Hacker News

Dependency cooldowns turn you into a free-rider

149 points, by pabs3, today at 2:03 AM, 104 comments

Comments

vasco, today at 6:36 AM

If lawmakers understood even an iota of technology they'd be trying to legislate using your ID card to upload npm dependencies with more than 10k downloads instead of for watching porn.

But alas.

BrenBarn, today at 6:01 AM

Or you could just, like, not update things immediately just because you can. It's wild that we now refer to it as a "cooldown" to not immediately update something. The sane way would be each user upgrades when they feel they need to, and then updates would naturally be staggered. The security risks of vulnerabilities are magnified by everyone rushing to upgrade constantly.

renewiltord, today at 5:38 AM

Sure, in the way that people who only use Debian stable are free-riding, or people using Rust are free-riding on nightly users.

charcircuit, today at 5:22 AM

One thing not addressed is the incentive for large software packages to make their own repositories that bypass this queue in order to have instant updates.

moron4hire, today at 6:03 AM

Frankly, this reads as someone going way too far to be contrary. Yeah, sure, Act Utilitarianism is different than Rule Utilitarianism. News at 11. But most developers don't get the luxury of fighting for the greater good. Most are fighting to keep their paycheck flowing so they can eat. What I'm saying is, insecure software comes from organizational dysfunction, not "bad developers adopting software too quickly." It's a corporate political problem that you're attempting to solve with technical management.

Dedime, today at 6:58 AM

The brilliance of the implementation of cooldowns: For someone to go download and run it, automated or otherwise, they simply follow the standard installation process.

Users who want to take the extra precaution of waiting an additional period of time must decide to manually configure this with their tooling.

This practice has been a thing in the sysadmin community for years and years - most sysadmins know that you never install Windows updates on the day they release.

Having a step before publication means that it's essentially opt-in pre-release software, and that comes with baggage - I have zero doubts that many entities who download packages to scan for malware explicitly exclude pre-release software, or don't discover it at all until it's released through normal channels.