This is why I'm not a fan of debian. (I assume OP got that version from debian because I can't think of any other reason they wouldn't have used latest.) They packaged Caddy, but they never update at the rate we would reasonably expect. So users who don't pay attention to the version number have a significantly worse product than is currently available.
Stable/tested but not latest version. Or unstable/untested but latest version. Chose one.
The distribution you chose, also makes you make that choice. If you're using Debian Stable, it's because your prefer stable in favor of latest. If you use Debian Testing/Unstable, you favor latest versions before stable ones.
Can't really blame Debian as they even have two different versions, for the folks who want to make the explicit decision.
I don't call an old version with known bugs to be "stable/tested". No actual fixes from upstream are being applied to the debian version. There are known CVEs that are unpatched in that version, and it performs worse. There's really no reason at all to use such an old version. The only patches debian applied are the removal of features they decided they don't like and don't want packaged. That's it.
By that definition, almost no software in Debian could be called "stable", as most software has at least one known bug.
When people talk about "stableness" and distributions, we're usually referring to the stableness of interfaces offered by the distribution together with the package.
> There's really no reason at all to use such an old version
Sometimes though, there is. And for those people, they can use the distribution they wish. If you want to get the latest versions via a package repository, use a package repository that fits with what you want.
But you cannot dictate what others need or want. That's why there is a choice in the first place.
Stableness of interfaces is supposed to imply the software version is still maintained though. E.g. how stable kernel versions get backports of fixes from newer versions without introducing major changes from the newer versions. It's not meant to mean you e.g. get an old version of the kernel which accumulates known bugs and security issues. If you want the latter you can get that on any distro, just disable updates.
But you're right people are free to choose. Every version is still available on the Caddy GitHub releases page for example. What's being talked about here is the default behavior not aligning with the promise of being a maintained release, instead being full of security holes and known major bugs. It's unrelated to whether Debian is a stable or rolling distro rather about the lack of patches they carry for their version.
> Stableness of interfaces is supposed to imply the software version is still maintained though. E.g. how stable kernel versions get backports of fixes from newer versions without introducing major changes from the newer versions. It's not meant to mean you e.g. get an old version of the kernel which accumulates known bugs and security issues. If you want the latter you can get that on any distro, just disable updates.
I'm sure the volunteers working on this stuff is doing the best they can, but stuff like this isn't usually "sexy" enough to attract a ton of attention and care, compared to other "fun" FOSS work.
Do you have an example of a CVE affecting Caddy that's not patched in Debian? In my experience they've been pretty responsive to security reports, including in the "long tail" of obscure / buggy packages.
We have our own apt repo which always has the latest version: https://caddyserver.com/docs/install#debian-ubuntu-raspbian