Dependency cooldowns turn you into a free-rider

A critical analysis is challenging the rapid adoption of 'dependency cooldowns' as a response to software supply chain attacks. This practice involves configuring projects to wait a set number of days (N) before adopting newly published package versions, hoping that any malicious code inserted by attackers will be discovered and the release 'yanked' by other, less cautious users first. While most attacks are detected within days, making the approach superficially effective, the author argues it fundamentally relies on free-riding. It shifts the risk and cost of being an 'unpaid, inadvertent beta tester' onto those who update immediately, creating an unsustainable and arguably immoral system where safety for some depends on the exploitation of others.

Furthermore, dependency cooldowns are technically fragile and inefficient. They require every package manager (Python alone has multiple) and every project to implement and correctly configure the delay, a process prone to human error and accidental circumvention. The article contends that any sufficiently widespread cooldown becomes a 'slow implementation of an upload queue.' Instead, it advocates for a centralized 'upload queue' model, where new packages are published to a repository but face a mandatory waiting period before being distributed to the public. This decouples publication from distribution, allowing for security scanning and voluntary beta testing during the queue period, a model with precedent in systems like the Debian project's 2-10 day wait for packages entering its 'testing' distribution.