> That's like saying upstream doesn't make mistakes and all bugs are
> introduced by distributors.
It's not like that at all. Each person who modifies the code increases the chance of introducing errors. I'd prefer that the developers of the software review the patches that go into a program I use. Mistakes will still happen, but at least a process is in place where the people who know the program best can review what goes into it.
The Debian SSH problem is a great example. The packager did seek feedback from the OpenSSH team about their change and was told it was okay. But they continued to make further changes to a similar piece of code that introduced a security issue. Had that additional change been reviewed by the original developers, the chance of it being caught would have been increased.
> Just think of all the security holes distributors patch before any
> upstream developer even takes notice of them.
That sounds like a communication problem.
* Why did the distro packager not notify the upstream developer of the problem and coordinate a fix?
* Do other distro packagers know about this problem?
* Will this one distro have the fix while other distros and the official source will be vulnerable?
* How does the distro packager know that their fix doesn't introduce another bug, security hole, or damage functionality?
If multiple distro packagers know about the problem and are applying the patch, you are then duplicating work among distros. See drag's comment above about all of the effort that is duplicated and wasted between distro packagers doing the same task over and over.
> Also, I wouldn't trust upstream developers to package software correctly
> for the distribution I use unless all distributions are the same - in
> which case there wouldn't be any.
I'd trust them to package things if we created standards and processes to make packaging easy for them. The Linux Standard Base is supposed to provide such a standard. Maybe we as a community need to revisit such standardization and bring pressure upon distros and application providers to properly conform to said standards.
> And just look at the state of software packaging on Windows. Same base
> for all, no package management that deserves the name.
Windows' package management may pale in comparison to what Linux-based package systems provide, but it's far from broken. From an end-user perspective, it may be simple, but it works. For example, I can download Firefox or OpenOffice from the developer's web site and use the same package to install on a variety of Windows versions without issue. Removing a package is equally easy and problem free.
> Distributors only providing a base and upstream developers packaging the
> software themselves (which is a lot of work, btw!) would probably lead
> to something similar.
Plenty of open source and free software vendors successfully package and distribute working install packages of their software for Windows, and they install, work, and can be removed flawlessly.