Revise the "Your duties, the basics, traps" section of 04pause.html

[robrwo]

The current page reads from a different time when we believed there were less malign or careless people on the internet.

From conversations with various people in CPANSec, we think may be time to revise this document with more modern rules, explicitly covering security and ownership, roughly:

• The source code should be visible, not be encrypted or obfuscated.
• No compiled binaries
• No malware
• No blatant copying of copyright-restricted software or text
• No spam modules (fake modules or copies of other modules with embedded adverts)
• No communication with other servers except as documented. And no communication during build, testing, or installation unless enabled.
• No typo squatting or mixed unicode that attempts to impersonate another module
• No empty or non-functional modules used for the sole purpose of reserving namespaces
• AI-generated code should document that it was generated, and how
• Nothing (software name or content) intended to offend people based on their gender, sexuality, race, religion, disability etc.
• Nothing that doxxes or threatens safety of others etc

(Yes, these all largely fall under the the "respect for others" banner.)

Likewise, a list of rules for when moderators will delete modules or disable users.

I'm not a fan of creating a formal "Terms of Service" or adding legalese.

So before we write up something and create a pull request, what rules do we agree need to be spelled out?

[Grinnz]

No communication with other servers except as documented. And no communication during build, testing, or installation unless enabled.

I don't think this is practical; many modules depend on downloading things from the internet during build, in particular Aliens. Things like Net::FullAuto are a whole other matter but I don't know how to target that type of abuse specifically, or if we should.

No empty or non-functional modules used for the sole purpose of reserving namespaces

I think there are reasonable use cases for doing this. First come first serve does not require having functionality built.

AI-generated code should document that it was generated, and how

While I agree with this in principle, I am not sure it's the job of this document/mandate.

Along with the last couple I'm not sure how much this document needs to be a "code of conduct". But these are obviously good principles.

[robrwo]

No communication with other servers except as documented. And no communication during build, testing, or installation unless enabled.

I don't think this is practical; many modules depend on downloading things from the internet during build, in particular Aliens. Things like Net::FullAuto are a whole other matter but I don't know how to target that type of abuse specifically, or if we should.

Note that I said "except as documented".

No empty or non-functional modules used for the sole purpose of reserving namespaces

I think there are reasonable use cases for doing this. First come first serve does not require having functionality built.

When looking at repositories for other languages, e.g. npmjs they forbid squatting. "Package names are considered squatted if the package has no genuine function."

I agree with this policy. Perhaps as part of a distribution with a TODO feature, or as a deprecated module, a stub is reasonable. And obviously POD, Task and Bundle modules with have a function even if they have no code.

But how long can a stub module that does nothing but declare a namespace sit on CPAN?

...

Along with the last couple I'm not sure how much this document needs to be a "code of conduct". But these are obviously good principles.

I want to start the conversation. Do we need to spell out things?

[robrwo]

Any other feedback? @andk ?