Comment by moebrowne

4 days ago

The point of the cooldown is to allow time for vendor scans to complete and for compromised packages to be pulled. It's not about waiting for an end user to notice they've been compromised.

> Meanwhile, the aforementioned vendors are scanning public indices as well as customer repositories for signs of compromise, and provide alerts upstream (e.g. to PyPI).

https://blog.yossarian.net/2025/11/21/We-should-all-be-using...

4 comments

moebrowne

loloquwowndueo 4 days ago

Depending on “security vendors” to do scans of every single update seems naive and over optimistic to me, but hey - everyone’s jumping on the bandwagon regardless of what I think so I guess we’ll see soon.

limaho 4 days ago
Don't "security venders" detect and report most of these types of attacks already today?
- loloquwowndueo 4 days ago
  
  Do they? :)
moebrowne 4 days ago

What's the alternative?