Hi Neil,

> On 07.05.2026 at 10:36, Neil Bowers <[email protected]> wrote:
> 
> Hi Jens,
>   I've always thought that PAUSE should work this way:
>     • You upload a tarball
>     • It goes into a holding pen
>     • The indexer runs and checks if you've got indexing permissions for all 
> packages in your code
>     • If you're missing any permissions then the tarball is deleted and you 
> get an email back
>     • If you pass indexing, then the tarball is copied to your author 
> directory and you're given first-come on any new package names.

If PAUSE worked that way, I would be fine. No objections. But the 
existence of https://metacpan.org/release/ETHER/Params-Util-1.103_01 tells 
a different story.

> You'd need indexing permissions to do a developer release, but you'd also be 
> granted indexing permissions for an initial developer release, or a developer 
> release that introduces new modules.

Which is fine. I learned from Tim Bunce (but please, keep that between us) 
that it would be possible for _me_ to upload an SQL-Statement tarball 
that also contains DBI packages, and because I am first-come for S::S, I would be 
granted COMAINT on the "pirate" packages I put into my uploads. I do not intend to 
use this knowledge.

> It also stops people accidentally introducing modules in a distribution which 
> clash with another distribution. Right now that one module doesn't get 
> indexed, but if they install your distribution they might overwrite the 
> module from the person who has the indexing permission.
>   This is a much harder line than PAUSE currently draws, and I'm not sure any 
> other PAUSE admins/developers agree with the above, but in the current age of 
> supply chain attacks, there's more case for it.
>   Neil

So I understand you correctly when I hear: "PAUSE should work that way, but 
unfortunately it seems it does not. Unfortunately, PAUSE permits anybody 
with an account to upload anything.", which is worse than the detail Tim gave 
me.

And in the age of LLMs, it's not that hard to improve existing code. Luckily, 
we had very excessive testing in our modules.

Best regards,
Jens
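The holding-pen flow Neil outlines above, as an added illustration (Python, not PAUSE's own code): the permissions table, package names and author labels are constructed, and the "current" behaviour is modelled only as far as the thread describes it (the clashing package is skipped by the indexer, the tarball still ships).

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Permissions:
    # package name -> authors allowed to index it (first-come or comaint)
    grants: dict[str, set[str]] = field(default_factory=dict)

    def may_index(self, author: str, package: str) -> bool:
        return author in self.grants.get(package, set())

    def unclaimed(self, package: str) -> bool:
        return package not in self.grants

@dataclass
class Upload:
    author: str
    packages: list[str]  # package namespaces found in the tarball's code

def denied_packages(upload: Upload, perms: Permissions) -> list[str]:
    # Packages that someone else owns and the uploader may not index.
    return [p for p in upload.packages
            if not perms.unclaimed(p) and not perms.may_index(upload.author, p)]

def holding_pen(upload: Upload, perms: Permissions) -> tuple[str, list[str]]:
    """Proposed flow: check the whole tarball before anything is published.
    Rejection leaves permissions untouched; acceptance grants first-come on new names."""
    denied = denied_packages(upload, perms)
    if denied:
        return "rejected", denied             # tarball deleted, author emailed
    new = [p for p in upload.packages if perms.unclaimed(p)]
    for p in new:
        perms.grants[p] = {upload.author}     # first-come on new package names
    return "accepted", new

def current_index(upload: Upload, perms: Permissions) -> tuple[str, list[str]]:
    """Behaviour as the thread describes it today: the tarball is published and the
    clashing package is merely not indexed, so the file still ships and can overwrite
    the rightful owner's module on install."""
    for p in upload.packages:
        if perms.unclaimed(p):
            perms.grants[p] = {upload.author}
    return "published", denied_packages(upload, perms)

def demo() -> dict:
    # Constructed table: JENS is first-come on SQL::Statement, TIM on DBI (labels only).
    up = Upload("JENS", ["SQL::Statement", "SQL::Statement::Util", "DBI"])
    proposed, current = (Permissions({"SQL::Statement": {"JENS"}, "DBI": {"TIM"}}) for _ in range(2))
    return {"proposed": holding_pen(up, proposed), "current": current_index(up, current),
            "proposed_grants": proposed.grants, "current_grants": current.grants}
```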
