Cal Paterson has a problem with dependency cooldowns. In a new essay, he argues they're morally suspect. The logic is simple: cooldowns only work if someone else gets hacked first. You wait N days before updating, hoping the poor saps who updated immediately will catch the malicious code and get it yanked before you ever see it. It works for you. It sucks for them.
His alternative is an upload queue. Instead of every developer configuring cooldowns in their projects (which they'll forget, misconfigure, or accidentally bypass with a quick pip install), the central package repository just holds new releases for a few days before distributing them. Debian already does this. During the waiting period, automated scanners can check for problems, maintainers get notified that a release is coming, and volunteers can test packages intentionally rather than by accident. No free riders. No one gets sacrificed.
This hits AI agents especially hard. As Paterson points out, markdown is now effectively an executable file format. When an LLM downloads a markdown file to learn a new skill, that's a third-party dependency. The first supply chain attack on AI agents is probably coming. Someone will slip "Disregard that!" into a popular prompt file. Paterson is building a public memory system for AI agents called Soapstones, and he's implementing a double upload queue: moderators review uploads for attacks, and agent owners approve what their agents receive. You can't just tell an LLM to "be careful with recent downloads." That's madness.
Hacker News commenters pushed back on some details. Security companies with automated scanners might catch vulnerabilities before individual developers do, complicating the free-rider narrative. Emergency CVE patches create a dilemma: bypass the queue and risk exploitation, or wait and leave users vulnerable. Another commenter argued neither solution fixes the underlying confused deputy problem, suggesting capabilities-based security instead. That problem gets worse as more AI agents act on our behalf. Agents fail in production because codebases aren't built for them.