A growing trend of implementing dependency cooldowns to prevent supply chain attacks is fundamentally flawed because it relies on the 'pain and suffering' of other developers, according to calpaterson.com.
As package managers increasingly add delays before picking up new software versions, critics argue the practice creates a 'free-rider' problem. The strategy relies on the hope that malicious updates will be caught by users who do not use cooldowns before the bad release is yanked.
'Dependency cooldowns work by free-riding on the pain and suffering of others,' the outlet reported. 'Fundamental in the dependency cooldown plan is the hope that other people—those who weren't smart enough to configure a cooldown—serve as unpaid, inadvertent beta testers for newly released packages.'
Beyond the ethical concerns, the practice is difficult to implement across the fragmented Python ecosystem, which currently utilizes at least eight different package managers. Each manager and project requires individual, manual configuration to be effective.
Even properly configured projects remain vulnerable. A single command run outside of a specific project configuration, such as a manual 'pip install', can bypass established protections and expose developers to attacks.
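To make the mechanism concrete, here is an added example (not code from calpaterson.com or from any package manager) that applies a cooldown to release metadata shaped like PyPI's JSON API, where each version maps to a list of files carrying `upload_time_iso_8601` and `yanked`. The release data, timestamps and the simple X.Y.Z version scheme are constructed assumptions; the two snapshots show why a no-cooldown user, not the cooldown user, ends up installing the bad release before it is yanked.

```python
"""Dependency cooldown over PyPI-style release metadata (added example)."""
from copy import deepcopy
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of PyPI's JSON API `releases` field.
# 1.4.1 stands in for a compromised release that was later yanked.
RELEASES_AFTER_YANK = {
    "1.4.0": [{"upload_time_iso_8601": "2024-01-01T10:00:00.000000Z", "yanked": False}],
    "1.4.1": [{"upload_time_iso_8601": "2024-01-20T10:00:00.000000Z", "yanked": True}],
    "1.5.0": [{"upload_time_iso_8601": "2024-01-26T10:00:00.000000Z", "yanked": False}],
}
# The same index as it looked before anyone noticed and yanked 1.4.1.
RELEASES_BEFORE_YANK = deepcopy(RELEASES_AFTER_YANK)
RELEASES_BEFORE_YANK["1.4.1"][0]["yanked"] = False

DAY_OF_YANK = datetime(2024, 1, 28, tzinfo=timezone.utc)
DAY_AFTER_UPLOAD = datetime(2024, 1, 21, tzinfo=timezone.utc)


def _version_key(version):
    # Assumption: plain X.Y.Z versions; real resolvers use PEP 440 ordering.
    return tuple(int(part) for part in version.split("."))


def _release_time(files):
    # A release is as old as its earliest uploaded file.
    stamps = (f["upload_time_iso_8601"].replace("Z", "+00:00") for f in files)
    return min(datetime.fromisoformat(s) for s in stamps)


def eligible_versions(releases, cooldown_days, now):
    """Versions that are not yanked and have been public for >= cooldown_days."""
    cutoff = now - timedelta(days=cooldown_days)
    keep = []
    for version, files in releases.items():
        if not files or any(f["yanked"] for f in files):
            continue  # yanked or empty releases are never candidates
        if _release_time(files) <= cutoff:
            keep.append(version)
    return sorted(keep, key=_version_key)


def pick_version(releases, cooldown_days, now):
    """Newest eligible version, or None if the cooldown leaves nothing."""
    candidates = eligible_versions(releases, cooldown_days, now)
    return candidates[-1] if candidates else None
```

With a 7-day cooldown the resolver skips 1.5.0 until it has aged, and on the day after the bad upload it picks 1.4.0 while a no-cooldown resolver picks 1.4.1.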
The case for central upload queues
Rather than relying on decentralized cooldowns, experts suggest moving the delay to the central dependency server through an 'upload queue.' This would separate the publication of a package from its distribution.
An upload queue would allow central indexes like npm or PyPI to run automated security scanners, display public diffs of changes, and host intentional beta testing periods before any code reaches the public.
This model, already used by the Debian project, removes the burden from individual developers and package managers. It also reduces the power of stolen release credentials by ensuring that unauthorized changes sit in a queue where they can be inspected before widespread distribution.