"unauthorised releases" aren't flagged by MetaCPAN

[neilb]

If you upload a dist which contains a module for which you don't have permissions (i.e. the module is listed in $CPAN/modules/06perms.txt with someone else having permissions, but not you), then the upload will succeed, but the indexing will not.

search.cpan.org flags such releases. For example, see http://search.cpan.org/~neilb/Acme-Experiment-NEILB-0.01/ which contains two modules:

• Acme::Experiment::NEILB, for which I have permissions
• Acme::Experiment::OALDERS, for which OALDERS had permission, but I didn't.

If you look at the equivalent dist page on MetaCPAN (https://metacpan.org/release/Acme-Experiment-NEILB), there is no indication that anything is wrong. Note as well that on that on this page, it lists Acme::Experiment::OALDERS, but the link is going to Olaf's version, not mine. I understand why that is happening, but it still feels wrong.

I've raised the underlying issue (that such a "bad" dist gets indexed at all) to ANDK, with a proposal for change in behaviour. He's said this will need discussing amongst the PAUSE admins, so even if it does change, it won't be in the near future.

[ranguard]

Moving to wishlist: https://github.com/CPAN-API/cpan-api/wiki/Wishlist