Efforts to introduce malicious code into the open-source supply
chain have been on the rise in recent years, and there is no indication that they
will abate anytime soon. These attacks are often found quickly, but not quickly enough to prevent the compromised code from being automatically injected into other
projects or code deployed by users where it can wreak havoc. One method of avoiding
supply-chain attacks is to add a delay of a few days before pulling updates in what
is known as a "dependency cooldown". That tactic is starting to find favor with users and some language ecosystem package managers. While this practice is considered a reasonable response by many, others are complaining that those employing dependency cooldowns are free-riding on the larger community by letting
others take the risk.
https://lwn.net/Articles/1068692/
--- SBBSecho 3.37-Linux
* Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (86:200/23)
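The cooldown idea above, as an added example that is not from the LWN article or from any package manager's own code: given a package's release metadata, choose the newest non-yanked version that was published at least N days ago, and report which versions the window excluded. The release table is constructed inline in the shape of PyPI's `/pypi/<name>/json` "releases" field (per-file `upload_time_iso_8601` and `yanked`); the simple dotted-integer version parser is an assumption, not PEP 440.

```python
"""Dependency-cooldown resolver (added example, not project code).

Assumes release metadata shaped like PyPI's JSON API:
  releases -> version string -> list of files, each with
  "upload_time_iso_8601" and "yanked".  Real use would fetch
  https://pypi.org/pypi/<name>/json; here the data is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample.  1.5.0 plays the role of a freshly published release
# that a cooldown should skip; 1.4.2 was yanked by the maintainer.
SAMPLE_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2025-01-02T10:00:00.000000Z", "yanked": False}],
    "1.4.1": [{"upload_time_iso_8601": "2025-01-20T09:30:00.000000Z", "yanked": False}],
    "1.4.2": [{"upload_time_iso_8601": "2025-02-01T12:00:00.000000Z", "yanked": True}],
    "1.5.0": [{"upload_time_iso_8601": "2025-02-10T08:15:00.000000Z", "yanked": False}],
}


def parse_version(version):
    """Dotted integers only (assumption; real resolvers use PEP 440)."""
    return tuple(int(part) for part in version.split("."))


def release_time(files):
    """Publication time of a release = earliest upload among its files."""
    return min(
        datetime.strptime(f["upload_time_iso_8601"], "%Y-%m-%dT%H:%M:%S.%fZ")
        .replace(tzinfo=timezone.utc)
        for f in files
    )


def select_with_cooldown(releases, now, cooldown_days=7):
    """Pick the newest release published at least `cooldown_days` before `now`.

    Returns a dict with the chosen version (or None) plus the versions the
    window excluded, so a CI log can show *why* the latest was not taken.
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible, too_new, yanked = [], [], []
    for version, files in releases.items():
        if not files:
            continue
        if any(f.get("yanked") for f in files):
            yanked.append(version)
            continue
        if release_time(files) <= cutoff:
            eligible.append(version)
        else:
            too_new.append(version)
    chosen = max(eligible, key=parse_version) if eligible else None
    return {
        "selected": chosen,
        "too_new": sorted(too_new, key=parse_version),
        "yanked": sorted(yanked, key=parse_version),
        "cutoff": cutoff.isoformat(),
    }


if __name__ == "__main__":
    # Constructed "now": two days after 1.5.0 shipped.
    now = datetime(2025, 2, 12, tzinfo=timezone.utc)
    print(select_with_cooldown(SAMPLE_RELEASES, now, cooldown_days=7))
```

A cooldown only buys time for the community to notice a bad release, so the skipped-version list is worth surfacing in CI output; a version that is still excluded after the window has passed, or that disappears as yanked, is exactly the signal the delay was meant to give you.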