Sure, but the alternative the author proposes not only allows for time for those scanners to run but explicitly models that time as a formal part of the release process.
Status quo (at least in most languages' package managers) + cooldowns basically means that running those checks happens in parallel with the new version becoming the implicit default version shipped to the public. Isn't it better to run the safety and security checks before making it the default?
Or: make the client side automatically pick the previous version if the latest is too new.
That's a lot less work than putting an extra validation step into the publishing pipeline. And with sane defaults it lets the user make an informed decision when special circumstances arise.
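To make the client-side approach concrete, here is an added example (not code from any commenter or from a real package manager) of a resolver that skips versions younger than a configured cooldown and reports what it skipped, so the user can override knowingly. The release history and the `RELEASES`, `select_with_cooldown` and `allow_fresh` names are constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed release history for a hypothetical package: version -> publish time (UTC).
RELEASES = {
    "1.4.0": datetime(2024, 5, 1, tzinfo=timezone.utc),
    "1.4.1": datetime(2024, 5, 20, tzinfo=timezone.utc),
    "1.5.0": datetime(2024, 6, 3, tzinfo=timezone.utc),
    "1.5.1": datetime(2024, 6, 4, 12, tzinfo=timezone.utc),
}


def parse_version(version):
    """Turn '1.4.1' into (1, 4, 1) so versions sort numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def select_with_cooldown(releases, now, cooldown, allow_fresh=False):
    """Pick the newest version that has been public for at least `cooldown`.

    Returns (chosen_version, skipped_versions). `chosen_version` is None when
    every release is still inside the cooldown window and `allow_fresh` is
    False; with `allow_fresh=True` the caller has explicitly opted in to the
    newest release regardless of age (the "informed decision" path).
    """
    eligible, skipped = [], []
    for version, published in releases.items():
        if now - published >= cooldown:
            eligible.append(version)
        else:
            skipped.append(version)

    # Newest first, using numeric version ordering.
    eligible.sort(key=parse_version, reverse=True)
    skipped.sort(key=parse_version, reverse=True)

    if eligible:
        return eligible[0], skipped
    if allow_fresh and skipped:
        return skipped[0], skipped
    return None, skipped


def explain(releases, now, cooldown):
    """Build the message a client would show when it held back a newer release."""
    chosen, skipped = select_with_cooldown(releases, now, cooldown)
    if not skipped:
        return f"selected {chosen}; no releases inside the {cooldown.days}-day cooldown"
    held = ", ".join(skipped)
    if chosen is None:
        return (f"no release older than {cooldown.days} days; held back {held}. "
                "Re-run with allow_fresh=True to accept a newer release.")
    return f"selected {chosen}; held back {held} (younger than {cooldown.days} days)"


if __name__ == "__main__":
    now = datetime(2024, 6, 5, tzinfo=timezone.utc)
    print(explain(RELEASES, now, timedelta(days=7)))
    print(explain(RELEASES, now, timedelta(days=1)))
    print(explain(RELEASES, now, timedelta(days=60)))
```

The two-tuple return keeps the policy decision separate from the user-facing explanation: the resolver never silently downgrades, it always tells the caller which newer releases exist and why they were not chosen, which is what lets a user deliberately shorten the window or opt in for one install when a fix they need is only in a fresh release.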
>Sure, but the alternative the author proposes not only allows for time for those scanners to run but explicitly models that time as a formal part of the release process.
This is true but that doesn't make "Dependency cooldowns turn you into a free-rider", the title of the article and the subject of the first part, true.
Agreed that the upload queue solves this problem, but one thing about the current system is it lets people choose where on the continuum they want to be depending on their risk/reward profile.