Sadly we live in a world where distro maintainers don't just package software, they actively patch libraries. And sometimes they do things like break OpenSSL's random number generation, thereby compromising every key generated by anyone who depended on the distro-provided OpenSSL instead of bundling their own. Using distro-provided software adds a requirement to trust the distro maintainers; it doesn't mean you only have to trust one entity, it means you still have to trust all the developers and the distro in addition to that!

They then bring up the argument that distros backport security patches to old unsupported versions of software, so that they don't have to upgrade the old unsupported versions to what upstream actively supports. That's a silly thing to do. Just package software. Don't patch it, unless you're forking it and fully maintaining the fork. Not every security vulnerability ends up with a CVE. Sometimes security issues get fixed without anyone noticing that they're security issues, e.g. they show up as fixes for data corruption bugs. Maintainers only watching the CVE lists won't see these, and will leave users running unpatched outdated software.

I don't know that there are any easy answers here. Source-based distros like Gentoo have a possible way out: building from source means that the build files can be checked for what versions they're using. So things like Cargo, which lists all the versions of every dependency for every package in the package's lockfile, can be used to check automatically whether any package has a vulnerable version. Then the user can be prompted to update. Cargo already has auditing tools to help with this; they just need to be used by the distro. Basically a "dependabot" type solution for installed packages on end user machines. But for languages that don't have such systems (C, C++, etc.) the problem is much more difficult.
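As an added example (not the commenter's code, and not cargo-audit itself), a small Python sketch of the lockfile check the last paragraph describes: it reads the `[[package]]` entries from a constructed Cargo.lock and flags any crate whose locked version falls outside an advisory's patched range. The crate versions and advisory ids are made-up placeholders, not real advisories.

```python
import re

# Constructed Cargo.lock excerpt (hypothetical app, made-up dependency versions)
SAMPLE_LOCK = """\
[[package]]
name = "example-app"
version = "0.1.0"
dependencies = ["hashbrown", "smallvec"]
[[package]]
name = "hashbrown"
version = "0.12.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "smallvec"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Constructed advisories in the shape of RustSec's `patched` ranges; ids are placeholders
ADVISORIES = [
    {"id": "RUSTSEC-PLACEHOLDER-1", "package": "smallvec", "patched": [">=1.6.1"]},
    {"id": "RUSTSEC-PLACEHOLDER-2", "package": "hashbrown", "patched": [">=0.12.0"]},
]

def parse_version(v):
    """'1.6' -> (1, 6, 0); pre-release suffixes are ignored in this example."""
    parts = [int(x) for x in v.split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_lock(text):
    """Minimal reader for [[package]] tables: returns {crate name: locked version}."""
    pkgs = {}
    for table in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(name|version)\s*=\s*"([^"]+)"', table, re.M))
        pkgs[fields["name"]] = fields["version"]
    return pkgs

def satisfies(version, spec):
    """Evaluate one comparator such as '>=1.6.1' or '<0.2.0' against a version string."""
    op, target = re.match(r"(>=|<=|>|<|=)?\s*([\d.]+)", spec.strip()).groups()
    v, t = parse_version(version), parse_version(target)
    return {">=": v >= t, "<=": v <= t, ">": v > t, "<": v < t, "=": v == t, None: v == t}[op]

def audit(lock_text, advisories):
    """Return (advisory id, crate, locked version) for every lock entry outside a patched range."""
    installed = parse_lock(lock_text)
    return [(adv["id"], adv["package"], installed[adv["package"]]) for adv in advisories
            if adv["package"] in installed  # a crate is vulnerable unless some patched range holds
            and not any(satisfies(installed[adv["package"]], s) for s in adv["patched"])]
```

A distro-side job would run `audit()` over each installed package's lockfile against the real advisory database and prompt the user to update on any hit.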