in reply to Re: Re: Perl Monks += TMTOWTDI
in thread Perl Monks += TMTOWTDI

I don't see a relation between a centrally controlled CPAN site and a quality control mechanism. You can now start a quality control mechanism, and for that, you do not need to modify how CPAN works. OTOH, turning CPAN into an all-controlling site doesn't make quality control happen.

Well, I don't think it's odd for large businesses to do some testing on random pieces of code downloaded from the internet before using them in their programs. In fact, I would find it odd for a business *not* to do so. Regardless of whether that piece of code was written in Perl, C, Java or vi macros. Core modules are part of the main distribution, and those have been through the hands of p5p - who have a proven track record of producing good code. But Joe Random Hacker does not.

Abigail

Re: Re: Perl Monks += TMTOWTDI
by Anonymous Monk on Apr 16, 2003 at 10:46 UTC

    Thanks for the reply. With regards to being able to start a quality control mechanism now, are you just referring to signing the modules? If so, how would you deal with other CPAN mirrors not following the practice? Any other suggestions how to go about creating a quality-control mechanism?

      The idea of some kind of quality control of CPAN modules is actually quite old, but I've never done anything with it. Many people have had ideas, but it all turned out to be harder than you would think.

      But this has nothing to do with signing modules. Or CPAN mirrors following some practice. Quality control is saying "this module rocks" and "that module sucks", but then in a polite and useful way.

      Signing modules has everything to do with authentication. There's no real signing going on right now, but for all modules, an MD5 hash is stored in the CHECKSUMS file in the author's CPAN directory. You could always check the MD5 hash of a module you downloaded against the MD5 hash stored on a CPAN mirror you trust.

      And of course, module authors could always leave a PGP signature of the files containing code in their module distribution.

      Abigail

        But this has nothing to do with signing modules. Or CPAN mirrors following some practice. Quality control is saying "this module rocks" and "that module sucks", but then in a polite and useful way.

        That doesn't deal with the problem of authors uploading Foo::Bar version 1.0, getting great reviews, then creating many very subtle bugs in version 2.0. It also doesn't deal with mirrors that distribute sabotaged modules (matching the modules with a trusted site's MD5s does address it though).

        I'm probably overanalyzing this though. I think a large part of CPAN's success has been its simplicity and open structure. Thanks for the replies :).
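The check Abigail describes above (compare the MD5 of what you downloaded against the entry in a CHECKSUMS file taken from a mirror you trust), and the point in the last reply that this is what catches a sabotaged mirror, carried through as a short added script. This is my example, not code from the thread or from CPAN.pm. It assumes the CHECKSUMS layout (Perl source assigning a hashref, keyed by distribution filename, to $cksum, with 'md5' and 'size' fields); the distribution bytes and the CHECKSUMS text below are constructed stand-ins, not a real tarball or a real mirror's file.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: check a downloaded CPAN tarball
# against the 'md5' entry in a CHECKSUMS file taken from a mirror you trust.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Pull 'filename' => { ... 'md5' => '<hex>' ... } entries out of a CHECKSUMS
# file. The real file is Perl source assigning a hashref to $cksum; this
# parser reads only the fields it needs instead of eval'ing downloaded text.
sub parse_checksums {
    my ($text) = @_;
    my %by_file;
    while ($text =~ /'([^']+)'\s*=>\s*\{([^}]*)\}/g) {
        my ($file, $body) = ($1, $2);
        my ($md5)  = $body =~ /'md5'\s*=>\s*'([0-9a-f]{32})'/;
        my ($size) = $body =~ /'size'\s*=>\s*(\d+)/;
        $by_file{$file} = { md5 => $md5, size => $size } if defined $md5;
    }
    return \%by_file;
}

# Returns (1, 'ok') when the bytes match the trusted entry, (0, reason) otherwise.
sub verify_distribution {
    my ($file, $bytes, $trusted) = @_;
    my $entry = $trusted->{$file}
        or return (0, "no CHECKSUMS entry for $file");
    return (0, "size mismatch")
        if defined $entry->{size} && $entry->{size} != length $bytes;
    my $actual = md5_hex($bytes);
    return $actual eq $entry->{md5}
        ? (1, 'ok')
        : (0, "md5 mismatch: got $actual, expected $entry->{md5}");
}

# --- Constructed test data ---------------------------------------------------
# Stand-in for the bytes the author uploaded (not a real tarball).
my $file     = 'Foo-Bar-1.00.tar.gz';
my $original = "constructed stand-in for Foo-Bar-1.00.tar.gz\n";

# Stand-in for the CHECKSUMS file on the trusted mirror, built here from the
# author's bytes; in real use you would fetch it from that mirror, not from
# the mirror that served you the tarball.
my $checksums_text = sprintf <<'END', $file, md5_hex($original), length $original;
$cksum = {
  '%s' => {
    'md5'  => '%s',
    'size' => %d,
  },
};
END

my $trusted = parse_checksums($checksums_text);

# 1. What an honest mirror serves: identical bytes, the check passes.
my ($ok, $why) = verify_distribution($file, $original, $trusted);
print "untouched copy: ", ($ok ? "verified" : "REJECTED ($why)"), "\n";

# 2. What a sabotaged mirror might serve: same name and size, one byte changed.
(my $tampered = $original) =~ s/Foo/Fob/;
($ok, $why) = verify_distribution($file, $tampered, $trusted);
print "tampered copy:  ", ($ok ? "verified" : "REJECTED ($why)"), "\n";
```

The comparison only binds the file you have to what the trusted mirror says the author uploaded; as the thread notes, it says nothing about whether the author's own code is any good.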