If Debian (or whatever org/group/project/initiative that) provides the images has a security policy, they can extend that to the images too.

Users don't run CVE checkers [0], at best they reluctantly click on the update button. Of course the authoritarian evergreen auto-update thing is what actually works in practice.

For example as much as snap's UX sucks it does auto update by default.

[0] Though they could, as files in container images are trivially accessible, after all it's their purpose. Plus there are metadata based approaches: https://github.com/TingPing/flatpak-cve-checker (plus the Flatpak project already spends some energy on ensuring that the base image is chechekd against CVEs https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/jobs/18... ) of course duplicating this effort, and building a parallel world besides packages is not ideal

No because that’s not the model of Flatpak. If that library is in a runtime then that runtime is patched and updated. If that library is is part of the application then the app is patched and updated.

Just pretend that all Flatpak apps were statically linked. Would you have the same complaints? Or would you say that version $x of this app is also affected by the CVE?

In one situation you run apt update and another you run flatpak update.

> Just pretend that all Flatpak apps were statically linked. Would you have the same complaints?

Yes. The work required to backport and test security fixes in any library or any other component in every stable release train of a flatpak (or a fat binary) is simply not being done.

Most upstreams barely handle vulnerabilities affecting #head.