Bug#676164: UUID-0.04 marked "UNAUTHORIZED RELEASE" on CPAN

Jonathan Yu jawnsy at cpan.org
Mon Jun 18 02:40:21 UTC 2012


Hi Florian,

(Cc'ing debian-perl list - hopefully some of the current active members can
chime in)

I spent a few spare cycles to do a quick investigation. The good news is
that it looks like your instincts were correct. However, in summary, I
would suggest a removal of the UUID module from Debian if possible. The
full diff between UUID-0.02/UUID-0.04 is small, so it is pasted at the
bottom of this message.

1. I checked on PAUSE and the current permissions set for UUID do not
mention either of the names that have been added to UUID 0.04 from UUID
0.02:

module  userid  fullname        type        owner
UUID    BRAAM   Peter J. Braam  first-come  LZAP
UUID    LZAP    Lukáš Zapletal  modulelist  LZAP

(PAUSE peek-perms queries behind the table:
https://pause.perl.org/pause/authenquery?pause99_peek_perms_by=me&pause99_peek_perms_query=UUID&pause99_peek_perms_sub=1
https://pause.perl.org/pause/authenquery?pause99_peek_perms_by=a&pause99_peek_perms_query=BRAAM&pause99_peek_perms_sub=1
https://pause.perl.org/pause/authenquery?pause99_peek_perms_by=a&pause99_peek_perms_query=LZAP&pause99_peek_perms_sub=1)

2. No license or copyright information exists in UUID 0.02:

From UUID-0.02/:
$ grep -ir copyright .
$ grep -ir license .

(both blank)

So it is questionable whether we are actually allowed to distribute this in
Debian or not, unless I've missed something...

3. Last upload of the UUID module (version 0.02) was in 2001; the packaging
style seems to be of quite an old vintage. There are serious outstanding
bugs on the RT (not installable on CentOS) that do not have replies from
the package maintainer. This means that Debian is effectively the
maintainer (there is no upstream), which would certainly put greater load
on the pkg-perl team than desired.

4. The removal won't be easy since the reverse depends are doc-base and
linux-base (though perhaps they can be retooled to use a different Perl
UUID library without too much effort):

$ apt-cache rdepends libuuid-perl
libuuid-perl
Reverse Depends:
  linux-base
  doc-base

5. UUID 0.04 doesn't add much over UUID 0.02; it seems the only notable
change is the addition of licensing information, which isn't actually legal
(since the authors who added that license do not appear to be copyright
holders).

Diff between the UUID 0.02 and UUID 0.04 versions:

diff '--unified=3' UUID-0.02/Changes UUID-0.04/Changes
--- UUID-0.02/Changes   2001-02-08 09:07:59.000000000 -0500
+++ UUID-0.04/Changes   2009-07-22 23:18:11.000000000 -0400
@@ -1,5 +1,16 @@
 Revision history for Perl extension UUID.

+0.04 Wed Jul 22 20:17:26 PDT 2009
+      - Seems to be abandoned (again)
+      - Bump version number and upload to PAUSE
+
+0.03  Fri Jan 12 15:24:24 MST 2007
+      - Added Artistic license
+      - Took over maintaining (Colin Faber - CFABER)
+
+0.02  Unknown
+       - unknown changes
+
 0.01  Thu Feb  8 06:07:59 2001
        - original version; created by h2xs 1.20 with options
                -A -n UUID
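Review bot: the 0.04 entry records a version bump and a PAUSE upload but not who made it or on what authority, and the 0.03 entry records an Artistic licence being "Added" by a new maintainer without any mention of the original author's consent; since these two entries are the only record of how the distribution changed hands, each should name the uploader's PAUSE ID and state that the copyright holder agreed to the relicensing. The retrofitted "0.02  Unknown / unknown changes" entry documents nothing and is better left out than recorded as a guess.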
Only in UUID-0.04: License
diff '--unified=3' UUID-0.02/MANIFEST UUID-0.04/MANIFEST
--- UUID-0.02/MANIFEST  2001-02-08 09:07:59.000000000 -0500
+++ UUID-0.04/MANIFEST  2007-01-12 17:29:53.000000000 -0500
@@ -1,6 +1,8 @@
 Changes
+License
 MANIFEST
 Makefile.PL
 UUID.pm
 UUID.xs
 test.pl
+META.yml                                 Module meta-data (added by
MakeMaker)
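Review bot: the MANIFEST header is dated 2007-01-12 while Changes and UUID.pm carry 2009-07-22 timestamps, so the 0.04 tarball shipped the 0.03 file list unchanged; any file added or renamed for 0.04 would be silently absent from the distribution. Regenerate MANIFEST with `make manifest` as part of cutting each release so it always reflects the tree actually being uploaded.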
Only in UUID-0.04: META.yml
diff '--unified=3' UUID-0.02/UUID.pm UUID-0.04/UUID.pm
--- UUID-0.02/UUID.pm   2001-03-01 11:25:57.000000000 -0500
+++ UUID-0.04/UUID.pm   2009-07-22 23:16:39.000000000 -0400
@@ -18,7 +18,7 @@

 @EXPORT_OK = ( @{$EXPORT_TAGS{'all'}} );

-$VERSION = '0.02';
+$VERSION = '0.04';

 bootstrap UUID $VERSION;

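Review bot: the `$VERSION` string is the only code-level change to UUID.pm between 0.02 and 0.04, and it skips the 0.03 that Changes records as a release; nothing in the diff touches UUID.xs or the generate/parse/unparse interface, so the bump carries no fix that a user of 0.02 would gain by upgrading. If the release exists only to publish a licence, the Changes entry should say so rather than leave the reason implicit.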
@@ -46,8 +46,16 @@

 UUID::{generate, parse, unparse}

+=head1 LICENSE
+
+This library is licensed under the Perl Artistic License. Details of this
license can be found within the 'License' text file
+
 =head1 AUTHOR

+Joseph N. Hall <joseph.nathan.hall at gmail.com>
+
+Colin Faber <cfaber at clusterfs.com>
+
 Peter J. Braam <braam at mountainviewdata.com>

 =head1 SEE ALSO

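Review bot: the new LICENSE section grants the Artistic License, but the hunk adds two names to AUTHOR above Peter J. Braam without any COPYRIGHT statement saying who holds the copyright or that Braam agreed to the terms; only the copyright holder can license the code, so as written the section asserts a licence that the added names cannot grant on their own. Add a `=head1 COPYRIGHT` section naming the holder and the consent obtained, and end the LICENSE sentence with a full stop.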
On Fri, Jun 15, 2012 at 8:54 AM, Florian Schlichting <
fschlich at zedat.fu-berlin.de> wrote:

> Hi Jonathan,
>
> > What stops you from downloading directly instead of using uscan?
>
> the fact that it's a big red "** UNAUTHORIZED RELEASE **" warning, and I
> am in no position to judge whether that's a false alarm and it is in
> fact a perfectly authorized release or not (I note the two authors are
> not the same, so this may well be a hostile takeover that I wouldn't
> want to get involved in). I've been emailing cpan authors about this
> before, and they have been able to fix it within a day or so.
>
> This shouldn't stop you from taking the initiative and uploading a new
> version, if you happen to know more and/or feel comfortable making such
> a decision :-)
>
> Florian
>
>
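The PAUSE permission check from point 1 of Jonathan's message, as an added example that is not part of this thread or of the UUID distribution: it parses an excerpt in the layout of PAUSE's 06perms.txt (the real file lives at https://www.cpan.org/modules/06perms.txt; the excerpt below is constructed and carries the two UUID rows quoted in the message plus one filler row) and reports whether an upload of a package by a given PAUSE ID would be indexed or marked UNAUTHORIZED. The IDs exercised are the ones that appear on the page (BRAAM, LZAP, CFABER); the 0.04 uploader's ID is not given anywhere in the thread, so the negative case is shown for CFABER from the 0.03 changelog entry.

```python
"""Decide whether a CPAN upload of a package would be indexed by PAUSE or
flagged UNAUTHORIZED, from a 06perms.txt-style permission list."""
import csv
import io

# Constructed excerpt in the layout of PAUSE's 06perms.txt: a header block,
# a blank line, then "package,userid,permission" rows.  The two UUID rows
# match the permissions quoted in the message; Foo::Bar is filler.
SAMPLE_06PERMS = """\
File:        06perms.txt
Description: CSV file of upload permission to the CPAN per namespace
Columns:     package,userid,permission
Line-Count:  3

Foo::Bar,SOMEONE,f
UUID,BRAAM,f
UUID,LZAP,m
"""

# Permission codes used in 06perms.txt; holding any one of them lets the
# holder upload a new release of the package and have it indexed.
PERM_NAMES = {"m": "modulelist", "f": "first-come", "c": "co-maint"}


def parse_06perms(text):
    """Map each package to {PAUSEID: permission code}.  PAUSE IDs are
    case-insensitive, so they are normalised to upper case."""
    _header, _sep, body = text.partition("\n\n")
    perms = {}
    for row in csv.reader(io.StringIO(body)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        package, userid, code = (field.strip() for field in row)
        perms.setdefault(package, {})[userid.upper()] = code
    return perms


def upload_authorized(perms, package, uploader):
    """Return (authorized, reason).  A package nobody holds yet is handed to
    the uploader as first-come; otherwise the uploader needs m, f or c."""
    holders = perms.get(package)
    uploader = uploader.upper()
    if not holders:
        return True, "unclaimed namespace; %s would receive first-come" % uploader
    code = holders.get(uploader)
    if code in PERM_NAMES:
        return True, PERM_NAMES[code]
    return False, "no permission; holders are " + ", ".join(sorted(holders))


def unauthorized_packages(perms, packages, uploader):
    """Packages in a distribution that PAUSE would refuse to index for this
    uploader, i.e. the ones that earn the UNAUTHORIZED RELEASE marker."""
    return [pkg for pkg in packages
            if not upload_authorized(perms, pkg, uploader)[0]]


if __name__ == "__main__":
    perms = parse_06perms(SAMPLE_06PERMS)
    for who in ("BRAAM", "LZAP", "CFABER"):
        ok, why = upload_authorized(perms, "UUID", who)
        print("%-6s UUID: %s (%s)" % (who, "indexed" if ok else "UNAUTHORIZED", why))
```

To run this against the live index, replace `SAMPLE_06PERMS` with the downloaded 06perms.txt and pass the package names from the distribution's MANIFEST; for UUID-0.04 that is the single package `UUID`, so the whole release stands or falls on one row.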