jcalvinowens 9 hours ago
> A “cooldown” is exactly what it sounds like: a window of time between when a dependency is published and when it’s considered suitable for use.

^ This is what you wrote. I don't understand how that could possibly be interpreted any other way than I wrote above: an enforced delay on deploying the new code after upstream releases it.

> The post definitely does not say "thou shall not update before the cooldown," the argument was that cooldowns are a great default

Sorry, that is such a cop out. "I didn't actually mean you should do this, I mean you should consider if you should maybe do this and you are free to decide not to and don't argue with me if you disagree every case is different". Either take a stand or don't.
woodruffw 8 hours ago | parent
I think this is an overly tendentious reading. Nobody else seems to have gotten hung up on this, because they understand that it's a policy, not an immutable law of nature. The argument advanced in the post is IMO clear: cooldowns are a sensible default to have, and empirically seem to be effective at mitigating the risk of compromised dependencies. I thought I took sufficient pains to be clear that they're not a panacea.
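To make concrete what the two commenters are arguing about, here is a cooldown check of the kind the quoted definition describes: a resolver that refuses a freshly published version until it has been public for a configured number of days, with an explicit per-version allowlist as the "policy, not law" escape hatch. This is an added example written for this thread, not code from either commenter or from the post under discussion; the package name, release dates and registry format are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample registry metadata for a hypothetical package.
# Each entry is (version, UTC publish time); none of this is real registry data.
SAMPLE_RELEASES = {
    "examplepkg": [
        ("1.4.0", "2024-05-01T10:00:00Z"),
        ("1.4.1", "2024-05-20T09:30:00Z"),
        ("1.5.0", "2024-05-28T16:45:00Z"),
    ]
}


def parse_ts(stamp):
    """Parse the (assumed) ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def version_key(version):
    """Order dotted numeric versions numerically, so 1.10.0 sorts above 1.9.0."""
    return tuple(int(part) for part in version.split("."))


def classify(releases, now_iso, cooldown_days, allowlist=()):
    """Split releases into those past the cooldown window and those still held back.

    A version named in `allowlist` bypasses the window: that is the deliberate,
    per-case exception a cooldown *policy* (as opposed to a hard rule) leaves room
    for, e.g. a security fix you have reviewed and want immediately.
    """
    cutoff = parse_ts(now_iso) - timedelta(days=cooldown_days)
    eligible, held = [], []
    for version, stamp in releases:
        if version in allowlist or parse_ts(stamp) <= cutoff:
            eligible.append(version)
        else:
            held.append(version)
    return eligible, held


def resolve(pkg, now_iso, cooldown_days, allowlist=(), registry=SAMPLE_RELEASES):
    """Newest version of `pkg` a resolver honouring the cooldown may install,
    or None when every published version is still inside the window."""
    eligible, _ = classify(registry[pkg], now_iso, cooldown_days, allowlist)
    return max(eligible, key=version_key) if eligible else None


def held_back(pkg, now_iso, cooldown_days, registry=SAMPLE_RELEASES):
    """Versions that exist upstream but are not yet considered suitable for use;
    useful for a report so a team can see what the policy is currently delaying."""
    _, held = classify(registry[pkg], now_iso, cooldown_days)
    return sorted(held, key=version_key)


if __name__ == "__main__":
    # With a 7-day window on 2024-05-30, 1.5.0 (published 05-28) is still held back.
    print(resolve("examplepkg", "2024-05-30T00:00:00Z", 7))    # 1.4.1
    print(held_back("examplepkg", "2024-05-30T00:00:00Z", 7))  # ['1.5.0']
```

The point the example makes is that the delay and the exception are both part of the same policy: `resolve` enforces the window by default, while `allowlist` records the cases where someone has decided to take a version early, so the decision is explicit and reviewable rather than an ad hoc override.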