They even call themselves "next generation" while encouraging the 1990s "setup.exe" deployment model: no centralized management of security updates, no vetting process from a trusted 3rd party, large applications.
To be fair, that's true for all new-fangled package managers including Docker, and exactly what's painful about them: that they're trying to solve a problem (that of mixed libraries on Linux distros) by bypassing shared lib loading, thereby defeating the purpose of shared library loading (that of preventing stale/insecure libs) in the first place.
If that was the goal, why not just distribute statically-linked binaries or distribute into /opt package prefixes, which would be the natural solution? I guess there's no problem that can't be solved by another layer of abstraction, except the problem of too many layers of abstractions. Again, https://xkcd.com/927/ comes to mind.