• Ephera
    3 years ago

    There are rolling release distros that are only days or weeks behind upstream, and they still don’t suffer that spam problem where random strangers are allowed to basically upload any crapware without human supervision.

    Well, yeah, because they only provide an incredibly tiny subset of dependencies. Writing useful software with only those dependencies would probably take at least ten times as long, since you’d have to implement everything yourself.

    And basically no user or customer actually cares about potential supply chain issues. They want feature-rich software for not so rich amounts of money. If you don’t implement that software for cheap, someone else will. And no one will ever hear about your oh-so-supply-chain-secured software.