On Thu, May 7, 2026, at 04:50, Jens Rehsack wrote:
> Which is fine. I learned from Tim Bunce (but please, keep that between us), 
> that it would be possible for _me_ to upload an SQL-Statement tarball 
> containing also DBI packages, and because I am first-come for S::S, I would 
> be granted COMAINT for "pirate" packages I put into my uploads. I do not 
> intend to use this knowledge.

This is, near as I can tell, false.

Uploading a distribution that contains a mix of authorized and unauthorized 
packages will index the authorized ones, ignore the unauthorized ones, and 
certainly not change the permissions on the unauthorized ones.

Here's a PAUSE test I whipped up to prove it:
subtest "tim bunce told me" => sub {
  my $pause = PAUSE::TestPAUSE->init_new;

  $pause->add_first_come(AIDEN  => 'Asparagus');
  $pause->add_first_come(BRADEY => 'Broccoli');

  subtest "first step: initial upload" => sub {
    {
      $pause->upload_author_fake(AIDEN => {
        name    => 'Asparagus',
        version => '0.001',
        packages => [ qw( Asparagus ) ],
      });

      $pause->upload_author_fake(BRADEY => {
        name    => 'Broccoli',
        version => '0.001',
        packages => [ qw( Broccoli ) ],
      });

      my $result = $pause->test_reindex;
      $result->assert_index_updated;

      $result->package_list_ok([
        { package => 'Asparagus', version => '0.001'  },
        { package => 'Broccoli',  version => '0.001'  }
      ]);

      $result->perm_list_ok({
        'Asparagus'   => { f => 'AIDEN'  },
        'Broccoli'    => { f => 'BRADEY' },
      });
    }
  };

  subtest "second step: secret broccoli" => sub {
    {
      $pause->upload_author_fake(AIDEN => {
        name    => 'Asparagus',
        version => '0.002',
        packages => [ qw( Asparagus Broccoli ) ],
      });

      my $result = $pause->test_reindex;
      $result->assert_index_updated;

      $result->package_list_ok([
        { package => 'Asparagus', version => '0.002'  },
        { package => 'Broccoli',  version => '0.001'  }
      ]);

      $result->perm_list_ok({
        'Asparagus'   => { f => 'AIDEN'  },
        'Broccoli'    => { f => 'BRADEY' },
      });
    }
  };
};

This test passes:  the unauthorized inclusion of the Broccoli package in 
AIDEN's upload is ignored.  It is not indexed, and the permissions for the two 
packages do not expand to include a new comaint.

-- 
rjbs
