by jhkaghjkga 3733 days ago
Because any (possibly security-relevant) update to a library would mean that all software linking it statically has to be rebuilt.

In reality that of course doesn't happen, so programs linking statically or including their own versions of shared libraries never get security updates for the included libraries.

3 comments

If you want the perfect example of that problem, look to Windows.

A couple of years back Microsoft discovered some kind of issue with their redistributable dlls.

They patched Office etc., but could only offer a scanner that would check each and every DLL to see if it was of a vulnerable version. And asked users to pester third-party software providers for updates if the scanner found any.
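The scanner approach described in the comment above, as an added example (not code from the thread or from Microsoft): because a package manager cannot see a library that was statically linked or vendored into a program, the only way to find outdated copies is to inspect every binary for the library's embedded version string. The example uses zlib, whose inflate module embeds a string of the form `inflate 1.2.11 Copyright 1995-2017 Mark Adler` in binaries that link it; the minimum acceptable version and the sample file contents are constructed for illustration, not a statement that any particular release is vulnerable.

```python
"""Find binaries that bundle an outdated copy of a library (added example).

Mirrors the approach of a "check every DLL" scanner: walk the files, look for
the library's embedded version string, and report copies older than a policy
minimum. Assumptions (not from the thread): the library is zlib, identified by
its inflate copyright string; the minimum version is a caller-supplied policy
value; SAMPLE_FILES are constructed in-memory stand-ins for real binaries.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

# zlib's inflate module embeds "inflate <version> Copyright ..." in every
# binary that links it. This is a heuristic: a vendored copy built with the
# string stripped out, or a renamed fork, will not be detected.
ZLIB_VERSION_RE = re.compile(rb"inflate (\d+\.\d+(?:\.\d+)?) Copyright")

# Cap on bytes read per file so a scan over a whole tree stays bounded.
MAX_READ = 64 * 1024 * 1024


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11). Numeric tuples compare correctly where plain
    string comparison does not ('1.2.3' > '1.2.11' as strings). Two-component
    versions are padded so '1.2' sorts below '1.2.1'."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def embedded_zlib_version(data: bytes) -> Optional[str]:
    """Return the zlib version string embedded in a file's bytes, or None."""
    m = ZLIB_VERSION_RE.search(data)
    return m.group(1).decode("ascii") if m else None


def find_outdated(blobs: Iterable[Tuple[str, bytes]],
                  min_version: str) -> List[Tuple[str, str]]:
    """Given (name, contents) pairs, return (name, version) for every file
    that bundles zlib older than min_version, in input order."""
    floor = parse_version(min_version)
    hits: List[Tuple[str, str]] = []
    for name, data in blobs:
        ver = embedded_zlib_version(data)
        if ver is not None and parse_version(ver) < floor:
            hits.append((name, ver))
    return hits


def iter_tree(root: str) -> Iterable[Tuple[str, bytes]]:
    """Yield (path, contents) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan


def scan_tree(root: str, min_version: str) -> List[Tuple[str, str]]:
    """Scan a directory tree for bundled zlib copies older than min_version."""
    return find_outdated(iter_tree(root), min_version)


# Constructed sample "binaries" (not real files): two old bundled copies, one
# current copy, and a file with no zlib at all.
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("app_static.exe", b"MZ\x90\x00" + b"\x00" * 16
     + b"inflate 1.2.3 Copyright 1995-2005 Mark Adler " + b"\x00" * 8),
    ("tool_current", b"\x7fELF" + b"\x00" * 12
     + b"inflate 1.2.13 Copyright 1995-2022 Mark Adler "),
    ("notes.txt", b"no compression library in here"),
    ("legacy.dll", b"MZ" + b"inflate 1.2 Copyright 1995-2003 Mark Adler "),
]

if __name__ == "__main__":
    # Run against the constructed samples; pass a directory to scan_tree()
    # to check real binaries, e.g. scan_tree("/opt", "1.2.11").
    for name, ver in find_outdated(SAMPLE_FILES, "1.2.11"):
        print(f"{name}: bundles zlib {ver} (older than 1.2.11)")
```

The version comparison is the part worth getting right: comparing version strings lexically would wrongly pass `1.2.3` as newer than `1.2.11`, so the scanner converts to integer tuples first. The string search is deliberately a heuristic, which is exactly the limitation the comment points at: a scanner can only report what it can recognise, and it still cannot fix anything, since the bundled copy lives inside someone else's binary.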

I wouldn't move from a package system to an "everything has to be statically compiled" system. But it would be a nice option to have when most of the software in your distro is OK but you want to run some app without upgrading your whole distro/OS.
In the same way as you upgrade a library, you can just upgrade your software...