I understand what you are saying and agree to most of it. One thing sticks out to me:
> On 19.03.2018 at 19:07, Houser, Rick <rick.hou...@jackson.com> wrote:
>
> Under RHEL6, I count 52 releases of openssl-1.0.1# in the changelog. That
> is far from trivial, especially compared to httpd/apr/apr-util that seem to
> only *need* around 1-2 update rounds per year to deal with security issues,
> etc.

The OpenSSL project has not made that many releases of 1.0.1+. So where do the 52 package versions come from? I imagine they isolated and backported patches separately which appeared in a single openssl release?

If so: from a global, net-wide perspective this is completely nuts! Complexity is our worst enemy. By multiplying releases by a factor 5-10 of a common, shared software, the OS distributor makes everyone's life more difficult. Apply that to all the libs on the common OS and you end up with a big number, because they multiply each other.

Now, one can argue that the OS distributor is testing all this and therefore it is safe. Maybe that is true. But if you install a piece of software that is not part of your OS distribution tests, that software encounters versions of shared libraries it has never seen before.

I remember my horror when I realized that my installed Apache httpd 2.4.n was a Frankenstein monster created by my distribution. How naive I was then...

Back down to earth: I understand how we got here, but I still do not like it.

Cheers, Stefan

*rambling*