[Cyph0n]

Not sure I follow. Suppose you tore out a portion of libxml2 for use in your HTTP server. A CVE is filed against libxml2 that is related to the subset you tore out. Obviously, your server doesn't link against libxml2. How exactly would distro maintainers know to include your package in their list?

[saagarjha]

You’d list it in your attribution?

[Cyph0n]

I am unfamiliar with the details of distro packaging. Do they commonly use the attribution to route CVEs?

Regardless, the maintenance burden remains.

[BenjiWiebe]

I believe some distros require un-vendoring before accepting the package.

If the code you vendored was well hidden so the distro maintainer didn't notice, perhaps the bad guys would also fail to realize you were using (for instance) libxml2, and not consider your software a target for attack.