[eeereerews]

It can also cut the other way though. Bugs can be introduced, compatibility can be broken, users can not find the library in their package manager, or they may find too new of a version. The danger of this is smaller for popular libraries, but goes up as you move to the long tail.

[wahern]

But this also highlights the benefit of community packaging. Debian packagers often backport security fixes into older versions of libraries that are no longer maintained upstream. That's a big part of their job--not just to bang out a build and walk away, but to keep an eye on things. This is why it's important to only use distro-packaged libraries as much as you can, even when statically linking.

Getting off the treadmill of integrating interface-breaking upstream changes is one of the biggest practical reasons people prefer static linking and directly adding upstream source repositories into their build. It's at least as important, IME, as being able to use newer versions of libraries unavailable in an LTS distro. It can work well for large organizations, such as Google with their monolithic build, because they can and often do substitute the army of open source packers with their own army of people to curate and backport upstream changes. For everybody else it's quite risky, and if containerization provides any measure we're definitely worse off given the staleness problems with even the most popular containers.[1]

[1] I wouldn't be surprised if an open source project emerged to provide regularly rebuilt and possibly patched upstream containers, recapitulating the organizational evolution of the traditional FOSS distribution ecosystem.

[deathanatos]

Bugs & compatibility issues are still a problem with the statically-linked version, unless you want to stay on the version of the library with the security vulnerability, you have to upgrade. That means, for either static or dynamic, dealing with bugs and compatibility issues — which I'd argue is another form of bug; if you're practicing semantic versioning (which you should be, as it prevents exactly this issue), this indicates either someone accidentally broke compatibility (a bug in the library), or someone was relying on something outside the established API (a bug in the consumer). For major versions (i.e., where compatibility is intentionally broken), good package managers are able to manage side-by-side installation of well-behaved packaged. (E.g., Portage's "slots" concept.) I'd also mention Nix's design here; my understanding is that it allows you to upgrade the dependency for just some consumers, so you really can then choose between insecure & bugs.