Comment by chowells

2 hours ago

A large portion of the time, the maintainer notices what happened a few hours later. Maybe they were asleep or off doing other things for a while, but they eventually come back. And these kinds of takeovers frequently aren't complete enough to cover their tracks.

So at the very least, adding a cooldown raises the difficulty of these attacks above that threshold.

Would be bad for software/progress I guess, but it got me thinking: what if we had an expectation that a dev would post an update checksum/hash, then follow it up a day later with the update itself...

(well maybe that leads to kidnappings idk)

edit - heh, the sibling comment about doing it at the package-manager level must be much smarter

  • I fail to see how this isn't a simple cooldown with more steps. It doesn't seem to add anything to the security posture of the package/update.

> A large portion of the time, the maintainer notices what happened a few hours later.

So add it at the package manager level instead of the user level then?