xg15 (6 hours ago)
It's a good idea, but not without weak points, I think. One of the classic scammer techniques is to introduce artificial urgency to prevent the victim from thinking clearly about a proposal. I think this would be a weakness here as well: if enough projects adopt a "cooldown" policy, the focus of attackers would shift to manipulating projects into making an exception for "their" dependency and installing it before the regular cooldown period elapsed. How to do that? By playing the security angle once again: an attacker could make a lot of noise about how a new critical vulnerability was discovered in their project and every dependant should upgrade to the emergency release as quickly as possible, or else - with the "emergency release" then being the actually compromised version. I think a lot of projects would come under pressure to upgrade if the perceived vulnerability seems imminent and the only reason for not upgrading is some generic cooldown policy.
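One way to make the exception path the comment worries about harder to abuse, as an added example (not the commenter's code or any real tool): cooldown is enforced per locked version, and the only way past it is an explicit, reviewed, expiring exception record, so an "emergency" bump still leaves a trace rather than being a blanket bypass. Package names, timestamps and the exception format are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=7)  # policy: a release must be this old before use

# Constructed stand-in for registry metadata: publish time per (package, version).
RELEASE_TIMES = {
    ("libfoo", "1.3.0"): datetime(2024, 1, 1, tzinfo=timezone.utc),
    ("libfoo", "1.3.1"): datetime(2024, 1, 20, tzinfo=timezone.utc),
    ("libbar", "2.0.0"): datetime(2024, 1, 19, tzinfo=timezone.utc),
}

# Constructed exception list. Every exception is tied to one exact version,
# names the reviewer who approved it, and expires; there is no global switch.
EXCEPTIONS = {
    ("libbar", "2.0.0"): {
        "reviewer": "alice",
        "reason": "upstream advisory reviewed; diff inspected",
        "expires": datetime(2024, 1, 25, tzinfo=timezone.utc),
    },
}


def check_lockfile(lockfile, now, release_times=RELEASE_TIMES,
                   exceptions=EXCEPTIONS, cooldown=COOLDOWN):
    """Classify each (package, version) in the lockfile.

    Status is one of: "ok" (old enough), "excepted" (inside the cooldown but
    covered by a valid, reviewed exception), "cooldown" (too new, no valid
    exception) or "unknown" (no publish time available, so age cannot be
    judged; treated as a failure rather than silently allowed).
    """
    results = []
    for pkg, ver in lockfile:
        published = release_times.get((pkg, ver))
        if published is None:
            results.append((pkg, ver, "unknown"))
            continue
        if now - published >= cooldown:
            results.append((pkg, ver, "ok"))
            continue
        exc = exceptions.get((pkg, ver))
        if exc and exc.get("reviewer") and exc["expires"] > now:
            results.append((pkg, ver, "excepted"))
        else:
            results.append((pkg, ver, "cooldown"))
    return results


def violations(results):
    """Entries that should block the install or fail the CI check."""
    return [r for r in results if r[2] in ("cooldown", "unknown")]
```

Running the check with a fixed `now` in CI makes exceptions reviewable in the same pull request that adds them, which is where the pressure to "just upgrade" can be questioned.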
__MatrixMan__ (6 hours ago)
Along those lines: if you're packaging an exploit, it's probably best to fix a bug while you're at it. That way people who want to remove their ugly workarounds will be motivated to violate the dependency cooldown.
mewpmewp2 (5 hours ago)
How would they create that noise?