Follow-up from #877 (comment) — deferred from Phase 1 (#1018).
Summary
When a top-level requirements file uses == version pins, those packages should bypass min_release_age cooldown enforcement. The operator has explicitly chosen that exact version, so the cooldown guard adds friction without security benefit.
Scope
Per Doug's original comment, this exemption applies to == specifiers in top-level requirements files only — not == specifiers in transitive dependency metadata further down the build graph.
Context
- The per-package `resolver_dist.min_release_age: 0` override already provides an explicit opt-out, but requires a settings file change per package rather than honoring existing == pins automatically.
- The release cooldown proposal initially scoped this to constraints files specifically, but the discussion settled on top-level requirements files as the right boundary.
Part of the release cooldown feature: #877, #1078, #1079, #1080
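An added example, not code from the issue or from the project it targets, showing the proposed rule as a decision function. It assumes requirements are PEP 508-style lines (name, optional extras, specifiers, optional marker, `#` comment), that the per-package override is looked up in a dict keyed by canonical package name under `resolver_dist` / `min_release_age`, and that the 7-day default is a placeholder; the function names and the sample requirements file are mine. It goes slightly beyond the issue text to cover the cases a reviewer would ask about: `==1.26.*` is a prefix match, not a pin, and an `==` pin seen in transitive metadata gets no exemption.

```python
# Added example, not code from the issue or from the project it targets.
# Decides whether the min_release_age cooldown applies to each line of a
# requirements file under the rule proposed in the issue.
#
# Assumptions (mine, not stated in the issue): requirements are PEP 508-style
# lines with optional extras, markers and '#' comments; the per-package
# override lives in a dict keyed by canonical name with the nested key path
# resolver_dist -> min_release_age; the 7-day default is a placeholder.
import re
from dataclasses import dataclass, field

DEFAULT_MIN_RELEASE_AGE_DAYS = 7  # placeholder default, not from the issue

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")
_SPEC_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*([^\s,;]+)$")


def canonicalize(name):
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' share one settings entry."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Requirement:
    name: str
    specifiers: list = field(default_factory=list)  # [(op, version), ...]


def parse_requirement(line):
    """Parse one requirements-file line; returns None for blank/comment lines.

    URL requirements ('pkg @ https://...') raise: they are neither a range
    nor a version pin, so the rule in the issue does not describe them.
    """
    text = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comment and marker
    if not text:
        return None
    m = _NAME_RE.match(text)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, _extras, rest = m.group(1), m.group(2), m.group(3).strip()
    specs = []
    for part in filter(None, (p.strip() for p in rest.split(","))):
        sm = _SPEC_RE.match(part)
        if not sm:
            raise ValueError(f"unsupported specifier {part!r} in {line!r}")
        specs.append((sm.group(1), sm.group(2)))
    return Requirement(canonicalize(name), specs)


def is_exact_pin(req):
    """True only when a '==' clause names one concrete version.

    '==1.26.*' is a prefix match covering many releases, so it is not a pin;
    '~=', '>=' and friends are ranges. '===' (arbitrary equality) is left
    out because the issue talks about '==' only.
    """
    return any(op == "==" and not ver.endswith(".*") for op, ver in req.specifiers)


def cooldown_days(req, top_level, settings, default=DEFAULT_MIN_RELEASE_AGE_DAYS):
    """Effective min_release_age in days for one requirement.

    Precedence: explicit per-package override first (the existing opt-out
    mentioned under Context), then the proposed exemption for exact pins in
    top-level requirements files, then the default. '==' pins found in
    transitive metadata (top_level=False) get no exemption.
    """
    override = settings.get(req.name, {}).get("resolver_dist", {})
    if "min_release_age" in override:
        return override["min_release_age"]
    if top_level and is_exact_pin(req):
        return 0
    return default


def classify_requirements(text, top_level, settings, default=DEFAULT_MIN_RELEASE_AGE_DAYS):
    """Map canonical package name -> effective cooldown days for a whole file."""
    result = {}
    for line in text.splitlines():
        req = parse_requirement(line)
        if req is not None:
            result[req.name] = cooldown_days(req, top_level, settings, default)
    return result


# Constructed sample input, not from the issue.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3                 # exact pin: exempt when top-level
urllib3>=2.0                     # range: cooldown, but see the settings override
numpy==1.26.*                    # wildcard '==': still a range, cooldown applies
Cryptography[ssh]==42.0.0 ; python_version < "3.13"   # extras and marker, still exact
idna~=3.6                        # compatible release: cooldown applies
certifi                          # unpinned: cooldown applies
"""

SAMPLE_SETTINGS = {
    "urllib3": {"resolver_dist": {"min_release_age": 0}},  # the existing explicit opt-out
}

if __name__ == "__main__":
    for top in (True, False):
        print("top-level" if top else "transitive",
              classify_requirements(SAMPLE_REQUIREMENTS, top, SAMPLE_SETTINGS))
```

Run as a script it prints the per-package cooldown twice, once treating the sample as a top-level requirements file and once as transitive metadata; only `requests` and `cryptography` change between the two runs, which is exactly the boundary the Scope section draws.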