Does the timer start at upload, or does the timer start at mass exploitation?
Not a bad idea, but we'd need to have evidence of the former case to make it mandatory and widespread.
IIRC, many times it's compromised credentials of maintainers, which are caught very quickly, so that's evidence of the former case.
I think the premise is that modern scanners are really good at finding malicious code (and are run by dozens of companies in the industry), but when it gets pushed and installed inside of that 7 day window, the spread is uncontrolled. This basically gives you opportunity to let the machinery in the package ecosystem do its job.
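The "7 day window" idea above can be enforced on the consumer side without waiting for registries to make it mandatory: refuse to resolve any version published more recently than a minimum age, so that newly pushed code sits in quarantine long enough for the ecosystem's scanners to run. The following is an added example, not code from any participant in this thread or from any package manager; it works over a constructed metadata map shaped like the npm registry's per-version `time` field (version string to ISO 8601 publish timestamp), and the 7-day threshold, the sample package and its dates are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: version -> publish time, in the shape of an npm
# packument's "time" map. The "created"/"modified" keys are metadata,
# not versions, and are skipped below. All values are made up.
SAMPLE_TIMES = {
    "created": "2023-01-01T00:00:00.000Z",
    "modified": "2024-06-10T12:00:00.000Z",
    "1.0.0": "2023-01-01T00:00:00.000Z",
    "1.1.0": "2024-05-20T09:30:00.000Z",
    "1.2.0": "2024-06-10T12:00:00.000Z",  # pushed two days before "now" in the test below
}

NON_VERSION_KEYS = {"created", "modified"}


def parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def split_by_age(times: dict, now: datetime, min_age_days: int = 7):
    """Partition versions into (eligible, quarantined) by publish age.

    A version is eligible only if it was published at or before
    now - min_age_days; anything newer is quarantined. Each list holds
    (version, publish_time) tuples so callers can log why a version was held.
    """
    cutoff = now - timedelta(days=min_age_days)
    eligible, quarantined = [], []
    for version, ts in times.items():
        if version in NON_VERSION_KEYS:
            continue
        published = parse_ts(ts)
        (eligible if published <= cutoff else quarantined).append((version, published))
    return eligible, quarantined


def newest_eligible(times: dict, now: datetime, min_age_days: int = 7):
    """Return the most recently published version that has cleared the waiting period.

    Ordering is by publish time rather than semver, so no version parser is
    needed; returns None when every version is still inside the window.
    """
    eligible, _ = split_by_age(times, now, min_age_days)
    if not eligible:
        return None
    return max(eligible, key=lambda item: item[1])[0]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    ok, held = split_by_age(SAMPLE_TIMES, now)
    for version, published in held:
        print(f"quarantined {version}: published {published.isoformat()}, younger than 7 days")
    print("would install:", newest_eligible(SAMPLE_TIMES, now))
```

The useful property is that the gate is purely a function of registry-published timestamps, so it can run in CI before a lockfile update is accepted; a version that is later yanked or flagged inside the window never reached a build in the first place.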