
Reject dists containing /blib #24

Open
dolmen opened this Issue · 7 comments

4 participants

@dolmen

Distributions containing a /blib directory are usually made by CPAN beginners who made a tar.gz of their working directory instead of using make dist.
PAUSE should reject such distributions.

Here is an example of such a mistake: http://api.metacpan.org/source/GIDEON/Dancer-Plugin-Auth-Github-0.01/

@andk
Owner
@thaljef

I'll throw in my 2 cents on this...

I think PAUSE can and should reject a distribution for any reason it wants, so long as the criteria for rejection are well defined and documented. These criteria could include things like invalid meta, unauthorized packages, impolite tarballs, or world-writable file permissions.

PAUSE's liberal input policy places a burden on all the downstream tools to work around those problems. As the entry point to the CPAN ecosystem, PAUSE is uniquely positioned to filter bad inputs and maintain order in the Perl universe.
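As an added illustration (not PAUSE's own code) of the kind of well-defined, documented checks dolmen and thaljef describe above, the following standalone Python script inspects a distribution tarball for a blib directory, for world-writable members, and for "impolite" layouts (no single top-level directory, absolute or parent-traversing paths). The rule names, the helper that builds sample tarballs in memory, and the sample file lists are all constructed for this example.

```python
import io
import stat
import tarfile


def find_dist_problems(tar_bytes):
    """Scan a (gzipped or plain) tar archive held in memory and return a list of
    (rule, member_name) findings. Rule names are constructed for this example."""
    findings = []
    top_levels = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            parts = [p for p in name.split("/") if p not in ("", ".")]
            if not parts:
                continue
            # Impolite tarball: absolute path or parent-directory traversal.
            if name.startswith("/") or ".." in parts:
                findings.append(("unsafe-path", name))
                continue
            top_levels.add(parts[0])
            # A blib/ component is build output: the author tarred a working
            # directory instead of running "make dist".
            if "blib" in parts:
                findings.append(("blib", name))
            # World-writable permissions are unwanted in a distribution.
            if member.mode & stat.S_IWOTH:
                findings.append(("world-writable", name))
    # A polite tarball unpacks into exactly one Dist-Name-Version/ directory.
    if len(top_levels) != 1:
        findings.append(("no-single-top-dir", ",".join(sorted(top_levels))))
    return findings


def is_indexable(tar_bytes):
    """True when no rule fires: the distribution could be indexed as-is."""
    return not find_dist_problems(tar_bytes)


def build_tarball(entries):
    """Build a gzipped tarball in memory from (name, mode, is_dir) tuples.
    Helper for constructed sample data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, is_dir in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if is_dir:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = b"# placeholder content\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a clean dist, a working-directory dump, a flat dump.
GOOD_DIST = build_tarball([
    ("Foo-Bar-0.01/", 0o755, True),
    ("Foo-Bar-0.01/Makefile.PL", 0o644, False),
    ("Foo-Bar-0.01/lib/Foo/Bar.pm", 0o644, False),
])
BLIB_DIST = build_tarball([
    ("Foo-Bar-0.01/", 0o755, True),
    ("Foo-Bar-0.01/blib/", 0o755, True),
    ("Foo-Bar-0.01/blib/lib/Foo/Bar.pm", 0o644, False),
    ("Foo-Bar-0.01/Makefile", 0o666, False),
])
FLAT_DIST = build_tarball([
    ("Makefile.PL", 0o644, False),
    ("lib/Foo/Bar.pm", 0o644, False),
])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_DIST), ("blib", BLIB_DIST), ("flat", FLAT_DIST)):
        print(label, "indexable" if is_indexable(blob) else "rejected",
              find_dist_problems(blob))
```

Each rule is a single, explicit predicate over the archive listing, so the criteria can be documented verbatim in a rejection message; whether a failing distribution is refused outright or merely left unindexed is the policy question the rest of this thread is about.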

@dagolden

In Lancaster, Andreas clarified that PAUSE/CPAN is more in the model of Dropbox. Authors get a directory and can upload and organize what they wish. The "control" is over the index. So whenever anyone says "PAUSE should reject", what is meant is that "PAUSE must not index".

@andk
Owner
@dagolden
@thaljef

"Censorship" isn't the word I would use here. I think of it more like "cooperation".

As the size and density of any ecosystem increases, the priorities inevitably change. If you live out in the rural countryside, you can dig wells and dump sewage wherever you want on your property. But if you live in the city, you must attach to the standard municipal services.

In the early days, the CPAN ecosystem was small, standards were weak, and there was less certainty about what the tool chain would look like. So back then, it made sense to keep the barriers low and encourage lots of creative thinking. But now, the ecosystem is much larger, the standards are stronger, and the tool chain is more sophisticated. At this point, the need for interoperability trumps the desire for freedom of expression.

Saying that the index is the quality control mechanism feels unsatisfactory to me. The index has a very narrow and time-dependent view of what CPAN is. We don't expect CPAN to merely provide us with arbitrary tarballs. Rather, we expect it to provide things that the tool chain knows what to do with. But if PAUSE lets anything in the front door, then every downstream tool has to implement the same hacks and workarounds to deal with the uncertain and ill-defined input they will receive from CPAN.

@dagolden