The flip side is that it is easy to track security vulnerabilities at a level of a shared library - once the distribution pushes an update all the dependent applications are fine.

Imagine you have 10 programs statically linked against the same library. How many will be promptly updated? How do you, as a system admin, track which ones were not?


You solve two unrelated problems (tracking library dependencies and security patching) with one complex interdependent solution and then you pretend no other solution can possibly exist. This is a trap.

In production you very often end up maintaining stuff not from distribution, you have to track and rebuild that anyway.


The solution may be "complex and interdependent" but it already exists, and has been used for 35+ years.

Sure, conceptually there may be a better solution to both problems, but it has not been deployed by any GNU/Linux distribution I know.

And I am not sure if dockerizing or building everything statically and hoping a solution will eventually show up one day is the path forward.


It's not.

At least when the distro updates its shared libraries it fixes it for all users. Imagine how many rebuilds + time + effort it would take for every docker container that had the same shitty small bug.


> You solve two unrelated problems (tracking library dependencies and security patching) with one complex interdependent solution (...)

Linking to a library is not what I would describe as "complex", or have any meaningful challenge regarding "interdependence".

This issue makes no sense on Windows, where you are free to drop any DLL in the project folder, and for different reasons it also does not make sense on UNIX-like distributions, which already provide officially maintained packages.

I'm sure that there are plenty of problems with distributing packages reliably, but dynamic libs ain't one of them.


It seems to me like the better way to solve this would be for distributions to publish which versions of dependencies each package uses, and provide an audit tool that can analyze this list and notify of any vulnerabilities.

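The audit tool suggested in the comment above, sketched as an added example (not code from the thread or from any distribution). It assumes the distribution publishes a per-package manifest of the library versions each package bundles or statically links, and that an advisory feed lists affected version ranges per library; both the manifest and the advisories below are constructed sample data with placeholder advisory ids. The point it demonstrates is the one the thread circles around: with such a manifest, "which statically linked programs still carry the vulnerable version" becomes a lookup rather than guesswork.

```python
"""Audit statically linked dependency versions against an advisory list.

Added example, not from the HN thread. Assumes a distribution publishes,
per package, the version of each bundled/statically linked library, and
that an advisory feed lists vulnerable version ranges. The manifest and
advisories below are constructed sample data with placeholder ids.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) for ordered comparison.

    Non-numeric components are treated as 0 (a simplifying assumption;
    a real tool would use the distribution's own version comparison).
    """
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    library: str
    advisory_id: str   # placeholder ids such as "ADV-0001", not real advisories
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when `version` falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(manifest, advisories):
    """Return {package: [(library, version, advisory_id), ...]} for every
    package that bundles an affected library version.

    Packages with no findings are omitted, so an empty dict means the
    whole manifest is clean against the given advisories.
    """
    findings = {}
    for package, deps in manifest.items():
        for library, version in deps.items():
            for adv in advisories:
                if adv.library == library and is_affected(version, adv):
                    findings.setdefault(package, []).append(
                        (library, version, adv.advisory_id)
                    )
    return findings


# Constructed sample manifest: package -> {library: statically linked version}
SAMPLE_MANIFEST = {
    "webproxy": {"libtls": "2.4.1", "libz": "1.2.11"},
    "dbclient": {"libtls": "2.5.0"},
    "imagetool": {"libz": "1.2.8", "libpng": "1.6.37"},
}

# Constructed sample advisories (placeholder ids and ranges)
SAMPLE_ADVISORIES = [
    Advisory("libtls", "ADV-0001", "2.0.0", "2.4.3"),
    Advisory("libz", "ADV-0002", "1.2.0", "1.2.12"),
]

if __name__ == "__main__":
    for pkg, hits in sorted(audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES).items()):
        for library, version, adv_id in hits:
            print(f"{pkg}: {library} {version} affected by {adv_id} (rebuild needed)")
```

Run as-is it reports `webproxy` (both bundled libraries in range) and `imagetool` (old `libz`), while `dbclient` on the fixed `libtls` is silent. The same structure works for shared libraries too: the manifest simply collapses to one entry per library, which is why the shared-library case in the thread is the easy one.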