Churn? On Debian?

It takes like 2 years to get up to date packages. This isn't NPM.

The xscreensaver dev managed to very easily slip a timebomb in to the debian repos. Wasn't obscured in any way, the repo maintainers just don't review the code. It would be physically impossible for them to review all the changes in all the programs.

No, they are extremely well vetted. Have you ever heard of a supply chain attack involving Red Hat, Debian or Ubuntu repos?

Yes, the XZ attack affected Fedora nightly and Debian testing and unstable. Yes, it got caught before it made it into a stable distribution (this time).

https://www.redhat.com/en/blog/understanding-red-hats-respon...

https://lists.debian.org/debian-security-announce/2024/msg00...

So the attack was successfully stopped and you complain about it?

I’m not complaining, I’m pointing out facts. If the facts offend you, that’s your problem. Ignore them if you wish.