Dependency cooldowns are unfair; we should use phased rollouts instead
Summary
The article argues that dependency cooldowns are unfair and proposes phased, deterministic rollout windows to reduce supply-chain risk. It outlines how to map project identifiers, package names, versions, and digests to a rollout window, compares the approach with examples from antivirus, OS and firmware updates, and feature flags, and discusses the tradeoffs, emphasizing that security fixes would still use appropriate rollout policies.
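One way to implement the deterministic mapping the summary describes, as an added example that is not the article's own code: a SHA-256 over the project identifier, package name, version, and digest selects a phase, and the phase index times the phase length gives the date from which that project may adopt the release. The phase count (7), the phase length (one day), the security-fix policy (no delay), and all sample inputs are assumptions made here for illustration.

```python
"""Deterministic phased rollout window for a dependency update.

Added example, not code from the article. Each (project, package, version,
digest) tuple is hashed to a phase, so the same project always lands in the
same phase for a given release, while different projects adopt the release
at different times instead of all waiting out one flat cooldown.
"""
import hashlib
from datetime import datetime, timedelta, timezone

PHASES = 7                        # assumption: seven phases per rollout
PHASE_LENGTH = timedelta(days=1)  # assumption: one day per phase

# Constructed sample release timestamp used by the demo below.
RELEASE_PUBLISHED = datetime(2024, 1, 1, tzinfo=timezone.utc)


def rollout_phase(project_id: str, package: str, version: str, digest: str,
                  phases: int = PHASES) -> int:
    """Map a (project, release) pair to a phase index in [0, phases).

    The fields are NUL-separated before hashing so that "ab"+"c" and
    "a"+"bc" cannot collide; a cryptographic hash gives a stable, evenly
    spread assignment without any shared state between projects.
    """
    key = "\0".join((project_id, package, version, digest)).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % phases


def eligible_at(published_at: datetime, project_id: str, package: str,
                version: str, digest: str, security_fix: bool = False) -> datetime:
    """Earliest time this project may adopt the release.

    Assumption: a release flagged as a security fix uses a no-delay policy
    (immediate eligibility) rather than the normal phased schedule.
    """
    if security_fix:
        return published_at
    phase = rollout_phase(project_id, package, version, digest)
    return published_at + phase * PHASE_LENGTH


def is_eligible(now: datetime, published_at: datetime, project_id: str,
                package: str, version: str, digest: str,
                security_fix: bool = False) -> bool:
    """True once the project's rollout window has opened."""
    return now >= eligible_at(published_at, project_id, package, version,
                              digest, security_fix)


def phase_spread(project_ids, package: str, version: str, digest: str) -> set:
    """Set of phases a population of projects lands in for one release.

    Useful for checking that a release is not adopted by everyone at once
    (a cooldown) nor by nobody early (no canaries at all).
    """
    return {rollout_phase(p, package, version, digest) for p in project_ids}


if __name__ == "__main__":
    # Constructed sample: ten projects all depending on the same release.
    projects = [f"org/project-{i}" for i in range(10)]
    pkg, ver, dig = "example-lib", "2.4.0", "sha256:" + "0" * 64
    for p in projects:
        when = eligible_at(RELEASE_PUBLISHED, p, pkg, ver, dig)
        print(f"{p:20s} phase {rollout_phase(p, pkg, ver, dig)} -> {when.date()}")
    print("phases used:", sorted(phase_spread(projects, pkg, ver, dig)))
```

The hash input includes the digest, so a republished artifact with the same version string but different contents is a different release and gets its own window; a project's position in the schedule is reproducible from the lockfile alone, without a central service.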