by yjftsjthsd-h 516 days ago
That particular principle is born of pragmatism; Debian long ago learned the lesson that other distros are determined to relearn (https://thenewstack.io/vendoring-why-you-still-have-overlook...) - vendoring is not good for security. In fact, I have come to view Debian's commitment to principles as almost always a practical matter, because those principles (almost?) always trade short-term pain for long-term quality and stability.
1 comments

It's also effectively what the big cloud vendors do with their monorepos. This makes sense when you have upstreams which are slow at upgrading (e.g. it looks like Debian is upgrading packages using older bootstrap to bootstrap v5 across the board, and such fixes get pushed upstream; there's also tooling to watch new releases, so Debian's tooling effectively acts like a system-wide dependabot).