as an Alpine contributor: while in this case it's true (sshd linking to libsystemd in Ubuntu is a result of a patch applied by Debian), `ldd` is not a good indicator for this. it does not say whether these dependencies are not there or get vendored and statically linked instead.<p>in other packages, we've sometimes specifically put work into making the ldd output <i>longer</i>, because a dependency not being statically compiled into the binaries means that we can effectively ship updates to it. as of now, running ldd on our binary of chromium returns 141 lines of output, or 157 for electron. when CVE-2023-4863 happened, we just quickly shipped a fix to libwebp, and that was the fix for our chromium and electron packages as well. a typical electron app you download (outside alpine repos) ships its own copy of electron with all these dependencies inside. ldd on that binary will output just 2 lines. it doesn't mean that it doesn't use all these dependencies, it means a much longer dependency chain in which your Electron chat app's developer might not realize they're vulnerable for 3 days until someone tells them, or "beta test" the update for half a month (both real examples from real chat apps)