Hi Jens, I've always thought that PAUSE should work this way:
• You upload a tarball
• It goes into a holding pen
• The indexer runs and checks if you've got indexing permissions for all packages in your code
• If you're missing any permissions then the tarball is deleted and you get an email back
• If you pass indexing, then the tarball is copied to your author directory and you're given first-come on any new package names.

You'd need indexing permissions to do a developer release, but you'd also be granted indexing permissions for an initial developer release, or a developer release that introduces new modules.

It also stops people accidentally introducing modules in a distribution which clash with another distribution. Right now that one module doesn't get indexed, but if they install your distribution they might overwrite the module from the person who has the indexing permission.

This is a much harder line than PAUSE currently draws, and I'm not sure any other PAUSE admins/developers agree with the above, but in the current age of supply chain attacks, there's more case for it.

Neil
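
The upload flow proposed in the message above, modelled next to the behaviour it describes for today, as an added example (not part of the original email and not PAUSE code). The `Index` class, the author IDs and the package names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Index:
    """Hypothetical permission table: package name -> authors allowed to index it."""
    perms: dict = field(default_factory=dict)

    def missing(self, author, packages):
        """Packages that already have owners, none of whom is `author`."""
        return sorted(p for p in packages
                      if p in self.perms and author not in self.perms[p])


def current_behaviour(index, author, packages):
    """Model of today's outcome as the email describes it: the clashing
    module is not indexed, but the tarball that contains it is still published."""
    return {"published": True,
            "unindexed_but_shipped": index.missing(author, packages)}


def holding_pen_gate(index, author, packages):
    """Proposed all-or-nothing check, run while the tarball is in the holding pen.
    Per the email, the same gate applies to developer releases."""
    missing = index.missing(author, packages)
    if missing:
        # One missing permission rejects the whole tarball: nothing is copied
        # to the author directory and no first-come permissions are granted.
        return {"published": False, "rejected_for": missing, "granted": []}
    new = sorted(p for p in packages if p not in index.perms)
    for p in new:
        index.perms[p] = {author}  # first-come on new package names
    return {"published": True, "rejected_for": [], "granted": new}


if __name__ == "__main__":
    idx = Index({"Foo::Bar": {"ALICE"}})          # constructed sample data
    upload = ["Baz", "Foo::Bar"]                  # BOB's tarball ships a clashing module
    print(current_behaviour(idx, "BOB", upload))  # published, Foo::Bar shipped unindexed
    print(holding_pen_gate(idx, "BOB", upload))   # rejected as a whole
    print(holding_pen_gate(idx, "BOB", ["Baz"]))  # accepted, BOB gets first-come on Baz
```
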
