Comment by forrestthewoods
13 hours ago
The Steam Linux Runtime is pretty bare bones. Their most recent runtime hasn’t been updated in 4 years. That’s quite different.
> Their most recent runtime hasn’t been updated in 4 years. That’s quite different.
Bad, even.
False. The exact opposite of bad.
The “system” should provide the barest minimum of libraries. Programs should ship as many of their dependencies as is technically feasible.
Oh what’s that? Are you crying about security updates? Yeah well unfortunately you shipped everything in a Docker container so you need to rebuild and redeploy all of your hierarchical images anyways.
> Programs should ship as many of their dependencies as is technically feasible.
Shipping in a container just is "ship[ping] as many [...] dependencies as is technically feasible". It's "all of them except the kernel". The "barest minimum of libraries" is none.
Someone who's using Docker is already doing what you're describing anyway. So why are you scolding them as if they aren't?
> False. The exact opposite of bad.
I don't mind stable base systems, I don't mind slow and well tested updates, I actively like holding stable ABIs, but if you haven't updated anything in 4 years, then you are missing bug and security fixes. Not everything needs to be Arch, but this opposite extreme is also bad.
> The “system” should provide the barest minimum of libraries. Programs should ship as many of their dependencies as is technically feasible.
And then application developers fail to update their vendored dependencies, and thereby leave their users exposed to vulnerabilities. (This isn't hypothetical, it's a thing that has happened.) No, thank you.
> Oh what’s that? Are you crying about security updates? Yeah well unfortunately you shipped everything in a Docker container so you need to rebuild and redeploy all of your hierarchical images anyways.
So... are you arguing that we do need to ship everything vendored in so that it can't be updated, or that we need to actually break out packages to be managed independently (like every major Linux distribution does)? Because you appear to have advocated for vendoring everything, and then immediately turned around to criticize the situation where things get vendored in.
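The two failure modes the thread argues over (a patched base layer forcing a rebuild of every image stacked on it, and a vendored library that quietly stays below the fixed version) can both be checked mechanically. The script below is an added example, not code from any commenter, from Steam or from Docker: the image names, the parent relationships, the vendored library list and the advisory's fixed version are all constructed placeholders, and the "advisory" is a plain dict rather than a real feed.

```python
"""Model a tree of container images (child -> parent, i.e. the FROM line) and a set
of images that received a security fix, then derive which images must be rebuilt
and redeployed, and which vendored libraries are still older than the fix.
All image and library names below are constructed for the example."""
from collections import defaultdict, deque

# Constructed image hierarchy: child -> parent. None means built FROM scratch.
IMAGE_PARENTS = {
    "base-os:stable": None,
    "runtime-python:3": "base-os:stable",
    "runtime-node:20": "base-os:stable",
    "svc-api:1.4": "runtime-python:3",
    "svc-worker:2.0": "runtime-python:3",
    "svc-web:0.9": "runtime-node:20",
    "tools-ci:1.0": None,  # unrelated image; must not be flagged
}

# Constructed vendored-dependency inventory per leaf image (library -> version).
VENDORED = {
    "svc-api:1.4": {"libfoo": "1.2.0", "libbar": "2.0.5"},
    "svc-web:0.9": {"libfoo": "1.3.1"},
}

# Constructed advisory: library -> first version that carries the fix.
ADVISORY_FIXED = {"libfoo": "1.3.0"}


def children_of(parents):
    """Invert the child->parent map into parent->[children]."""
    kids = defaultdict(list)
    for child, parent in parents.items():
        if parent is not None:
            kids[parent].append(child)
    return kids


def rebuild_order(parents, patched):
    """Every image that transitively inherits from a patched image, in an order
    where each parent precedes its children, so a child rebuild picks up the
    freshly rebuilt parent layer rather than the stale one."""
    kids = children_of(parents)
    order, seen = [], set()
    queue = deque(sorted(patched))
    while queue:
        img = queue.popleft()
        if img in seen:
            continue
        seen.add(img)
        order.append(img)
        queue.extend(sorted(kids[img]))  # children only after their parent
    return order


def parse_version(v):
    """Dotted numeric version to a comparable tuple, e.g. '1.2.11' -> (1, 2, 11)."""
    return tuple(int(part) for part in v.split("."))


def stale_vendored(vendored, fixed):
    """Images whose vendored copy of a library is below the advisory's fixed
    version; these stay exposed until the application itself re-vendors."""
    stale = {}
    for img, deps in vendored.items():
        for lib, ver in deps.items():
            if lib in fixed and parse_version(ver) < parse_version(fixed[lib]):
                stale.setdefault(img, []).append(lib)
    return stale


if __name__ == "__main__":
    print("rebuild order:", rebuild_order(IMAGE_PARENTS, {"base-os:stable"}))
    print("stale vendored:", stale_vendored(VENDORED, ADVISORY_FIXED))
```

The breadth-first walk is what makes the ordering correct: an image is only enqueued after its parent has been emitted, so a CI job that consumes the list in order never rebuilds a service on top of an unpatched runtime layer. The vendored check is deliberately separate from the image tree, because a base-image rebuild does nothing for a library the application compiled in itself; that is the gap the "developers fail to update their vendored dependencies" comment points at.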