This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id:
69694
Status:
resolved
Priority:
Low/Low
Queue:

People
Owner:
Nobody in particular
Requestors:
SREZIC [...] cpan.org
Cc:
AdminCc:

BugTracker
Severity:
Critical
Broken in:
1.9600
Fixed in:
2.27



Subject: "upgrade" is dangerous
The "upgrade" command may install outdated distributions. This usually can happen if modules vanish from distributions (which happens quite often nowadays). A user who runs "upgrade" could see output like this: ... CHI 0.47 0.49 JSWARTZ/CHI-0.49.tar.gz CHI::Serializer::JSON undef 0.43 JSWARTZ/CHI-0.43.tar.gz CHI::Test::Class undef 0.39 JSWARTZ/CHI-0.39.tar.gz ... I assume that CPAN.pm would install the distributions in order, so it would install the newest 0.49, than the older 0.43, and then the even older 0.39. So a user would get a quite old CHI distribution, and it could happen that distributions depending on a newer version are broken now. The "autobundle" command has a similar problem --- such a bundle must not be reinstalled without removing the "dangerous" old distributions. I have a script which uses some heuristics to find such dangerous distributions: https://github.com/eserte/cpan-testers-parallelsmoker/blob/master/utils/find_dangerous_cpan_distributions.pl But I don't know what's the right approach to fix this. A possibility would be that CPAN.pm includes similar code like in find_dangerous_cpan_distributions. Or "dangerous" distributions could be removed from the PAUSE index. Regards, Slaven
Subject: Re: [rt.cpan.org #69694] "upgrade" is dangerous
Date: Fri, 22 Jul 2011 17:29:23 +0200
To: bug-CPAN@rt.cpan.org
From: Florian Ragwitz <rafl@debian.org>
"Slaven_Rezic via RT" <bug-CPAN@rt.cpan.org> writes:
Show quoted text
> The "upgrade" command may install outdated distributions. This usually > can happen if modules vanish from distributions (which happens quite > often nowadays).
FWIW, cpan-outdated, from the App::cpanoutdated distribution, which was initially extracted from CPAN.pm's "r" command, doesn't have this problem. Porting changes back from there to CPAN might just solve this issue.

Message body not shown because it is not plain text.

This will be fixed in 2.27 (currently available as ANDK/CPAN-2.27-TRIAL2.tar.gz) by offering the option allow_installing_outdated_dists=... Thanks a lot for writing this issue. Setting status to 'patched' until 2.27 is released as stable version.
Fixed in 2.27. Thanks again,


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.