[ihumanable]

Yea, all the new advice around using dependency cooldowns only works if _someone_ is installing these things before you and finding the vulnerabilities.

It seems like the advice right now is to become a freerider while there are still people installing closer to release that will do free work for you finding out there's something nasty in the release.

Once everyone is waiting 2 weeks to install an update, then the value of everyone waiting goes down dramatically.

[postalcoder]

Using dependency cooldowns is not a free-rider problem. There's a real tradeoff here – ppl are trading their time preference for security.

Just as users are incentivized to avoid malware, researchers and attackers are equally motivated to be the first to discover it.

The concern trolling around widespread dependency cooldowns doesn't make sense. Most people shouldn't be eager to download a release that hasn't made its way through at least some scans.

[kbenson]

This is how a chunk of people function anyway. There are plenty of people that choose to not install "point zero" release for software of a certain importance, assuming with any major changes there are often bugs that come along with it.

In this case, since the number of cool down days is configurable, even if everyone was using it we would still likely see a somewhat smooth curve for adoption, since not everyone will choose the same delay and the delay time will likely map closely to how people want to habdke risk.

It's all a trade off, just like it's always been. This just makes it simpler to act on what you want your risk/comfort level to be.