moebrowne 5 hours ago

The point of the cooldown is to allow time for vendor scans to complete and for compromised packages to be pulled. It's not about waiting for an end user to notice they've been compromised.

> Meanwhile, the aforementioned vendors are scanning public indices as well as customer repositories for signs of compromise, and provide alerts upstream (e.g. to PyPI).

https://blog.yossarian.net/2025/11/21/We-should-all-be-using...
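
The cooldown described above is easy to express as a resolver rule: ignore any release younger than N days, and skip yanked releases outright so that a package pulled after a compromise is never selected. The following is an added example, not code from the linked post or from any real package manager. It models the `releases` field of the PyPI JSON API (version to a list of file dicts carrying `upload_time_iso_8601` and `yanked`) with constructed data, so it runs offline; the seven-day policy and the fixed "now" are assumptions for the demonstration.

```python
# Added example: a minimal "dependency cooldown" resolver. Not taken from the
# linked post or any package manager. The SAMPLE_RELEASES data below is
# constructed, shaped like the PyPI JSON API "releases" field.
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7  # assumed policy: ignore releases published less than a week ago


def _version_key(version):
    """Crude numeric ordering for dotted versions such as '2.10.1'.
    A real resolver should use packaging.version; this stays stdlib-only."""
    return tuple(int(part) for part in version.split("."))


def release_time(files):
    """Earliest upload time among a release's files, i.e. when it first became
    installable. Returns None for a release with no files."""
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    ]
    return min(times) if times else None


def is_eligible(files, now, cooldown_days):
    """A release passes the cooldown if it has files, none of which are yanked,
    and it has been public for at least cooldown_days."""
    if not files or all(f.get("yanked", False) for f in files):
        return False  # pulled (yanked) or empty: never install
    return now - release_time(files) >= timedelta(days=cooldown_days)


def select_version(releases, now, cooldown_days=COOLDOWN_DAYS):
    """Newest version that satisfies the cooldown, or None if nothing does."""
    candidates = [
        version for version, files in releases.items()
        if is_eligible(files, now, cooldown_days)
    ]
    return max(candidates, key=_version_key) if candidates else None


# Constructed sample data: a fixed clock and four releases of one package.
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)
SAMPLE_RELEASES = {
    # published under two days ago: still inside a 7-day cooldown
    "2.3.0": [{"upload_time_iso_8601": "2025-11-29T08:00:00.000000Z", "yanked": False}],
    # yanked (e.g. pulled after a compromise report): never eligible
    "2.2.1": [{"upload_time_iso_8601": "2025-11-20T08:00:00.000000Z", "yanked": True}],
    # about three weeks old: eligible under a 7-day cooldown
    "2.2.0": [{"upload_time_iso_8601": "2025-11-10T08:00:00.000000Z", "yanked": False}],
    # two months old: the only choice under a 30-day cooldown
    "2.1.0": [{"upload_time_iso_8601": "2025-10-01T08:00:00.000000Z", "yanked": False}],
}

if __name__ == "__main__":
    for days in (0, 7, 30, 90):
        print(f"cooldown={days:>2}d -> {select_version(SAMPLE_RELEASES, NOW, days)}")
```

With a cooldown of 0 the resolver behaves like a plain "latest" install and picks 2.3.0; at 7 days it picks 2.2.0, at 30 days 2.1.0, and at 90 days nothing qualifies. The yanked 2.2.1 is skipped at every setting, which is the case the cooldown is meant to buy time for. Release age is taken from the earliest file upload, since that is when the version became installable; using the newest file would let a late wheel upload make an old release look young.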

loloquwowndueo 4 hours ago | parent [-]

Depending on “security vendors” to do scans of every single update seems naive and over-optimistic to me, but hey - everyone’s jumping on the bandwagon regardless of what I think so I guess we’ll see soon.

limaho 3 hours ago | parent | next [-]

Don't "security vendors" detect and report most of these types of attacks already today?

loloquwowndueo 3 hours ago | parent [-]

Do they? :)

moebrowne an hour ago | parent | prev [-]

What's the alternative?