Rethinking Dependency Cooldowns: Advocating for Centralized Upload Queues
By Cal Paterson

AI Summary
Dependency cooldowns have gained popularity as a way to mitigate supply chain attacks by delaying the adoption of new software versions. The idea is to wait a few days before using a new release, hoping that any malicious code it carries will be discovered by others in the meantime. The approach works for the individual who waits, but only because other users unknowingly act as beta testers and absorb the attack first; as a practice for the whole ecosystem it is neither sustainable nor ethical.
Implementing cooldowns consistently across package managers is also complex and error-prone. Each tool has its own configuration, and a developer who has configured a cooldown can still bypass it without noticing, for example by installing with a plain pip install that does not honour it. The result is a fragmented, inefficient system: effectively an ad-hoc upload queue, reimplemented separately by every consumer.
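To make concrete what a cooldown actually has to compute, and where a home-grown one goes wrong, here is an added example (not code from the article or from any package manager) that resolves the newest version of a package that has been public for at least N days, using constructed metadata in the shape of the PyPI JSON API (`releases`, `upload_time_iso_8601`). The package name, timestamps and the frozen clock `NOW` are assumptions for illustration; the version parser assumes plain dotted numeric versions. The edge case it handles is the one a naive "release date" check misses: an old release that gains a new file, which must reset the clock for that release.

```python
"""Client-side dependency cooldown over PyPI-style release metadata.

Added example, not code from the original article. METADATA and NOW are
constructed so the example runs offline and reproducibly.
"""
from datetime import datetime, timedelta, timezone

# Constructed metadata for a hypothetical package "examplepkg".
# 1.2.0 is months old, but a new wheel was added to it two days before NOW:
# a cooldown that only looks at the first upload would happily install it.
METADATA = {
    "releases": {
        "1.1.0": [{"filename": "examplepkg-1.1.0.tar.gz",
                   "upload_time_iso_8601": "2025-03-01T10:00:00.000000Z"}],
        "1.2.0": [{"filename": "examplepkg-1.2.0.tar.gz",
                   "upload_time_iso_8601": "2025-06-01T10:00:00.000000Z"},
                  {"filename": "examplepkg-1.2.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2025-11-18T09:00:00.000000Z"}],
        "1.3.0": [{"filename": "examplepkg-1.3.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2025-11-19T12:00:00.000000Z"}],
        "1.4.0": [],  # no installable files (e.g. all removed): skip it
    }
}

# Frozen clock so the results below are deterministic (assumption).
NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; real tools need PEP 440 ordering."""
    return tuple(int(part) for part in v.split("."))


def parse_upload_time(s: str) -> datetime:
    # PyPI timestamps end in 'Z'; spell out the offset for older interpreters.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def select_version(metadata: dict, cooldown_days: int, now: datetime):
    """Newest version whose *every* file is at least cooldown_days old.

    Returns None when nothing satisfies the cooldown.
    """
    cutoff = now - timedelta(days=cooldown_days)
    candidates = []
    for version, files in metadata["releases"].items():
        if not files:
            continue
        # Use the newest file, not the oldest: a file added to an old
        # release yesterday is as untested as a brand-new release.
        newest_file = max(parse_upload_time(f["upload_time_iso_8601"])
                          for f in files)
        if newest_file <= cutoff:
            candidates.append(version)
    if not candidates:
        return None
    return max(candidates, key=parse_version)


def naive_latest(metadata: dict):
    """What a tool that does not honour the cooldown resolves to."""
    return max((v for v, files in metadata["releases"].items() if files),
               key=parse_version)


if __name__ == "__main__":
    print("cooldown 7d :", select_version(METADATA, 7, NOW))   # 1.1.0
    print("cooldown 1d :", select_version(METADATA, 1, NOW))   # 1.2.0
    print("no cooldown :", naive_latest(METADATA))             # 1.3.0
```

The gap between `select_version` and `naive_latest` is exactly the accidental bypass the article warns about: any install path that resolves like `naive_latest` (a second tool, a CI image, a colleague's laptop) silently discards the protection, which is why the policy is better enforced once, at the index.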
A more effective solution is the use of centralized upload queues, where new packages are held for a period before distribution. This allows for thorough security checks and testing without burdening individual developers. Debian's model, which separates package publication from distribution, serves as a successful precedent.
Because the hold is applied once at the index rather than separately by every consumer, upload queues remove the free-rider problem. They also provide advance notice of new releases, which benefits users and maintainers alike: in particular, a maintainer can notice a release they did not make before it ever reaches anyone, reducing the risk of unauthorized releases shipping. This matters even more for AI agent tooling, where a dependency's markdown files are read and acted on by the model, so a malicious release can introduce a vulnerability without containing any code at all.
Funding upload queues is feasible: many package indexes are not financially constrained, and where they are, options include corporate sponsorship or charging for expedited security review, which would pay for the necessary review infrastructure.
Ultimately, while dependency cooldowns may offer some individual benefits, they are not a viable community-wide practice. Centralized upload queues provide a more robust and equitable solution to enhance supply chain security.
Key Concepts
Dependency cooldown: a strategy where developers delay adopting new software versions for a set period, hoping that any malicious code will be detected by others during that time.
Upload queue: a centralized system where new software packages are held for a period before being distributed, allowing for security checks and testing.
Category: Security
Original source: https://calpaterson.com/deps.html
Summarized by Mente