Look, the question is not “will forcing this on everyone make everything perfect”, it’s “does a reasonable default improve safety on average for most people most of the time”. If you’re going to reply to this with “this won’t work because of this unquantifiable edge case I just imagined”, take that amateur hour shit to hackernews where it belongs.
@mhoye dependency cooldown in this case would be “don’t install the latest version for 7 days”?
@nitinkhanna “do not install packages or their updates if they’ve been available less than 7 days”, yeah.
@mhoye the problem with that being if someone is trying to ship an important feature or bug fix or even vuln fix. Each scenario would need special consideration from the package registry.
@nitinkhanna we can imagine a world where there are out of band patch cycles in urgent cases, because we live in that world today.

@mhoye but that's not the standard - it's the exception. In the sense that, if there's a big enough urgent case, people reach out to people on the registry side and get priority. You're asking that to be the case for everyone who wants priority. Once you open that can of worms, everyone wants priority. Who wouldn't?

It's not ideal, but putting the impetus of not downloading the latest version on the users makes sense when the standard is and should be version pinning.

@mhoye here's the thing - I used to work at JFrog. One of their core security offerings for customers is "don't run anything less than 7/24/60 days old". I get that that makes sense. But to make that the default for everyone everywhere does not make sense to me.
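The cooldown rule discussed above ("do not install packages or their updates if they've been available less than N days") with an explicit allow-list for the out-of-band urgent-fix case, as an added example that is not code from any poster, from uv, pip or JFrog. The release metadata is constructed, the package name is made up, and the only real setting it produces a value for is uv's `exclude-newer`, named in the linked issue; the function names are the example's own.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample registry metadata (not taken from any real index):
# package name -> list of (version, upload timestamp in UTC), oldest first.
SAMPLE_RELEASES = {
    "examplepkg": [
        ("1.4.0", datetime(2025, 1, 1, tzinfo=UTC)),
        ("1.4.1", datetime(2025, 1, 20, tzinfo=UTC)),
        ("1.5.0", datetime(2025, 1, 28, tzinfo=UTC)),
    ],
}


def _version_key(version):
    """Order dotted numeric versions like 1.10.0 > 1.9.3 (sample data only)."""
    return tuple(int(part) for part in version.split("."))


def cooldown_cutoff(now, cooldown_days):
    """Releases uploaded after this instant are still inside the cooldown window."""
    return now - timedelta(days=cooldown_days)


def eligible_versions(releases, now, cooldown_days=7, allow=frozenset()):
    """Versions public for at least cooldown_days, plus any explicitly allowed.

    `allow` is the out-of-band path: a version a human has decided to take
    early (for example an urgent vulnerability fix), so it bypasses the window.
    """
    limit = cooldown_cutoff(now, cooldown_days)
    return [v for v, uploaded in releases if uploaded <= limit or v in allow]


def pick_version(releases, now, cooldown_days=7, allow=frozenset()):
    """Newest eligible version, or None when every release is still too new.

    Returning None rather than silently falling back to the newest upload is
    the point: a resolver should fail loudly instead of defeating the cooldown.
    """
    candidates = eligible_versions(releases, now, cooldown_days, allow)
    if not candidates:
        return None
    return max(candidates, key=_version_key)


def exclude_newer_value(now, cooldown_days=7):
    """RFC 3339 timestamp suitable for uv's `exclude-newer` setting.

    uv takes the cutoff as a timestamp, so a cooldown of N days is simply
    "now minus N days" written in that form (for example in `[tool.uv]`).
    """
    return cooldown_cutoff(now, cooldown_days).isoformat()


if __name__ == "__main__":
    now = datetime(2025, 1, 30, tzinfo=UTC)
    releases = SAMPLE_RELEASES["examplepkg"]
    print("7-day cooldown picks:", pick_version(releases, now))
    print("with 1.5.0 allowed early:", pick_version(releases, now, allow={"1.5.0"}))
    print("exclude-newer =", exclude_newer_value(now))
```

The allow-list is the policy knob the thread argues about: with it empty, nobody gets priority and the newest release is simply not chosen until the window passes; with a version in it, a person has made the out-of-band call explicitly and that decision is visible in config rather than implied by whoever asked the registry first.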
@mhoye wasn't `uv` just bought by one of the slop machine vendors?
@hub yeah, I filed them weeks ago though

@mhoye
Of course they declined.

Developers overwhelmingly hate security. And the ones who don't, overwhelmingly don't know how to secure things.

The remaining few are continuously employed.

@mhoye Do you have links to these issues? I have been thinking along similar lines, so would like to hear arguments against.
@mhoye I've found the issues for uv and pip, I'll be reading through these. Thanks for starting these discussions a few weeks ago.
Proposal: set exclude-newer default to seven days. · Issue #18326 · astral-sh/uv

Summary In light of the recent cline2.3 injection attack I would like to propose that a default value of "exclude-newer", if left unspecified, be set to seven days. (see here and here. Per this art...