
I thought about this issue some time ago:

http://security.stackexchange.com/questions/109026/security-...

I agree that there's a distinction to be made between core/base and user-applications/ports (as mentioned elsewhere in this thread)...

Ultimately it's all software, and the only distinction is fuzzy: e.g. the kernel won't easily break backwards compatibility, while databases, interpreters, etc. will... but it's not something you can easily measure without being vigilant for every change.

I think that an important distinction (at least for Ubuntu) are the main and universe repositories: I'd expect these problems to happen in universe and to be mostly absent in main.

From this point of view, a good choice would be to completely rely on main, and to weigh the pros and cons when deciding whether to use the repositories to manage your user applications/libraries/dependencies for your actual service. (I'd probably define all of them with Nix, but that's not a panacea.)

The problem is that even main isn't guaranteed to keep up with all the security updates: in some cases updates aren't prepared and shipped because the default configuration is not vulnerable (but obviously a sysadmin could change that) and it's not worth the effort, or, just like in the Python 2.7.9 case, a security update most often can be applied as a standalone patch, but if the changes are overarching and not easily distilled into a patch, the update will be too expensive/risky and won't be done.
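A practical follow-up to the main/universe point above, as an added example that is not part of the original comment: a small POSIX shell script that tells you which Ubuntu archive component (main, universe, ...) each installed package's current version was fetched from, so you can see where your "rely on main" policy actually leaks. It parses the output of `apt-cache policy <pkg>` and assumes that output has the shape shown in the constructed samples below (the package names and versions in the samples are made up for illustration); `report_non_main` additionally assumes `dpkg-query` and `apt-cache` are on the host and is only meaningful on a real Ubuntu/Debian system.

```shell
#!/bin/sh
# Added example, not from the original comment. Finds installed packages whose
# installed version came from a component other than "main". The apt-cache
# policy output format is assumed to match the constructed samples below.

# Read `apt-cache policy <pkg>` output on stdin and print the archive component
# (main, universe, multiverse, restricted) of the currently installed version.
# Prints nothing for packages with no archive source line (locally built or
# obsolete packages only known from /var/lib/dpkg/status).
policy_component() {
    awk '
        # " *** <version> <priority>" marks the installed version entry
        /^ \*\*\* / { installed = 1; next }
        # a line with a single leading space starts the next version entry
        installed && /^ [^ ]/ { installed = 0 }
        # source lines: "<priority> <uri> <suite>/<component> <arch> Packages"
        installed && index($2, "://") > 0 {
            split($3, parts, "/")          # e.g. "jammy-updates/main"
            if (parts[2] != "") { print parts[2]; exit }
        }
    '
}

# Walk every installed package and print "<package>\t<component>" for those
# whose installed version did not come from main. Requires dpkg and apt.
report_non_main() {
    dpkg-query -W -f='${Package}\n' | while read -r pkg; do
        comp=$(apt-cache policy "$pkg" | policy_component)
        case "$comp" in
            main|"") ;;                   # main, or no archive origin at all
            *) printf '%s\t%s\n' "$pkg" "$comp" ;;
        esac
    done
}

# Constructed sample outputs (not captured from a real host) used to exercise
# the parser offline.
SAMPLE_MAIN='examplepkg:
  Installed: 1.18.0-6ubuntu14
  Candidate: 1.18.0-6ubuntu14.4
  Version table:
     1.18.0-6ubuntu14.4 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
 *** 1.18.0-6ubuntu14 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status'

SAMPLE_UNIVERSE='otherpkg:
  Installed: 5:6.0.16-1ubuntu1
  Candidate: 5:6.0.16-1ubuntu1
  Version table:
 *** 5:6.0.16-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status'

SAMPLE_LOCAL='localpkg:
  Installed: 0.1-1
  Candidate: 0.1-1
  Version table:
 *** 0.1-1 100
        100 /var/lib/dpkg/status'

# Offline demonstration on the constructed samples; run `report_non_main`
# on an Ubuntu host for the real audit.
printf 'sample main     -> %s\n' "$(printf '%s\n' "$SAMPLE_MAIN" | policy_component)"
printf 'sample universe -> %s\n' "$(printf '%s\n' "$SAMPLE_UNIVERSE" | policy_component)"
printf 'sample local    -> [%s]\n' "$(printf '%s\n' "$SAMPLE_LOCAL" | policy_component)"
```

Note that the component is read from the installed version's own source line, not the candidate's: a package whose installed build came from universe is reported even if a newer main build is now the candidate. Packages that print nothing were never fetched from an archive at all and deserve a look of their own.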


