think Of The Children".  Sorry, "Protect
The User".

Namespace spoofing is a very clear, real and CPAN-specific security problem.
Namespace protection is necessary to prevent a malicious Trojan horse.  It's a
security problem created by CPAN which should be (and can only be) solved by
CPAN.

The version numbering thing is necessary because the index is limited to
showing just one version.  Are you going to index the latest or the highest?
PAUSE had to make a decision and went with the highest.

The difference between the CPAN index and what's on CPAN is a lamentable part
of how the CPAN index is implemented; it can only show one version.  With only one
tool at its disposal, PAUSE has to take an all-or-nothing approach.  If the
index technology were improved to allow a complete index with metadata (what
search.cpan.org effectively does for itself) then we could have a complete
listing with information about the authority of each dist marked in the index.
That would relieve a lot of problems and give PAUSE a lot of flexibility.


[1]  Someone's going to point out that an independent could create their own
index from a CPAN mirror and publish that, but it's going to fall out of sync.

-- 
Reality is that which, when you stop believing in it, doesn't go away.
    -- Phillip K. Dick

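A constructed simulation of the two indexing rules the thread describes (first-come namespace ownership and highest-version-wins), added here as an illustration and not PAUSE's own code; the class and function names are hypothetical, and versions are assumed to be plain Perl-style decimals (so "1.10" sorts below "1.9"):

```python
# Constructed simulation of the two PAUSE indexing rules discussed above:
# (1) a package name belongs to the author who first uploaded it, and
# (2) the index lists only the highest version seen so far.
# Names and data structures are hypothetical, not PAUSE's own code.
from dataclasses import dataclass


@dataclass
class Upload:
    author: str   # PAUSE id of the uploader
    package: str  # e.g. "Foo::Bar"
    version: str  # plain decimal version string, e.g. "1.10"


def decimal_version(v: str) -> float:
    """Perl-style decimal comparison: '1.10' equals 1.1 and is therefore
    lower than '1.9'.  Assumes plain decimals (no v-strings/underscores)."""
    return float(v)


class Index:
    def __init__(self):
        self.owner = {}   # package -> author who registered it first
        self.latest = {}  # package -> (version, author) currently indexed

    def submit(self, up: Upload) -> str:
        """Return 'indexed', 'not-owner' or 'lower-version'."""
        owner = self.owner.setdefault(up.package, up.author)
        if owner != up.author:
            return "not-owner"      # rule 1: someone else owns the namespace
        current = self.latest.get(up.package)
        if current and decimal_version(up.version) <= decimal_version(current[0]):
            return "lower-version"  # rule 2: only a higher version replaces
        self.latest[up.package] = (up.version, up.author)
        return "indexed"


def demo():
    """Run a constructed upload sequence; return the decisions and final entry."""
    idx = Index()
    uploads = [
        ("ALICE", "Foo::Bar", "1.00"),    # first upload registers ownership
        ("MALLORY", "Foo::Bar", "9.99"),  # higher version, but not the owner
        ("ALICE", "Foo::Bar", "0.90"),    # owner, but lower than 1.00
        ("ALICE", "Foo::Bar", "1.10"),    # owner, higher: replaces 1.00
        ("ALICE", "Foo::Bar", "1.9"),     # 1.9 > 1.10 as decimals: indexed
    ]
    results = [idx.submit(Upload(*u)) for u in uploads]
    return results, idx.latest["Foo::Bar"]
```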