If I tell you that there's a remote code execution in libfoobar-1.03 through 1.15, how long does it take you to verify where libfoobar is installed, and what versions are in use? Remember, nobody ships an image layer of libfoobar, it's a common component, though not as common as openssl.
Is there one command, or one script, which can do that? You need that, basically daily.
Is there one command to rebuild with the new libfoobar-1.17, and at most one more to test for basic functionality? You need that, too.
I mean you're not gonna like the answer but in real life when herding cats the answer is setting up an image scanner and renovate, and calling it a day.
It's not like OS images are any better in this respect. I have bit my teeth long enough on software that depends on the base OS and not being able to do infra upgrades. Bifurcating responsibility into app/platform is a breath of fresh air by comparison.
....I can tell you which ones are used by the current linker on the system in what order.
ldconfig -p | grep libfoobar
If you go and spread the linkers all over hither and yon and make it nigh impossible to get results out of them, or don't bother to keep track of where you put things... Welp. Can't help ya there. Shoulda been tracking that all along.
Oh, excuse me... That'll only work for dynamically built things in the absence of statically linked stuff or clever LD_PRELOAD shenanigans.
Hope ya don't do that.
Fact is. You're really never going to get away from keeping track of all the moving pieces.
You're just shuffling complexity and layers of abstraction around.
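One way to answer the thread's "where is libfoobar installed, and what versions" question for on-disk shared objects, as an added example that is not code from any poster in this thread. It assumes a hypothetical file naming of libfoobar.so.MAJOR.MINOR and that the range 1.03 through 1.15 compares numerically on the minor number; the root directories are whatever unpacked image or host filesystems you point it at.

```shell
#!/bin/sh
# Added example: inventory libfoobar copies under a directory tree (for
# instance an unpacked image root filesystem) and flag the affected range.
# Assumption: files are named libfoobar.so.MAJOR.MINOR (hypothetical layout).

LIB=libfoobar
LOW_MINOR=3     # 1.03, first affected version named in the thread
HIGH_MINOR=15   # 1.15, last affected version named in the thread

# scan_root ROOT
# Prints one line per regular file found: "STATUS VERSION PATH".
# Symlinks such as libfoobar.so.1 are skipped so each copy is counted once.
scan_root() {
    root=$1
    find "$root" -type f -name "${LIB}.so.*" 2>/dev/null | sort |
    while IFS= read -r path; do
        # Version is whatever follows "libfoobar.so." in the file name.
        ver=${path##*/${LIB}.so.}
        # awk does the comparison so "03" is read as 3, not as octal.
        status=$(printf '%s\n' "$ver" |
            awk -F. -v lo="$LOW_MINOR" -v hi="$HIGH_MINOR" '
                NF != 2 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ {
                    print "UNKNOWN"; next }
                $1 == 1 && $2 + 0 >= lo && $2 + 0 <= hi {
                    print "VULNERABLE"; next }
                { print "ok" }')
        printf '%s %s %s\n' "$status" "$ver" "$path"
    done
}

# When run as a script, scan every root given on the command line.
if [ $# -gt 0 ]; then
    for r in "$@"; do
        scan_root "$r"
    done
fi
```

Like the `ldconfig -p` approach above, this only sees shared objects on disk; statically linked copies do not show up, and files with a version suffix it cannot parse are reported as UNKNOWN rather than silently passed.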