This queue is for tickets about the App-cpanminus-reporter CPAN distribution.

Report information
The Basics
Id: 91836
Status: resolved
Priority: 0/
Queue: App-cpanminus-reporter

People
Owner: Nobody in particular
Requestors: ether [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 0.14



Subject: Check if the dist really exists on cpan
See the problem (and potential solution) described in this thread: http://www.nntp.perl.org/group/perl.cpan.testers.discuss/2014/01/msg3293.html Since one needs to be connected to the internet to send off the report, I think sending a HEAD request to www.cpan.org is fairly reasonable.
On Fri Jan 03 13:26:43 2014, ETHER wrote:
> See the problem (and potential solution) described in this thread:
> http://www.nntp.perl.org/group/perl.cpan.testers.discuss/2014/01/msg3293.html
>
> Since one needs to be connected to the internet to send off the
> report, I think sending a HEAD request to www.cpan.org is fairly
> reasonable.
Hi Karen!

I see a few potential issues with this approach:

1) When installing previously downloaded dists locally, there's no way to know where it came from. Should we simply skip those?

2) cpanm allows you to fetch/install dists not just from CPAN, but also from (local|remote) personal mirrors, BackPAN and even Github. Should we query all of those? What guarantee do we have that the remote dist actually comes from CPAN with this approach?

What do you think? My current approach is to offer the 'exclude' and 'only' parameters to the user, and hand the validation responsibility over to the cpantesters' server.
Would the exclude/only parameters be the best thing? What you (and cpantesters) really want to know is that the source is from PAUSE, and not some local build from the repo that's between releases, etc. If the release had some sort of token or checksum that could be included in the report, it could be used to verify that it's a "real" release.

I wonder if we could calculate a checksum from the .tar.gz and include that in the report for cpantesters to verify, or use that ourselves to verify the dist. Except, the cpan client would have to calculate that, as the reporting tool doesn't itself have access to the tarball anymore. (If it were included in the distribution metadata, we might be able to still find it though.)

I'm still jetlagged, so I need to ponder more. And if only I'd thought of this sooner, we could have maybe done it in Lyon! :p
On 2014-03-17 07:36:35, GARU wrote:
> 1) When installing previously downloaded dists locally, there's no way
> to know where it came from. Should we simply skip those?
Yes, skip if we can't map this dist strictly to a CPAN release.

> 2) cpanm allows you to fetch/install dists not just from CPAN, but
> also from (local|remote) personal mirrors, BackPAN and even Github.
> Should we query all of those? What guarantee do we have that the
> remote dist actually comes from CPAN with this approach?
I like the checksum idea of ETHER. CPAN already has CHECKSUM files in author dirs. This could only apply if we are installing from an archive file, not from a local dir or Github.

Until we can compare the local distribution with some official release on CPAN, it would be safer to avoid sending the report somewhere.

--
Olivier Mengué - http://perlresume.org/DOLMEN
Ok! Version 0.14 should correctly skip all local distributions, while still sending remote ones from that same build.log. Patches are most welcome for a proper way to make sure a given local installation is the exact same from whatever is on CPAN :) Cheers!
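
The checksum comparison proposed in this thread, as an added example (not code from App::cpanminus::reporter or from any participant in the ticket): hash the archive and send a report only if the author's CHECKSUMS file lists that file name with the same SHA-256. It assumes CHECKSUMS entries of the form `'file' => { ... 'sha256' => '...' }`; the function names, the Foo-Bar file names and the sample data are hypothetical and constructed.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Pull { filename => sha256 } out of CHECKSUMS text with a regex rather than
# eval: the file is Perl source and it arrives over the network.
sub parse_checksums {
    my ($text) = @_;
    my %sha256_for;
    while ($text =~ /^\s*'([^']+)'\s*=>\s*\{(.*?)^\s*\}/msg) {
        my ($file, $body) = ($1, $2);
        $sha256_for{$file} = lc $1
            if $body =~ /'sha256'\s*=>\s*'([0-9a-fA-F]{64})'/;
    }
    return \%sha256_for;
}

# True only when the archive name is listed and its SHA-256 matches.
sub is_cpan_release {
    my ($archive_name, $archive_bytes, $checksums_text) = @_;
    my $expected = parse_checksums($checksums_text)->{$archive_name};
    return 0 unless defined $expected;    # not listed: cannot map to a release
    return sha256_hex($archive_bytes) eq $expected ? 1 : 0;
}

# Constructed sample data: stand-in archive bytes and a CHECKSUMS body built
# around their digest. A real run would read the archive from disk and the
# CHECKSUMS file from the author directory on the mirror.
my $release   = "constructed stand-in for the bytes of Foo-Bar-0.01.tar.gz";
my $digest    = sha256_hex($release);
my $checksums = <<"END";
\$cksum = {
  'Foo-Bar-0.01.tar.gz' => {
    'mtime' => '2014-01-01',
    'sha256' => '$digest'
  },
};
END

for my $case (
    [ 'Foo-Bar-0.01.tar.gz', $release,              'send' ],  # exact release
    [ 'Foo-Bar-0.01.tar.gz', $release . "-patched", 'skip' ],  # modified build
    [ 'Foo-Bar-0.02.tar.gz', $release,              'skip' ],  # never released
) {
    my ($name, $bytes, $want) = @$case;
    my $got = is_cpan_release($name, $bytes, $checksums) ? 'send' : 'skip';
    printf "%-20s %s (expected %s)\n", $name, $got, $want;
}
```

A local directory or Git checkout has no archive to hash, so this check cannot cover those installs, which is the case the thread settles by skipping them.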