bityard a day ago

Do you believe new releases don't introduce new bugs?

Reply View 1 reply
  • jcalvinowens a day ago

    Obviously. Every release introduces bugs. There's an inevitable positive correlation between the amount of code we write and the number of bugs we introduce, we just try to minimize it.

    The probability of introducing bugs is a function of the amount of development being done. Releasing less often doesn't change that. In fact, under that assumption, delaying releases strictly increases the amount of time users are affected by the average bug.

    People who do this tell themselves the extra time allows them to catch more bugs. But in my experience that's a bedtime story, most bugs aren't noticed until after deployment anyway.

    That's completely orthogonal to slowly rolling out changes, btw.

    Reply View 0 replies
woodruffw a day ago

To be clear, there's no reason why you can't update dependencies in advance of a cooldown period. The cooldown is an enforced policy that you can choose to override as needed.

(This also doesn't apply to vulnerabilities per se, since known vulnerabilities typically aren't evaluated against cooldowns by tools like Dependabot.)

Reply View 9 replies
  • jcalvinowens a day ago

    No you can't, the cooldown period is started by the new upstream release. So if you follow this "rule" you're guaranteed to be behind the latest upstream release.

    Reply View 8 replies
    • woodruffw a day ago

      I don't understand what you mean. The cooldown period is something you decide to enforce; you can always override it. It's your prerogative as a responsible engineer to decide the boundaries of policy enforcement.

      Reply View 7 replies
      • jcalvinowens a day ago

        I mean, you can do anything you want. But you're inventing a new definition of "cooldown" different than TFA...

        Reply View 6 replies