by kilburn 2817 days ago
> his other major gripe is that the security updates for non-official flatpaks

I don't know whether it is true or not, but the author explicitly states that it is the official applications AND runtimes that aren't properly maintained.

> I have the same problem when I run applications that have an official RPM repo, and a volunteer packages the deb and pushes it to the official Ubuntu/Debian repos

No you don't, because either (a) the package was not uploaded to the official (main) Debian repository or (b) the Debian security team is in charge of fixing it if the maintainer is no longer available.


The Debian security team being responsible may help you figure out who to blame, but it doesn't magically help the update actually happen. The Debian security team is a volunteer team, and it's entirely realistic that someone may actually have seen delays in the packages they care about getting security updates. "No you don't" is arrogant - you have no way of knowing that.

> The Debian security team being responsible may help you figure out who to blame, but it doesn't magically help the update actually happen.

Actually they do. Debian does carry local patches when necessary. It will also backport patches to release in older versions which may not be updated upstream. They literally make the updates happen.

In this case, it's valid to ask - where/when did you see the issue with this working?

...and, as I recall, that got them in trouble with OpenSSL.

Parent was talking about Debian upstream patches making it into his platform of choice; in this case RHEL/CentOS.

That requires paid/volunteer package maintainers.