KolmogorovComp 4 hours ago

I don't think it'd necessarily be a good decision, sometimes CVE are actively exploited and need quick patching.

A better safety net would be to require active 2FA proof for every package update.

therealmarv 2 hours ago | parent | next

As if supply chain attacks could have been prevented by 2FA or passkeys always.

You want delays by x days because supply chain attacks get caught very often within 1-2 days. And if you really really want to make an exception for a zero day then that's no problem and you can still quick patch by exclusion of that rule. They don't contradict in an unsolvable problem. You want both, you get both.

doctorpangloss 2 hours ago | parent

How do you know what's a zero day fix?

(You write something)

So then you have to check every package's updates and decide if you update, yes?

jnwatson 4 hours ago | parent | prev

If you need a quick patch, you pass another parameter to turn off the 1 day. 1 day delay will prevent more problems than it makes.

alexdns 3 hours ago | parent

so this parameter can be passed by the attackers also thus making your point pointless

gbear605 3 hours ago | parent | next

The idea of the parameter is stopping the attackers from getting on your system in the first place

therealmarv 2 hours ago | parent | prev

that parameter cannot be set by a package, you only can set it
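The mechanism the thread is arguing about (a minimum release age before a new version is eligible for install, plus a consumer-side exception list for urgent patches) is small enough to show in code. The following is an added example written for this page, not code from any commenter or from any package manager. It uses a constructed version-to-publish-time map shaped like a registry's per-version timestamps, a constructed policy dict (the key names `min_age_days` and `allow` are hypothetical, not a real tool's config), and plain dotted numeric versions only. The point from the last two comments is visible in the structure: the exception list is read from the consumer's own policy, so nothing inside the package's metadata can turn the delay off.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: version -> publish timestamp (ISO 8601, UTC).
# Modelled on a registry's per-version time map; these are not real releases.
SAMPLE_RELEASE_TIMES = {
    "1.4.0": "2024-05-01T10:00:00Z",
    "1.4.1": "2024-05-20T09:30:00Z",
    "1.5.0": "2024-06-09T22:15:00Z",  # published under 10 hours before NOW
}

# Frozen "current time" so the example is deterministic offline.
NOW = datetime(2024, 6, 10, 8, 0, tzinfo=timezone.utc)

# Constructed consumer-side policy. Hypothetical key names: this is the
# consumer's own configuration, never something a package can ship.
DEFAULT_POLICY = {
    "min_age_days": 1,          # the "delay by x days" from the thread
    "allow": {},                # package name -> set of versions exempted
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def version_key(version: str) -> tuple:
    """Sort key for plain dotted numeric versions (no prerelease tags handled)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(release_times: dict, now: datetime,
                      min_age: timedelta, allowlist=frozenset()) -> list:
    """Versions old enough under min_age, or explicitly allowed by the consumer."""
    out = []
    for version, published in release_times.items():
        age = now - parse_ts(published)
        if age >= min_age or version in allowlist:
            out.append(version)
    return sorted(out, key=version_key)


def select_version(release_times: dict, now: datetime,
                   min_age: timedelta, allowlist=frozenset()):
    """Newest eligible version, or None if every version is too fresh."""
    candidates = eligible_versions(release_times, now, min_age, allowlist)
    return candidates[-1] if candidates else None


def resolve(package: str, release_times: dict, now: datetime, policy: dict):
    """Apply the consumer's policy to one package's release list.

    The exception list comes from `policy`, which the consumer controls;
    `release_times` (what the registry serves) cannot widen it.
    """
    min_age = timedelta(days=policy["min_age_days"])
    allowlist = frozenset(policy.get("allow", {}).get(package, ()))
    return select_version(release_times, now, min_age, allowlist)


if __name__ == "__main__":
    # With the 1-day delay, the hours-old 1.5.0 is held back.
    print(resolve("example-pkg", SAMPLE_RELEASE_TIMES, NOW, DEFAULT_POLICY))
    # The consumer exempts 1.5.0 for an urgent fix; only the consumer can do this.
    urgent = {"min_age_days": 1, "allow": {"example-pkg": {"1.5.0"}}}
    print(resolve("example-pkg", SAMPLE_RELEASE_TIMES, NOW, urgent))
```

Running it prints `1.4.1` and then `1.5.0`. The first call is the default behaviour from the thread (a just-published version is skipped until it has aged); the second is the "quick patch by exclusion" path, where the exemption is scoped to one package and one version so the delay stays in force for everything else.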