Android, Debian & Ubuntu Top List Of CVE Vulnerabilities In 2016


  • #31
    Originally posted by aht0 View Post

    Technically, it actually does. Distributor of the Kubuntu chose to do things this way, thus "vulnerability of Kubuntu". It's also in the distributor's hands to fix it. Quite a lot of stuff "varies" from distribution to distribution, is somehow customized etc. It's even logical. You ARE/WERE vulnerable.
    Well, there's an option during installation to either choose it or not. However, it seems those CVE details are nothing but bullshit. It seems it counts many non-default packages as well. Debian:

    https://www.cvedetails.com/vulnerabi...ian-Linux.html

    wireshark, nginx, apache and so on are counted as Debian bugs! Similar thing when it comes to Ubuntu, where old versions of Firefox are counted as well. Good job moronix.



    • #32
      Originally posted by Pawlerson View Post

      Well, there's an option during installation to either choose it or not. However, it seems those CVE details are nothing but bullshit. It seems it counts many non-default packages as well. Debian:

      https://www.cvedetails.com/vulnerabi...ian-Linux.html

      wireshark, nginx, apache and so on are counted as Debian bugs! Similar thing when it comes to Ubuntu, where old versions of Firefox are counted as well. Good job moronix.
      - but the packages themselves are from official repo, not from some 3rd party repository?
      - if you don't like it, don't visit it. It's not like somebody is pointing a gun at you... ˇˇ

      EDIT:
      I did check BSD CVE bugs. Despite existence of binary packages, only OS specific stuff seems to be listed, well except for 1 PHP vulnerability. I am pretty sure desktop-related packages would have provided plenty of bugs for listing.

      This "DB" does not seem to be "complete" and/or is really haphazardly managed.
      https://www.cvedetails.com/vulnerabi...6/Freebsd.html
      Last edited by aht0; 05 January 2017, 08:03 AM.



      • #33
        Originally posted by aht0 View Post

        Are you claiming that security flaw which happens to hit non-Kubuntu-specific-code is not really security flaw at all?
        No, I never said that. Read again.
        I said it was an upstream security flaw and not a distributor security flaw.

        If you buy a Samsung Note 7 with a non-reliable battery, do you blame the retailer or Samsung?

        For the record, I really wish things operated the way you are describing. But the reality is that they don't. Distributions only hold themselves responsible for their own code.

        Last edited by Guest; 05 January 2017, 09:33 AM.



        • #34
          Originally posted by hussam View Post
          No, I never said that. Read again.
          I said it was an upstream security flaw and not a distributor security flaw.

          (1) If you buy a Samsung Note 7 with a non-reliable battery, do you blame the retailer or Samsung?

          For the record, I really wish things operated the way you are describing. (2) But the reality is that they don't. Distributions only hold themselves responsible for their own code.
          (1) Subcontractor who manufactured the batteries. Samsung just takes all the blame. You would not believe how hard it is to find quality aftermarket batteries which are not dangerous for yourself. 99% are just fake or recycled junk. Mentality that it's okay seems to creep among sub-contractors as well recently. Samsung was just stupid trying to engineer its hardware to "the limits" of battery specs, which were as far from reality as random porn star from virginity. Samsung's first "fix" was to try to limit the battery capacity to 60% or so, if I recall it right. It shows the battery being used in it was much crappier than it should have been.

          (2) In BSD they do. It probably has also affected how I think about it. Port maintainer is responsible for the currency of his chosen piece of software. Also he/they is/are responsible for providing tech support for it. Never mind, it's not actually important here.
          Last edited by aht0; 05 January 2017, 11:01 AM.



          • #35
            Originally posted by aht0 View Post

            - if you don't like it, don't visit it. It's not like somebody is pointing a gun at you... ˇˇ
            I just hate when Phoronix spreads his FUD from time to time (for clickbait and Google popularity).* It's not always that bad.

            EDIT:
            I did check BSD CVE bugs. Despite existence of binary packages, only OS specific stuff seems to be listed, well except for 1 PHP vulnerability. I am pretty sure desktop-related packages would have provided plenty of bugs for listing.

            This "DB" does not seem to be "complete" and/or is really haphazardly managed.
            https://www.cvedetails.com/vulnerabi...6/Freebsd.html
            Glad you see this. For one OS they're listing only core CVE bugs and for other they're listing many more, so it's not comparable. However, it didn't stop Phoronix from making stupid claims, but *
