Comment by tomtomtom777
2 days ago
I understand that this is a good idea but it does feel really weird. Add a min-release-age to see if anyone who doesn't gets bitten.
Next up, we're going to advise a minimum-release-age of 14 days, because most other projects use 7 days.
The minimum-release-age heuristic is certainly helpful as it theoretically gives the community a chance to identify the issue. Of course, in practice, these things aren't scanned or analyzed the way they should ideally be, which is a deeper issue. Pinning has definitely saved me on more than one occasion, but it doesn't strike at the root of the issue.
You don't have to outrun the bear, just the other guy.
Wouldn't this just be a case of the bear catching one guy and then catching the other guy (especially if the issue was unnoticed altogether after the set number of days)?
There will always be early adopters.
And maybe more importantly: security tools and researchers.