This email appeared on the cpan-discuss mailing list a couple of hours ago.

--
José Pedro Oliveira
* mailto: jpo@xxxxxxxxxxxx * http://gsd.di.uminho.pt/jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *
--- Begin Message ---
- To: cpan-discuss@xxxxxxxx
- Subject: Disabling Module::Signature for a while
- From: Adam Kennedy <cpan@xxxxxx>
- Date: Thu, 11 May 2006 18:25:03 +1000
- Delivered-to: jpo@xxxxxxxxxxxx
- Delivered-to: mailing list cpan-discuss@xxxxxxxx
- Delivered-to: cpan-discuss@xxxxxxxx
- Mailing-list: contact cpan-discuss-help@xxxxxxxx; run by ezmlm
- User-agent: Thunderbird 1.5.0.2 (Windows/20060308)
Hi gang

I've been seeing some problems with Module::Signature for a while, and I notice from the following that it's starting to become a problem for other people as well.

http://cpanratings.perl.org/dist/Module-Signature

Additional problems include the lack of pgp|gpg on Windows, which creates an enormous dependency chain (15-30 modules) of security modules, many of which have platform problems or overly flexible installers, making it nearly impossible to install without forcing default options.

install Bundle::CPAN
...
"Would you like to enable PEM support?"
...
(repeat for up to a dozen other security questions)

On top of this, Module::Signature has a high bug count, many of which are serious and old.

http://rt.cpan.org/Public/Dist/Display.html?Name=Module-Signature

I've done a small amount of work myself on the Makefile.PL but anything else is beyond my skillset and time availability.

Audrey is obviously fully involved in pugs/Perl 6 and does not have time to spend on it, and I've been unable to locate a maintainer with enough time to deal with the problems.

Overall, I think (and some others agree) that Module::Signature has reached the point where it is causing more harm than good.

Any improvement in security is dwarfed by the problems it is causing for many people and modules.

The core toolchain is supposed to be highly robust and install painlessly in most environments.

I'd like people's thoughts on "resting" Module::Signature for a while, until suitable maintainers can be found and the major set of critical bugs have been resolved.

This would probably mean disabling it by default in CPAN.pm, removing the nag warnings, and removing it from Bundle::CPAN.

Would this cause any "showstopper" problems beyond just personal preferences or inconveniences?

Thanks for your time

Adam K
--- End Message ---