Hasty Briefs (beta)

Dependency cooldowns turn you into a free-rider

8 hours ago
  • #package-management
  • #supply-chain-security
  • #open-source
  • Dependency cooldowns delay adoption of new package versions and rely on others to detect supply-chain attacks during the waiting period, which makes the users who apply them free-riders.
  • Cooldowns impose costs on others, must be implemented separately in each package manager, and are easily circumvented, so they offer only incomplete safety.
  • Upload queues centralize waiting periods at the dependency server, separating publication and distribution, eliminating free-rider issues and simplifying security.
  • Upload queues reduce surprise, provide advance notice of releases, allow time for security scans and maintainer notifications, and can deter unauthorized releases.
  • For AI systems such as LLMs that consume markdown files, upload queues with moderation and owner reviews are crucial to prevent supply-chain attacks and data leaks.
  • Funding for upload queues can come from existing resources, corporate sponsors, or paid expedited review services, cross-funding ecosystem security.