[oak perl] A good read when loading tricky CPAN modules

Joe Brenner doom at kzsu.stanford.edu
Fri Jan 25 09:21:22 PST 2008


David Fetter <david at fetter.org> wrote:
> Joe Brenner wrote:

> > That's certainly a point, but the reason I'm inclined to use
> > CPANPLUS.pm (now a core module with perl 5.10) has more to do with
> > preferring the latest versions that exist out on CPAN, rather than
> > the versions that were fixed in place with my distro's release.
>
> You seem to be assuming a fixedness to these versions that is counter
> to my experience.  When you issue a "yum update" or equivalent in
> other packaging systems--a very good idea to do regularly, given that
> many upgrades fix known remote vulnerabilities--you get the latest.
>
> And again, if it isn't the latest, tools like cpanspec can get you a
> long way in the right direction to making the latest available to
> everybody :)

The package maintainers had better not just drop the latest version of
the code on you the moment it hits the streets, or else there isn't any
point in "playing it safe" and sticking with apt-get over CPAN.pm or
CPANPLUS.pm.

Admittedly, though, it's an exaggeration to say you're necessarily going
to be stuck with the version the distro was released with.

At random, I picked a perl/xml package to see how bad the version lag
is with ubuntu: libxml-sax-perl.  The version in the apt repositories
is 0.12, and the version on CPAN at the moment is 0.16.  This is true
for the dapper, edgy and feisty releases of ubuntu... version 0.16 was
added to the Debian unstable branch in 2007 (with urgency "low").

So, this is the Debian/Ubuntu lash-up performing as it's supposed to,
putting the code through a check-out period before unleashing it on the
world -- but if I were going to start playing with XML::SAX tomorrow,
I would definitely want to start with 0.16 rather than step back in
time a few versions, and if I were running XML::SAX in production, I
might be worried about bug fixes in 0.16 that I'm missing
(presumably there are no known *security* bug fixes in there, though,
else the urgency wouldn't be marked "low").

Myself, I would argue that the risk of breakage from upgrading a perl
module is rather low: backward-incompatibilities in interface changes
are rare (though unfortunately not unheard of) and the perl culture
places a lot of emphasis on automated testing (unlike, say, the linux
kernel) to rein in stupid mistakes.

But, ironically enough, I happened to turn up this comment from someone
complaining about Ubuntu breaking his system by upgrading his XML::SAX
to 0.12 when he didn't want it to:

  http://ubuntuforums.org/showthread.php?t=205236

(My take: this fellow is a whiner who needs to understand the way his
system works better... you can't expect apt and CPAN to work on top of
each other terribly well, the best you can do is to get them to work in
parallel, as two independent worlds.)
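The "two independent worlds" point above is easier to reason about once you can see which world a given module actually came from. The script below is an added example and is not code from the original post or thread: for each module named in a hard-coded list it loads the module, prints the version perl picked up, classifies the directory it was loaded from (apt packages under /usr/share/perl5 or /usr/lib/.../perl5, CPAN.pm and CPANPLUS under /usr/local by Debian/Ubuntu convention) and says whether that version lags a target version. The module list, the target versions and the prefix classification are assumptions made for illustration; XML::SAX 0.16 is the CPAN version the post mentions.

```perl
#!/usr/bin/perl
# Added example, not code from the original post.  For each module listed,
# report the version perl actually loads, which directory in @INC it came
# from, and whether that lags a target version.  The module list, the target
# versions and the directory-prefix classification are assumptions made for
# illustration; the prefixes follow Debian/Ubuntu conventions.
use strict;
use warnings;
use version 0.77;

# Constructed input: module => version we want to be at (for XML::SAX the
# CPAN version mentioned in the post; for Test::More a deliberately low bar,
# so a core module shows what "up to date" looks like).
my %want = (
    'XML::SAX'   => '0.16',
    'Test::More' => '0.01',
);

# Guess which "world" installed a file from its location.  On Debian-derived
# systems apt's perl packages live under /usr/share/perl5 and
# /usr/lib/.../perl5, while CPAN.pm / CPANPLUS install under /usr/local by
# default.  Anything else (local::lib, PERL5LIB) is reported as "other".
sub origin_of {
    my ($path) = @_;
    return 'not installed'     unless defined $path;
    return 'cpan (/usr/local)' if $path =~ m{^/usr/local/};
    return 'distro (apt)'      if $path =~ m{^/usr/(?:share|lib)/};
    return 'other';
}

# Load a module without dying if it is missing; return its version and the
# file it was loaded from.  %INC is keyed by the relative file name.  The
# string eval is acceptable only because the names come from the fixed
# %want hash above, never from user input.
sub inspect_module {
    my ($mod) = @_;
    (my $file = "$mod.pm") =~ s{::}{/}g;
    my $ok = eval "require $mod; 1";
    return (undef, undef) unless $ok;
    return (scalar $mod->VERSION, $INC{$file});
}

# Compare with version.pm rather than as strings or floats: as strings
# "2.0" gt "10.0", and the dotted-decimal "v1.10" is newer than "v1.9"
# even though 1.10 < 1.9 as a float.  Returns 1 when $have is older than
# $want, or when the module is missing or declares no $VERSION.
sub lags {
    my ($have, $want) = @_;
    return 1 unless defined $have;
    return version->parse($have) < version->parse($want) ? 1 : 0;
}

for my $mod (sort keys %want) {
    my ($have, $path) = inspect_module($mod);
    printf "%-12s have %-8s want %-8s from %-18s %s\n",
        $mod,
        defined $have ? $have : '-',
        $want{$mod},
        origin_of($path),
        lags($have, $want{$mod}) ? 'LAGS' : 'ok';
}
```

Run it with plain `perl` after editing the `%want` hash to the modules you care about. Which world wins when both have installed the same module is decided by @INC order; on Debian the site directories under /usr/local are searched before the vendor directories, so a CPAN install shadows the apt one (check with `perl -V`, which prints @INC in search order).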
