And because the Go package manager (like most language-specific package managers) is developer-centric, you have to rely on the developer to keep an eye out for CVE announcements for all the libraries they use. The number of developers that actually do this consistently is very small.
Added irony: With pointer and memory allocation bugs, the problems are at least reproducible. Can't say that about threading bugs.
Sounds like you never had to debug a use-after-free bug.
We host an apt repository with a few packages for a bunch of Debian and Ubuntu releases. Of course you have to target the right dependency set, but that's true even when you target a specific version of either OS.
I was just miffed by the remark that Debian would not support PPAs, when in fact the whole technical groundwork is actually Debian's and all Ubuntu did was build a thin command interface over it and suddenly gets credited for the whole invention.
They also have extended the dpkg system with PPAs which (last time I checked) Debian did not support out of the box.
PPAs are basically just extra entries in
fortune: No such file or directory