Bug #107647 for Submodules: Namespace pollution

Thu Oct 08 23:42:24 2015 KENTNL [...] cpan.org - Ticket created

Subject:

Namespace pollution

There are a lot of modules in "fakelib" and "fakelib2", which due to lack of care, are now indexed on CPAN.

You should mask those paths out with `no_index` https://metacpan.org/pod/CPAN::Meta::Spec#no_index

Unfortunately, this also means that those names will be "owned" by you in perpetuity unless you can work out how to get PAUSE to release them, and other users will be barred from getting modules with those names indexed.

Thu Oct 08 23:42:55 2015 KENTNL [...] cpan.org - Correspondence added

Additionally, from the documentation, it is not clear how this module differs substantially from Module::Pluggable and friends.

Fri Oct 09 17:20:16 2015 ZARABOZO [...] cpan.org - Taken

Fri Oct 09 17:44:43 2015 ZARABOZO [...] cpan.org - Correspondence added 30 min

On Thu Oct 08 23:42:24 2015, KENTNL wrote: Show quoted text

> https://metacpan.org/release/Submodules > > There are a lot of modules in "fakelib" and "fakelib2", which due to > lack of > care, are now indexed on CPAN.

Hello, It wasn't lack of care. I'm new to uploading distributions and I tried to read correct documentation on how to proceed, but seems like it wasn't the right one. I read perlnewmod and then I went for module-starter, which does not make it clear how to prevent files from being indexed. I'm aware of that. I emailed modules@perl.org asking how to prevent files from getting indexed but unfortunately I did not get a response. Show quoted text

> You should mask those paths out with `no_index` > https://metacpan.org/pod/CPAN::Meta::Spec#no_index

Ok, I just read the documentation from that link, and I still don't know what that is for or how to use it. I understand what the specification says and how to build that data structure, but I don't know yet after reading it where am I supposed to use that and how. Maybe you can give me a little help on it? Show quoted text

> Unfortunately, this also means that those names will be "owned" by you in > perpetuity unless you can work out how to get PAUSE to release them, and other > users will be barred from getting modules with those names indexed.

PAUSE has a section to abandon permissions for a namespace without reassigning them to anyone. I'll do that as soon as I can figure out how to prevent the indexing, otherwise it will just happen again when I upload a new realease. Any help understanding this will be hightly appreciated. Thank you.

Fri Oct 09 17:44:43 2015 The RT System itself - Status changed from 'new' to 'open'

Fri Oct 09 17:44:44 2015 ZARABOZO [...] cpan.org - Fixed in 1.0000 added

Fri Oct 09 17:44:44 2015 ZARABOZO [...] cpan.org - Fixed in 1.0002 added

Fri Oct 09 17:44:44 2015 ZARABOZO [...] cpan.org - Fixed in 1.0004 added

Fri Oct 09 23:37:47 2015 KENTNL [...] cpan.org - Correspondence added

On 2015-10-10 10:44:43, ZARABOZO wrote:
> On Thu Oct 08 23:42:24 2015, KENTNL wrote:
> It wasn't lack of care. I'm new to uploading distributions and I tried
> to read correct documentation on how to proceed, but seems like it
> wasn't the right one. I read perlnewmod and then I went for module-
> starter, which does not make it clear how to prevent files from being
> indexed.

Yeh, My bad, I chose a word wrong a bit and then wondered why I used it immediately after. Call it a lack of care on my behalf if you will :P

> > You should mask those paths out with `no_index`
> > https://metacpan.org/pod/CPAN::Meta::Spec#no_index
>
> Ok, I just read the documentation from that link, and I still don't
> know what that is for or how to use it. I understand what the
> specification says and how to build that data structure, but I don't
> know yet after reading it where am I supposed to use that and how.
> Maybe you can give me a little help on it?

There's actually 2 ways to get them not to index, some people use both to be sure.

Because the PAUSE indexer is linebased, there's a specific way to hide the "package" declarations in any file so PAUSE cant see it.

package # hide from pause

Foo;

^ This idiomatic convention doesn't change how perl itself sees it, but the "package Foo" token being split by a newline and a comment subverts PAUSE seeing it.

The other way ( which I recommend ) when you're using MakeMaker is using the META_MERGE key:

https://metacpan.org/pod/ExtUtils::MakeMaker#META_MERGE

However, That requires additional care due to needing a minimum EUMM version.

Here's some suggestion code that gets around that problem without needlessly raising the minimum EUMM version: https://gist.github.com/kentfredric/4416671ac5a0453a2d09

You can verify its worked by checking what is in the META.json of the tarball made with `make dist`, as the contents of this array should change:

https://metacpan.org/source/ZARABOZO/Submodules-1.0004/META.json#L16

Additionally, for extra security, you can also consider putting those dirs in t/ instead of at the top level, which gives you extra security, as "t/" is both

- automatically included in EUMMs generated META.json by default

- automatically excluded by the PAUSE indexer

Hope that helps =)

Sat Oct 10 01:35:12 2015 ZARABOZO [...] cpan.org - Correspondence added 30 min

On Fri Oct 09 23:37:47 2015, KENTNL wrote: Show quoted text

> Hope that helps =)

It was of amazing help. Thank you so much! :-) I tried a new distribution with your code and tips and it was enough to have PAUSE index just the two files that were supposed to get installed. Thanks again, I really appreciate the time you put into this. Best regards, Francisco Zarabozo

Sat Oct 10 01:35:18 2015 ZARABOZO [...] cpan.org - Status changed from 'open' to 'resolved'

Sat Oct 10 01:35:19 2015 ZARABOZO [...] cpan.org - Fixed in 1.0000 deleted

Sat Oct 10 01:35:22 2015 ZARABOZO [...] cpan.org - Fixed in 1.0002 deleted

Sat Oct 10 01:35:23 2015 ZARABOZO [...] cpan.org - Fixed in 1.0004 deleted