First:

xz vulnerability -- This happened because a patch was added by some Linux distros to add functionality for other packages. If openssh was not patched and kept as the OpenBSD people intended, the vulnerability would not have happened. The article seems to indicate it was caused due to other reasons. IIRC, this only affected systemd distros. *BSDs and Slackware did not have this vulnerability.

Yes, Linux and to a far lesser extent *BSD are living in dependency hell. Windows is worse off.

But UN*X systems were initially designed to be simple, but many people want to make these systems into M/S Windows Clones. Until UN*X Type Systems get back to their roots, I see no resolution.

FWIW, the way BSDs are designed, you can avoid a lot of this because they separate third party applications; these are installed outside the base system. People in the BSDs mostly know there are risks to using 3rd party applications, but unlike Linux, BSD users make that decision themselves. Linux distros tend to make these third party applications part of their base system, thus forcing risks on the user. The user may not even understand these items have risks that exceed Linux itself.