Comment by anematode
3 hours ago
This is really terrible advice.
> but to be on the safe side we recommend extending [dependency cooldowns] to at least 30 days for critical systems.
I'd say at least a year, no? The xz backdoor took a couple months to find, and that was only because we got lucky -- had it never been found, Jia Tan and his buddies probably would have gotten enough useful data after a year, so it'd be irrelevant at that point anyway.
> Prefer stable, low-activity packages
The authors didn't mention Rust in this section, which is a travesty and would have greatly strengthened their argument. Sooo many "abandoned" projects in cargo are just finished and need no maintenance.
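The "dependency cooldown" the comment argues over is easy to make concrete. The following is an added example, not code from the commenter or from the article being discussed: a small Python check that takes each pinned dependency's registry publish date and flags any version that has been public for less than a chosen number of days. The `PinnedDep` type, the `cooldown_violations` function and every package name, version and timestamp are constructed for illustration; a real run would pull the publish dates from the registry's metadata for each pinned version.

```python
"""Added example (not from the Hacker News comment above): a minimal
dependency-cooldown check. Given each pinned dependency's publish time,
it flags any version younger than a chosen cooldown. Package names,
versions and timestamps below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PinnedDep:
    name: str
    version: str
    published: datetime  # when this exact version was published to the registry


def cooldown_violations(deps, cooldown_days, now=None):
    """Return (name, version, age_days) for every dep younger than cooldown_days.

    A release must have been public for at least `cooldown_days` before it is
    accepted. `now` is injectable so the check is deterministic in tests.
    """
    now = now or datetime.now(timezone.utc)
    threshold = now - timedelta(days=cooldown_days)
    violations = []
    for dep in deps:
        if dep.published > threshold:
            age_days = (now - dep.published).days
            violations.append((dep.name, dep.version, age_days))
    return violations


# Constructed sample lockfile: one old stable pin and two recent releases.
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)
SAMPLE_DEPS = [
    PinnedDep("oldlib", "1.4.2", datetime(2023, 1, 10, tzinfo=timezone.utc)),
    PinnedDep("compress-util", "5.6.1", datetime(2025, 6, 20, tzinfo=timezone.utc)),
    PinnedDep("parser-kit", "0.9.0", datetime(2025, 5, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    # Show how the two thresholds from the thread (30 days vs. a year) differ.
    for days in (30, 365):
        print(f"cooldown={days}d:", cooldown_violations(SAMPLE_DEPS, days, NOW))
```

With the sample data, a 30-day cooldown flags only the 10-day-old `compress-util` release, while a 365-day cooldown also flags `parser-kit`; the check is meant to run in CI against the lockfile so a fresh upstream release cannot enter a build before the cooldown has elapsed. A cooldown only buys time for someone to notice a bad release during the window, so it complements, rather than replaces, review of what changed in the dependency.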