> My reason was to get a first order approximation of "vulnerability surface" based on the assumption that more packages would probably imply more things to have vulnerabilities.
Hmm, I'd think the opposite - DEs with a large number of dependencies are probably well factored and following good development practices, DEs that are a giant blob of undifferentiated C would seem much more likely to have vulnerabilities.