by saagarjha 159 days ago
You’d list it in your attribution?

I am unfamiliar with the details of distro packaging. Do they commonly use the attribution to route CVEs?

Regardless, the maintenance burden remains.

I believe some distros require un-vendoring before accepting the package.

If the code you vendored was well hidden so the distro maintainer didn't notice, perhaps the bad guys would also fail to realize you were using (for instance) libxml2, and not consider your software a target for attack.