The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.
And the underlying reason for rejecting the distro model is that "You can't have the shiniest new thing, and not be part of the Cool Kids Club."
@niclas @eighthave maybe just use a rolling release distro then?
@jr @niclas A rolling release distro wouldn't change this issue. If each package includes its own copy of libwebp, each one of those still needs to be updated. With this #WebP vuln, it was first reported as only affecting some iOS framework, then only Chrome. So lots of developers are still not aware that they have to ship an update with the latest libwebp version. With the distro model, just the library maintainer needs to be aware of the update, then all the apps automatically get the update
