Status and perspectives of the Asterisk package on Debian Bookworm

@tootai
Thanks for adding this link to Debian Bug 1031046: this is exactly what I was after.

From a general point of view, for many end users, the current Asterisk feature set perfectly matches their needs, and this has been the case for several years. These users don’t mind being several Asterisk versions behind as long as their system remains secure.
For them, the question is: what is the cheapest way to keep a system secure? Compiling from source doesn’t help unless the source code (and various tools to build the binaries) is also kept up to date.

From the Debian package maintainers’ point of view, the question is:
“How many CVEs impacting Asterisk 20.2 will be discovered within the next 3 years?
Who will check that the corresponding patches apply cleanly to Debian’s (lightly adapted?) Asterisk 20.2 and, if necessary, modify these patches so that they can then apply to Debian’s Asterisk 20.2?”

In the 1031046 bug report, the reporter mentioned 37 CVEs during 2021-2022. During this period, the Debian repo provided Asterisk 16.
So if I had to keep up, compiling from source for instance, I should have updated my Asterisk 16 source code at least 30 times (in case one new Asterisk 16.X.Y version corrects several CVEs).

That is certainly not a light task or a light commitment.