|
Kirrily Skud Robert wrote:
> Johan and/or modules@xxxxxxxx,
>
> What is the "official" best way to manage a module which may have
> different people acting as release managers over time? It seems
> like the only current way is to just have the release manager upload it
> under their own CPAN id.
This is the correct thing to do. Randle L. Schwartz was at my last PM
meeting and gave us the big run down of how CPAN works.
> This seems bad to me... currently CPAN allows anyone to upload anything
> with any name, so I (SKUD) could upload (for instance) an LWP module
> with a higher version number than the current one, and it could cause
> all kinds of problems.
Yes anyone can upload any file this is true. Separate from that there is
the published modules-list. This does not include every file uploaded to
CPAN. Only the modules flagged as real modules by the CPAN maintainers.
That means the modules list will only show the latest version of LWP
from the real maintainer, no matter what anyone else on CPAN uploads to
their own directories.
> However, it would be fairly obvious that I'd
> done something bad, because someone would fairly rapidly realise that
> I'm not actually the maintainer of that module and spank me.
No one would know you uploaded a new version of LWP unless they
specifically looked in your directory. doing an `install LWP` would not
download your "newer" copy. Only if someone were to type in `install
authors/id/S/SK/SKUD/lib-www-perl-9000.100.tar.gz` (or something to that
affect) would it download and install.
> Even that
> -- relying on a social fix to potentially dangerous exploits -- is
> pushing our luck, but at least it's *something*.
What exloit?
> If a module often changes hands, perhaps every couple of versions, then
> how will anyone know whether they can trust any given version?
You have to specifically tell the CPAN librarians the module is changing
hands before the published modules list will reflect this.
> The situation becomes yet more complex when we have a family of modules,
> any of which could be maintained by different people over time.
> Wouldn't it be better to go to authors/id/R/RE/REEFKNOT/ and be able to
> see all the reefknot-related modules in one place? (We currently have
> Net::ICal, and will shortly have Net::ITIP, Net::IMIP, and a number of
> Reefknot::* modules).
The directory they are in on the actual archive is for the most part
transparent to the CPAN user. As long as they do `install module::name`
it's always going to pull from the correct published location.
> Is there any effort underway to address these and other CPAN issues?
> Can we expect a "CPAN 2" sometime? Or do we need to start a push for
> such a thing?
no, no, and probably not.
Disclaimer: I could be 100% wrong about this, but this is basically the
entire rundown that Randel gave us just this past Monday, so take it as
that.
--
=======================================================================
Paul J. Baker Internet Systems Technician
pbaker@xxxxxxxxxxxxxxx Where2GetIt.com
phone 847-498-0111x234
fax 847-480-7422
=======================================================================
|
