[riknos314]

Sure, but the alternative the author proposes not only allows for time for those scanners to run but explicitly models that time as a formal part of the release process.

Status quo (at least in most language's package managers) + cooldowns basically means that running those checks happens in parallel with the new version becoming the implicit default version shipped to the public. Isn't it better to run the safety and security checks before making it the default?

[Ozzie_osman]

Agreed that the upload queue solves this problem, but, one thing about the current system is it lets people choose where on the continuum they want to be depending on their risk/reward profile.

[crabmusket]

FTA, "even make the queued releases available for intentional, explicitly volunteering beta testers to try out." Under the proposed system, you have to opt in to the insecure early releases. Rather than opting out of them. Which seems like a more secure default!

[kibwen]

> insecure early releases

This is the wrong framing.

There's no free lunch here. Delays in publishing not only slow down attacks, they also slow down critical security patches. There's no one-size-fits-all policy here, you're at risk either way.

[aragilar]

I would suggest the current system fails to efficiently choose (as you have to align multiple pathways, like updates, "manual" installs, adding new packages), and so effectively there's only the illusion of choice. Switching instead to a queue not only means that there's time for QA/security scans, but it's much easier to make the choice to speed up than slow down.

[Zababa]

>Sure, but the alternative the author proposes not only allows for time for those scanners to run but explicitly models that time as a formal part of the release process.

This is true but that doesn't make "Dependency cooldowns turn you into a free-rider", the title of the article and the subject of the first part, true.

[kstenerud]

Or: make the client side automatically pick the previous version if the latest is too new.

That's a lot less work than putting an extra validation step into the publishing pipeline. And with sane defaults it lets the user make an informed decision when special circumstances arise.

[amake]

That's exactly the "dependency cooldowns" we have right now that the author argues against.

[ghighi7878]

Linux distributions have done this in the past. It can work and can provide a good revenue source.