[richardwhiuk]

Compatibility with other libraries and testing effort. You end up back porting everything.

Ubuntu backports the fixes them instead (i.e. Ubuntu's 1.0.2 will be patch with CVE fixes going forward instead of backporting 1.1 wholesale).

[kakwa_]

Also stability of APIs/ABIs: within a major Ubuntu/Debian version, there is an implicit contract in most cases that if you build something against a library/software provided by the distribution, it will not break after an upgrade of said library/software.

To enforce that, a policy of version freeze+backport of bug/security fixes is almost always necessary as very few upstream projects will maintain separate branches and have a clear policy about API/ABI breakages.

(OpenSSL is actually somewhat of an exception in that regard).

[ymse]

OpenSSL actually did a breaking API change as recent as 1.1.1e (reverted in 1.1.1f to be fair):

https://bugs.python.org/issue40018

And broke the ABI in 1.0.2g:

https://bugzilla.redhat.com/show_bug.cgi?id=1313509

I don't mean to bash on OpenSSL here and agree they generally do an exceptional job at keeping the public interface stable. Just offering some context. These things are difficult.

[tialaramex]

To be fair "these things are difficult" if your ABI is terribly designed.

If you've used modern libpng you can thank people like me for the fact you don't need to recompile or even sometimes rewrite code after every micro version release.

Example of something libpng did before we "gently" explained that it's stupid: re-order the public data structures in a "bug fix" release. Because the old order looked untidy see, and so long as every program is recompiled with the new version of the library it won't break...