demerphq wrote:
>> I really, really, really don't want PAUSE modifying my stuff after it's
>> uploaded. Oh god the mysterious bugs. And then there's the fact that the
>> code I've put my name and signature on is not the same code as is being
>> distributed! That's a trust violation as well as maybe a license violation.
>
> Oh please, save me the drama. We aren't talking about modifying "your
> stuff" we are talking about twiddling some bits in a tar file.

I use the term "common carrier" [1] because it has a very special meaning. It is the difference between just transporting sealed packages and not. Once you peek inside them and get involved in their business, for whatever reason, you are no longer a common carrier. This is a whole different ball game.

What a common carrier says is they are responsible for moving things from point A to point B and that's that. They're not responsible for what's inside the package. They're not responsible for if it works, what you do with it or even if the contents are legal. Shipping companies, telcos, Internet providers, postal services... these are all (or should be) common carriers. They don't peek inside your package/conversation/packets/mail, no matter what the good intentions, and they'll take all comers.

As soon as they do, as soon as they take it upon themselves to inspect the contents, whether to accept some and reject others or to "fix" problems or whatever, they take on responsibility for those contents. Their role has changed and become much more complicated. The relationship between the sender and the carrier has also changed and become much more complicated.

This is why you used to never have to worry about a US phone company listening on your calls (except with a government mandated wire tap), because if they did they'd lose their common carrier status and suddenly have a crapload of extra, expensive, responsibility. Once they lose that status, or if they never had it in the first place (common carrier status for Internet providers is not clear), they'll monkey with your packets all they want. Now they monitor and traffic shape to their heart's content.

This slope is very slippery and very steep, but it has a very clear edge and CPAN has crossed it. This is why I want CPAN to return to its common carrier policy. Don't inspect them, don't open them, don't reject them and especially don't try to fix them, just leave the packages sealed.

> And if you really do want to be picky about this, then it could be
> voluntary as was already suggested.
>
> Then when PAUSE bounces my package it can say "We've rejected your
> package for blah blah blah, but we can fix it for you if you visit
> this [link], or if you reupload a new package with SPECIALFLAG set in
> the FNORBLE file."

Why are we fixing this at PAUSE at all? You can do this with the right tar flags. What's the next subtle, cross-platform problem that PAUSE is supposed to fix for you?

I already said I'd consider a MakeMaker patch to automatically strip world write bits on Windows, but I don't think one ever materialized. If it did and I missed it I apologize, but I really don't consider this to be an urgent issue.

>> They will be well intentioned and they will add complications and generate
>> false negatives and get in people's way and continue to erode CPAN's policy
>> of being a common carrier.
>>
>> Now that the CPAN shells and archiving modules are handling it at their end,
>> I think the PAUSE filter should be removed. It's not PAUSE's job to be the
>> code police.
>
> I agree with this. However we are where we are, and PAUSE fixing the
> package in a way that doesn't require windows users to get annoyed is
> a good solution.

We are not stuck "where we are". The PAUSE check is security theater and can simply be removed.

[1] "common carrier" is a legal idea from common US/UK law. I don't want to get into the legal mumbo jumbo because we're not lawyers, but invoking the idea is useful and powerful.

--
54. "Napalm sticks to kids" is *not* a motivational phrase.
    -- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
       http://skippyslist.com/list/