stvn has asked for the wisdom of the Perl Monks concerning the following question:

After reading some recent stuff about CPANTS, I have decided to include a META.yml and a SIGNATURE file in my CPAN modules. I am looking for guidance from the monastery on the best way to go about this.

For SIGNATURE files, I found Module::Signature on CPAN, and it seems to be the easiest way to do SIGNATURE files. I am concerned though that in the recommended test, it seems to want to connect to an outside key-server. Not being very familiar with this, I am not sure how much of a standard practice this is. I know merlyn has been critical of modules that 'phone home', I am not sure this counts as the same thing.

As for META.yml files, I have found very little (I am sure I am looking in all the wrong places though). I have found the old META.yml spec and a newer META.yml spec on the Module::Build sourceforge page. But perl being perl, I would assume that someone has created some kind of automation tool for this and its location is just eluding me. Also, the new spec has a LOT of fields in it, most of which I am sure are not necessary in many cases. Does anyone have any opinion on what is the best compromise between not-enough-info and too-much-info in the META.yml file?

-stvn

Re: How to create/generate META.yml and SIGNATURE files for CPAN
by hardburn (Abbot) on Jul 26, 2004 at 16:05 UTC

    For the signature tests, I am not convinced that it is useful for anything more than an MD5 signature would be. By the time the test runs, you're already running code that could have been tampered with. It's really only useful for checking for accidental errors in the files (i.e., transmission problems). MD5 already does that just fine (even taking into account the general cryptographic issues with MD5).

    SIGNATURE itself is still useful since you could check the signature yourself without the use of a test. Better yet, it should be integrated into CPAN(PLUS).pm (I believe CPANPLUS.pm already does, or plans to, but I'll have to check).

    ----
    send money to your kernel via the boot loader.. This and more wisdom available from Markov Hardburn.

      Module::Signature includes a cpansign program which can be used to verify a signature prior to executing any code. I generally do (in CPANPLUS) a z Modulename before testing a module just so I can verify a signature if one exists.

      MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
      I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
      ** The third rule of perl club is a statement of fact: pod is sexy.

      It's really only useful for checking for accidental errors in the files

      It also acts as a sanity check for the developer doing a disttest - checking that you've generated an appropriate SIGNATURE.
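
The distinction hardburn draws above (digest lines catch accidental corruption; only the PGP signature over them proves who produced the distribution) can be seen in the layout of the SIGNATURE file itself. The following is an added example, not code from Module::Signature or from any poster: it parses the clearsigned digest block of a SIGNATURE file, recomputes each file's digest with Digest::SHA, and reports mismatches, entirely offline. The tiny distribution and its SIGNATURE text are constructed inside a temp directory; the PGP signature block is a placeholder, so this script deliberately checks integrity only and never touches a key-server (for authenticity you still run cpansign -v or Module::Signature::verify). The "ALGORITHM hexdigest filename" line format and the SHA1 digest are taken from the SIGNATURE files Module::Signature wrote at the time of this thread; newer releases default to a stronger SHA variant, which the parser also accepts.

```perl
#!/usr/bin/perl
# Offline check of the digest lines in a SIGNATURE file against the files on
# disk. Added example, not Module::Signature's code; the SIGNATURE text below
# is constructed here so the script runs without gpg or network access.
use strict;
use warnings;
use Digest::SHA;
use File::Spec;
use File::Temp qw(tempdir);

# Parse the clearsigned body of a SIGNATURE file. Each body line looks like
# "SHA1 <hexdigest> <filename>"; everything outside the body is ignored.
sub parse_signature {
    my ($text) = @_;
    my ( %digest_for, $in_body );
    for my $line ( split /\n/, $text ) {
        if ( $line =~ /^-----BEGIN PGP SIGNED MESSAGE-----/ ) { $in_body = 1; next }
        last if $line =~ /^-----BEGIN PGP SIGNATURE-----/;
        next unless $in_body;
        next if $line =~ /^Hash:/ || $line !~ /\S/;
        my ( $alg, $hex, $file ) = split ' ', $line, 3;
        $digest_for{$file} = [ $alg, $hex ];
    }
    return \%digest_for;
}

# Digest one file with the algorithm named in SIGNATURE (SHA1, SHA256, ...).
sub file_digest {
    my ( $alg, $path ) = @_;
    ( my $bits = $alg ) =~ s/^SHA-?//i or die "unsupported digest algorithm $alg\n";
    my $sha = Digest::SHA->new($bits);
    $sha->addfile( $path, 'b' );    # 'b' = binary mode, so CRLF is not rewritten
    return $sha->hexdigest;
}

# Compare every listed file; returns a list of problems (empty when all match).
sub verify_digests {
    my ( $dir, $digest_for ) = @_;
    my @problems;
    for my $file ( sort keys %$digest_for ) {
        my ( $alg, $expected ) = @{ $digest_for->{$file} };
        my $path = File::Spec->catfile( $dir, $file );
        if ( !-f $path ) { push @problems, "$file: missing"; next }
        my $actual = file_digest( $alg, $path );
        push @problems, "$file: $alg mismatch" if lc $actual ne lc $expected;
    }
    return @problems;
}

# --- constructed demonstration (not a real distribution) -------------------
my $dir   = tempdir( CLEANUP => 1 );
my %files = (
    'MANIFEST' => "Foo.pm\nMANIFEST\nREADME\nSIGNATURE\n",
    'Foo.pm'   => "package Foo;\nsub new { bless {}, shift }\n1;\n",
    'README'   => "Foo - constructed example module\n",
);
for my $name ( keys %files ) {
    open my $fh, '>', File::Spec->catfile( $dir, $name ) or die "$name: $!";
    binmode $fh;
    print {$fh} $files{$name};
    close $fh;
}

# Build a SIGNATURE file in the same shape Module::Signature writes, with a
# placeholder where the detached PGP signature would go.
my $signature = join "\n",
    '-----BEGIN PGP SIGNED MESSAGE-----', 'Hash: SHA1', '',
    ( map { "SHA1 " . file_digest( 'SHA1', File::Spec->catfile( $dir, $_ ) ) . " $_" }
          sort keys %files ),
    '-----BEGIN PGP SIGNATURE-----',
    '(placeholder: a real SIGNATURE carries the signature over the lines above here)',
    '-----END PGP SIGNATURE-----', '';

my $digests  = parse_signature($signature);
my @problems = verify_digests( $dir, $digests );
print @problems
    ? "digest check FAILED: @problems\n"
    : "digest check passed for " . scalar( keys %$digests ) . " files\n";

# Tamper with one file after SIGNATURE was written: the digest check catches it.
open my $fh, '>>', File::Spec->catfile( $dir, 'Foo.pm' ) or die $!;
print {$fh} "# appended after signing\n";
close $fh;
@problems = verify_digests( $dir, $digests );
print "after tampering: @problems\n";
```

The point of the tamper step is the limit of this check, not its strength: whoever can rewrite Foo.pm can rewrite its SHA1 line in SIGNATURE just as easily, and the digest comparison would pass again. What they cannot redo without the author's private key is the PGP signature over the digest block, and that is the part cpansign -v (or Module::Signature::verify) checks, which is also why it needs the author's public key, typically fetched from a key-server.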

Re: How to create/generate META.yml and SIGNATURE files for CPAN
by valdez (Monsignor) on Jul 27, 2004 at 07:19 UTC
      It's important to note that you need a new enough MakeMaker to have it generate a META.yml file and that this generally happens upon make dist


Re: How to create/generate META.yml and SIGNATURE files for CPAN
by PodMaster (Abbot) on Jul 27, 2004 at 08:24 UTC
    The signature test isn't exactly phoning home, but it isn't letting the user choose whether to allow the test to connect to some website. This is always bad. The Module::Build signature test contains
        skip_test("Skipping unless \$ENV{TEST_SIGNATURE} is true") unless $ENV{TEST_SIGNATURE};
    which is the way it should be done. libwww-perl's Makefile.PL opens a socket to google.com (as a way of detecting a live connection), and if successful, prompts the user to run some tests that try to access some sites, which while not ideal, is better than blindly connecting to whatever server to do anything without letting the user choose.

    The user should always be prompted, and the default should always be to not connect, even if the entire purpose of a distribution is to interface to a specific remote server (like WWW-Yahoo-Groups ...).

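
The opt-in gating PodMaster describes above, written out as a complete test script a distribution can ship as t/0-signature.t. This is an added example, not a poster's code nor the test Module::Build or Module::Signature generates: it does nothing unless the user sets TEST_SIGNATURE, skips cleanly when Module::Signature is absent or cannot verify, and only then calls Module::Signature::verify, which is the step that may consult a key-server. The constant names (SIGNATURE_OK, CANNOT_VERIFY) are Module::Signature's own.

```perl
#!/usr/bin/perl
# t/0-signature.t: verify the SIGNATURE file only when the user opts in.
# Added example; not code generated by Module::Build or Module::Signature.
use strict;
use warnings;
use Test::More;

# Default is to do nothing. No network access, no key-server lookup, unless the
# person running the tests asked for it explicitly.
if ( !$ENV{TEST_SIGNATURE} ) {
    plan skip_all => 'Set the environment variable TEST_SIGNATURE to enable this test';
}
elsif ( !eval { require Module::Signature; 1 } ) {
    plan skip_all => 'Module::Signature is not installed';
}
elsif ( !-e 'SIGNATURE' ) {
    plan skip_all => 'This distribution has no SIGNATURE file';
}
else {
    plan tests => 1;
}

# verify() checks both the digest lines and the PGP signature over them.
# It returns CANNOT_VERIFY ('0E0') when no gpg or Crypt::OpenPGP backend is
# usable, so that case is a skip rather than a failure.
my $ret = Module::Signature::verify();
SKIP: {
    skip 'Module::Signature cannot verify (no gpg or Crypt::OpenPGP available)', 1
        if $ret eq Module::Signature::CANNOT_VERIFY();
    cmp_ok $ret, '==', Module::Signature::SIGNATURE_OK(), 'SIGNATURE is valid';
}
```

Run as `TEST_SIGNATURE=1 make test` (or `./Build test`) to exercise it; a plain `make test` reports the file as skipped. Keeping the default off also keeps automated CPAN testers and sandboxed builds from failing, or reaching out to the network, on machines that have no key-server access.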

Re: How to create/generate META.yml and SIGNATURE files for CPAN
by adrianh (Chancellor) on Jul 27, 2004 at 22:58 UTC
    After reading some recent stuff about CPANTS, I have decided to include a META.yml and a SIGNATURE file in my CPAN modules. I am looking for guidance from the monastery on the best way to go about this.

    The current versions of Module::Build and ExtUtils::MakeMaker will generate a META.yml file for you automatically when you create a distribution. Personally I wouldn't yet worry about any of the features in the META spec that aren't automatically generated.

    For SIGNATURE files use Module::Signature as you've already discovered. If you're using Module::Build you can automate the signature generation with the sign argument.