> > IOW, if you don't want changes in your dependencies, then just don't
> > update them.
>
> This does not work.
>
> You often have to update dependencies for security reasons. Got a new
> gnutls or openssl or openssh with new ciphers you need to have a working
> program — will Guile 3 get updated to support them or will you be forced
> to migrate to Guile 4 to keep your tool working?
fork off Guile 3 into a branch, and backport those precious few security issues that you are suggesting will pop up. and if backporting any of the fixes is too much burden, then add a warning and leave it unpatched. it's not about destroying anything. it's about keeping engineering debt low, so that the invested human effort continues to give good yields. or in short: it's possible to end up in an inadequate state by erring in both directions (i.e. too much reluctance for cleanup, and too much eagerness for cleanup).
