Dependency cooldowns turn you into a free-rider

Dependency cooldowns are increasingly treated as a standard security practice, but the author argues that centralized upload queues offer a more effective and more equitable form of supply-chain protection.

Key Points

  • Dependency cooldowns rely on "free-riding": users delay adopting a new version and count on someone else being hit by a malicious release first, so that it is detected and pulled before they upgrade.
  • Implementing cooldowns across various package managers is complex, prone to configuration errors, and difficult to maintain consistently.
  • Upload queues separate package publication from distribution, allowing time for automated security scanning and manual review before public release.
  • The Debian project serves as a successful model for using upload queues to ensure software stability and security.
  • Centralized queues eliminate the need for individual developers to manage complex security configurations on their own machines.
  • Funding for these systems could be supported by corporate sponsors or by charging commercial entities for expedited security reviews.

Why it Matters

Dependency cooldowns create a fragmented security landscape that relies on the misfortune of others to identify malicious code. Moving to centralized upload queues would standardize security protocols, reduce the risk of supply-chain attacks, and provide a more robust defense for the entire software ecosystem.
Source: Calpaterson.com, published by Cal Paterson