by Macha 1008 days ago
Desktop Linux is on the relatively safer side, just because so much of the open source ecosystem still uses dynamic linking so it just needs your distro to package a new version of libwebp.

All the proprietary software with their own bundled versions of electron or vendored libraries, etc. on the other hand...


> so it just needs your distro to package a new version of libwebp.

That and every snap/flatpak/etc. package, every container image you are using and possibly pip packages that can come with and compile all kinds of dependencies and haven't been maintained for ten years...

The security benefit a well maintained Linux distro provides has been eroding for years now.

However, you can choose to largely avoid these. Yes, people are pushing the other way, but you can not use snap and flatpak if you use a distro with large repos. You can use Python virtualenvs with --system-site-packages and put just pure python packages in your requirements.txt. You can run things in containers for security without using images.

I think there are two problems:

1. People running single/small numbers of servers copying practices that are used by people running fleets of containers who can have someone promptly updating everything as needed.
2. As always, convenience. The easiest and best supported way to pip install things is without --system-site-packages.

I have always felt we were going the wrong way with this. I thought I was the only one!
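The reply above argues that a pure-Python requirements.txt on top of --system-site-packages keeps you covered by distro patches, while packages that bundle compiled code do not get fixed when the distro ships a new libwebp. A quick way to see which side of that line your environment falls on is to look for shared objects under site-packages. The script below is an added example, not code from the thread; it builds a constructed throwaway site-packages tree (one pure-Python package, one package vendoring a shared library with a made-up name) and reports the packages that carry native code, which are the ones a system library update will not reach.

```python
"""
Audit a site-packages directory for packages that ship compiled native code.

A wheel that bundles its own shared libraries (an image library carrying its
own libwebp, for instance) does not pick up a distro-level update to the
system copy of that library, whereas a pure-Python package installed with
--system-site-packages does.  Listing the native files makes that set visible.

Added example, not code from the thread.  The sample tree built below is
constructed for illustration; the package and file names are not real ones.
"""
import tempfile
from pathlib import Path

# File suffixes that mark compiled extension modules or bundled libraries.
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")


def native_packages(site_packages: str) -> dict:
    """Return {top_level_dir: [relative paths of native files]} for every
    package directory under site_packages that contains compiled code.
    Versioned shared libraries such as libfoo.so.7 are caught via '.so.'."""
    root = Path(site_packages)
    found = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if not (name.endswith(NATIVE_SUFFIXES) or ".so." in name):
            continue
        rel = path.relative_to(root)
        found.setdefault(rel.parts[0], []).append(str(rel))
    return found


def build_sample_site_packages() -> str:
    """Construct a throwaway site-packages tree: one pure-Python package and
    one package that vendors a shared library (constructed sample data)."""
    base = tempfile.mkdtemp(prefix="sp-")
    pure = Path(base, "purepkg")
    pure.mkdir()
    (pure / "__init__.py").write_text("VERSION = '1.0'\n")
    vendored = Path(base, "imgpkg")
    (vendored / ".libs").mkdir(parents=True)
    (vendored / "__init__.py").write_text("")
    # Fake ELF headers stand in for a compiled extension and a bundled library.
    (vendored / "_decoder.cpython-311-x86_64-linux-gnu.so").write_bytes(b"\x7fELF")
    (vendored / ".libs" / "libwebp-abc123.so.7.1.3").write_bytes(b"\x7fELF")
    return base


if __name__ == "__main__":
    sp = build_sample_site_packages()
    for pkg, files in sorted(native_packages(sp).items()):
        print(f"{pkg}: bundles native code, not covered by distro library updates")
        for f in files:
            print("   ", f)
```

Pointing `native_packages` at a real virtualenv's site-packages directory (for example the path printed by `python -c "import site; print(site.getsitepackages())"` inside the venv) gives the list of packages you would have to rebuild or upgrade yourself after a system library advisory.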