Today Neil Bowers (@neilbowers) wrote a blog post titled “What happens when you upload to CPAN?” – a sneak peek at the very last part of the module releasing process (when you do cpan-upload and receive these two strange emails). Although I’ve already released a few distributions, PAUSE still seems to me a mysterious tool with a design (i.e. web interface) from a previous epoch, but somehow capable of managing over 29000 distributions maintained by over 11000 authors. What intrigued me in Neil’s article was the “hairy” part (the namespace indexer), particularly a conclusion (“the permissions check should be separate from, and earlier than, the indexing stage”) and these three points:
- PAUSE checks each package in your release to see if you’re allowed to release it. You must either be the owner or have co-maint (see the doc for PAUSE::Permissions). If you’ve flagged the package with no_index in the metadata, then the check is skipped.
- You are given ownership (‘f’ permission) for any packages that don’t currently have any permission associated with them in PAUSE.
- The second email is sent to you, with the results of the permissions check.
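To make the three rules concrete, here is a small added model of that check (example code written for this post, not PAUSE’s own code and not using PAUSE::Permissions). It parses the two public index files in their real layouts (06perms.txt rows are `package,userid,permission`; 02packages.details.txt rows are `package version path`), but every sample row, package name and userid below is constructed. `pause_check` follows the three points literally, including handing out ‘f’ to whoever shows up first for a package with no row in 06perms.txt. `guarded_check` is a hypothetical tightening, not the fix that was later made in PAUSE: before granting ‘f’ it asks whether the package is already indexed under a different author, which is exactly the “abandoned but still on CPAN” case. `find_orphans` lists such packages, the same comparison a script looking for ownerless-but-existing distributions would do.

```python
"""Toy model of the PAUSE permission check described above (added example,
not PAUSE's code). All sample rows, package names and userids are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed 06perms.txt fragment: mail-style header, blank line, data rows.
# f = first-come owner, m = registered (module list) owner, c = co-maint.
PERMS_TXT = """\
File:        06perms.txt
Columns:     package,userid,permission
Line-Count:  6

Acme::Example,ALICE,f
Acme::Example,BOB,c
Acme::Example::Util,ALICE,f
Acme::Other,CAROL,m
Acme::Other,DAVE,c
Acme::Other::Helper,DAVE,f
"""

# Constructed 02packages.details.txt fragment. Acme::Orphan is indexed
# (released by EVE) but has no row in PERMS_TXT: the situation in the post.
PACKAGES_TXT = """\
File:         02packages.details.txt
Columns:      package name, version, path
Line-Count:   4

Acme::Example          1.02  A/AL/ALICE/Acme-Example-1.02.tar.gz
Acme::Example::Util    1.02  A/AL/ALICE/Acme-Example-1.02.tar.gz
Acme::Other            0.10  C/CA/CAROL/Acme-Other-0.10.tar.gz
Acme::Orphan           0.16  E/EV/EVE/Acme-Orphan-0.16.tar.gz
"""


@dataclass
class PackagePerms:
    owner: Optional[str] = None                       # holder of 'f' or 'm'
    comaints: Set[str] = field(default_factory=set)   # holders of 'c'


def _data_lines(text: str) -> List[str]:
    """Skip the header; the first blank line ends it."""
    _header, _sep, body = text.partition("\n\n")
    return [ln for ln in body.splitlines() if ln.strip()]


def parse_perms(text: str) -> Dict[str, PackagePerms]:
    perms: Dict[str, PackagePerms] = {}
    for line in _data_lines(text):
        pkg, user, perm = line.split(",")
        entry = perms.setdefault(pkg, PackagePerms())
        if perm in ("f", "m"):
            entry.owner = user
        elif perm == "c":
            entry.comaints.add(user)
        else:
            raise ValueError(f"unknown permission {perm!r} in {line!r}")
    return perms


def parse_index(text: str) -> Dict[str, str]:
    """Map package -> uploading author, taken from the dist path (A/AL/ALICE/...)."""
    index: Dict[str, str] = {}
    for line in _data_lines(text):
        pkg, _version, path = line.split()
        index[pkg] = path.split("/")[2]
    return index


def pause_check(perms: Dict[str, PackagePerms], package: str, user: str,
                no_index: bool = False) -> str:
    """The three rules quoted above. Granting 'f' mutates `perms`, as PAUSE does."""
    if no_index:
        return "skipped"                  # no_index in the metadata: check not run
    entry = perms.get(package)
    if entry is None:                     # no permissions at all -> first come
        perms[package] = PackagePerms(owner=user)
        return "granted-first-come"
    if entry.owner == user or user in entry.comaints:
        return "authorized"
    return "unauthorized"


def guarded_check(perms, index, package, user, no_index=False) -> str:
    """Hypothetical tightening (not the actual PAUSE fix): a package already
    in the index under another author is orphaned, not new."""
    if package not in perms and package in index and index[package] != user:
        return "refused-orphan"
    return pause_check(perms, package, user, no_index)


def find_orphans(perms, index) -> List[str]:
    """Indexed packages with no row in 06perms.txt."""
    return sorted(pkg for pkg in index if pkg not in perms)


if __name__ == "__main__":
    perms, index = parse_perms(PERMS_TXT), parse_index(PACKAGES_TXT)
    print("orphans:", find_orphans(perms, index))                  # ['Acme::Orphan']
    print(guarded_check(perms, index, "Acme::Orphan", "MALLORY"))  # refused-orphan
    print(pause_check(perms, "Acme::Orphan", "MALLORY"))           # granted-first-come
    print(pause_check(perms, "Acme::Orphan", "EVE"))               # unauthorized
```

Run against the real files (mirror paths `modules/06perms.txt` and `modules/02packages.details.txt`), `find_orphans` gives the candidate list; the last two `pause_check` lines show why the literal rules are a problem: once the first-come grant has happened, the original uploader of the orphaned package is the one who gets “unauthorized”.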
What wasn’t clear to me was whether PAUSE would let me do an “unauthorized release” of a module which doesn’t have any owner listed in 06perms.txt. To find out, I wrote a simple script which found modules without an owner (using PAUSE::Permissions) and then checked which of these are existing distributions (using
As a result I had a list containing a few “abandoned” distributions, from which I chose one: YAML::AppConfig – previously released in 2006, with a few bugs on RT. I made two small fixes, bumped the version to 0.17, made a gzipped dist file and uploaded it to CPAN. I was expecting I’d receive two emails from PAUSE, the second informing me that the distribution wasn’t indexed due to insufficient permissions. To my astonishment, I actually got “Status of this distro: OK” and “Status: Successfully indexed”, and after a few hours every piece of the Perl / CPAN / PAUSE ecosystem listed my release as a proper one. I checked 06perms.txt and found:
PAUSE gave me the ‘f’ permission, which I thought was given only to the original distribution author. According to one of the latest Perl Advent Calendar articles covering the PAUSE permissions model:
The ‘f’ permission (‘first come’) says that I was the first person to upload the module.
…who I wasn’t. At this point I closed a bug on RT and started tweaking YAML::AppConfig, which, although “hijacked”, I consider suitable for my Monthly New Distribution Challenge 2014.
To sum up, either my understanding of PAUSE permissions is wrong or they have some flaws (or maybe features?). If I’m wrong, please correct me.
Anyway, does module hijacking count as module adoption?
I didn’t mean to disclose a potential security threat, and I’m sure I’ll be more careful in the future when writing about similar issues. Luckily, as you can see in the comment, @rjbs was in the right place at the right time (i.e. the Perl QA Hackathon 2014) and fixed the bug in PAUSE.
To be honest, I looked at the PAUSE code after I had “hijacked” the module, but setting up PAUSE is “Very Hard™”. For example, I didn’t have any Apache 1.3 with mod_perl1 ready at hand, nor any spare time to compile it. I hope it’ll be easier in the future.
One more thing – I took the opportunity and “adopted” YAML::AppConfig: fixed all bugs, made all tests pass, added a changelog, modernized its metadata, and uploaded version 0.19 to CPAN. If you spot more bugs (either in PAUSE or YAML::AppConfig), please report them. It’s open source after all.