Debian discusses vendoring—again

1. Many upstream's idea of "LTS" is far shorter than Debian's idea of regular support.
2. While some projects may be on top of security issues in their dependencies I would wager the majority are not.

For Firefox they have resorted to moving to new upstream "LTS" release series within stable releases of the distro, that it just about tolerable for an end-user app like Firefox but it's really not reasonble for things that are key infrastructure components (and even for firefox it's problematic because firefox updates force rustc updates...........)