|Keep It Simple, Stupid|
Yes, you read that right. I'm violating my own advice here.
S'funny how things are okay for 'special cases', when those special cases are close to our own hearts.
The people who have set up CPAN mirrors are donating their bandwidth and storage.
Some interesting numbers. Template::Toolkitv2.15.zip PPM is 494 Kb.
Template::Toolkitv2.15 .tar.gz is 761 Kb.
There are currently no less than 15 versions of the latter being mirrored. Loosing two of those old versions (to say backpan) would allow 3 versions of the PPM to be held without creating any extra demand on the mirrors.
the distribution of binaries from untrusted sources is a major security issue.
Do you inspect every line of every source file in each package you install? What about all the .t files? Does anyone?
Why would you view the authors of source distributions as trustworthy, and those same people packaging those same modules in binary form as untrustworthy? If you have the processes and procedures in place to verify the integrity of your systems when you build a module from CPAN via a source distribution, those same processes and procedures should also be used to detect miscreant binary installations.
There is a pervasive logical disconnect here that says source is safe and binary not. But pervasive does not mean correct. Any and all software sourced from outside your organisation is potentially dangerous. And the idea that all the risks are negated by the potential for visual inspection, even if anyone actually did that--which they don't--is so profoundly wrong, that the idea itself, and those that expound it, should be actively and vigorously countered at every opportunity.
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.