A central package cooldown is not really any different to individual cooldowns.
The main reason for the cooldown is so security companies can find the issues, not that unwitting victims will find them.
One problem of the central cooldown is that it restricts the choice to be able to consume a package immediately, and some people might think that a problem.
I can implement a dependency cooldown for my org and benefit from it immediately.
An upload queue gets its value from being done centrally and allowing security researchers early access and the ability to coordinate.
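A minimal version of the per-org dependency cooldown the comment above describes, added here as an illustration (it is not code from any commenter or from any registry project). The package metadata, version numbers, timestamps and the 7-day threshold are constructed sample values; the `allow_fresh` flag models the opt-in to early releases.

```python
"""Dependency cooldown filter (added example, not part of the discussion above).

Given release metadata for a package (version -> publish time), pick the newest
version that has been public for at least min_age_days. Releases younger than
that are skipped, so a compromised release gets a window in which researchers
and registries can catch it before it reaches our builds.

Everything below is constructed sample data, not a real package.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: publish timestamps for versions of a hypothetical package.
SAMPLE_RELEASES = {
    "1.4.0": "2024-05-01T10:00:00Z",
    "1.4.1": "2024-05-20T09:30:00Z",
    "1.5.0": "2024-06-02T15:45:00Z",   # fresh; may still be inside the cooldown
    "1.5.1": None,                      # publish time missing: cannot prove age
}

# Constructed "current time" so the example is deterministic.
SAMPLE_NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)


def parse_ts(ts):
    """Parse an RFC 3339 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(v):
    """Numeric-aware ordering for dotted x.y.z versions."""
    return tuple(int(p) for p in v.split("."))


def select_version(releases, now, min_age_days, allow_fresh=False):
    """Return the newest version allowed by the cooldown policy, or None.

    - Versions with no publish timestamp are never selected: without a
      publish time we cannot establish how long they have been public.
    - Versions younger than min_age_days are skipped unless allow_fresh is
      set, which models a deliberate opt-in to early releases.
    """
    cutoff = now - timedelta(days=min_age_days)
    eligible = []
    for version, ts in releases.items():
        if ts is None:
            continue
        published = parse_ts(ts)
        if allow_fresh or published <= cutoff:
            eligible.append(version)
    if not eligible:
        return None
    return max(eligible, key=version_key)


if __name__ == "__main__":
    # Default policy: 7-day cooldown picks 1.4.1 and skips the fresh 1.5.0.
    print(select_version(SAMPLE_RELEASES, SAMPLE_NOW, 7))
    # Opt-in to early releases: 1.5.0 becomes selectable (1.5.1 still is not).
    print(select_version(SAMPLE_RELEASES, SAMPLE_NOW, 7, allow_fresh=True))
```

In a real pipeline the `releases` mapping would come from the registry's metadata endpoint (npm's `time` object or PyPI's `upload_time_iso_8601` fields) and the selected version would be pinned in the lockfile; the policy logic stays the same.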
I can't help but wonder why security reviews aren't standard practice. Surely enterprises would be willing to pay for that? You get the default releases as they are today, then a second line that gets a "security reviewed" certification, released at most a few weeks later.
Of course the problem there is that security audits are fallible. Some issues are so subtle that they are only revealed years after they're introduced, despite them being open source and subject to potentially all the tools and eyes.
> One problem of the central cooldown is that it restricts the choice to be able to consume a package immediately
Huh? The article specifically suggests there could be an opt-in to early releases, and that the published revisions are available (e.g. for researchers) just not distributed by default.
Call it what you want, but a new life stage begins when we have serious responsibility for another human.
For some this comes early, like a "child" looking after a sick parent. For others (like me) this comes with having children.
My wife and I look back on the years we thought we were adults, because we lived on our own, had jobs and a cat, and chuckle to ourselves at how grown up we thought we were. This type of pretending to be an adult we call "adulting".
They use ARM cores designed by the Arm company, but the complete chips are designed by AWS/Microsoft.
Ampere had previously used cores designed by Arm, but their latest CPUs (which do not impress much) use a custom core, like the Apple and Qualcomm CPUs.
I know, but I can't buy a Cobalt or Graviton workstation. Ampere has been the only way I could lay my hands on a nice workstation-grade ARM chip (unless you count Apple, but they also don't sell chips).
Something people often don't consider is the limited resources for doing science - time, money, etc.
The positive side to "bias" is intuition. This is where a bias ("I'm pretty sure it'll turn out to work like XYZ, so I'll do this experiment next, rather than getting bogged down in some other area.") massively shortcuts the amount of resources required to come to a scientific conclusion.
During my PhD, I made many such shortcuts, following my nose. If I didn't, and tried to do everything objectively, I'd still be optimising buffers, and other such things.