openSUSE is IMO relatively close to that, due to their superior packaging system (it's best one I know).
So if you use normal release (not tumbleweed) you are fixed to the package versions when suse was released, but you can go to OBS[1] where you can obtain latest version of software. Their 3sat dependency solver makes sure that dependencies are resolved correctly. Another interesting thing is that they group package upgrades into patches, with description and other details. You can for example issue zypper patch --have <cve> and instead everything that resolved specific vulnerability. I also love zypper ps showing which processes need to be restarted after the upgrade.
[1] http://software.opensuse.org which is like github for packages (it supports other distros as well) most packages are there in latest versions.
The wonderful thing about OBS is you can branch a package, make modifications to your personal version, and add that new repo as a source for zypper to pull from, incredibly easily. PPA's and Launchpad are orders of magnitude more complicated to do the same task.
So if you use normal release (not tumbleweed) you are fixed to the package versions when suse was released, but you can go to OBS[1] where you can obtain latest version of software. Their 3sat dependency solver makes sure that dependencies are resolved correctly. Another interesting thing is that they group package upgrades into patches, with description and other details. You can for example issue zypper patch --have <cve> and instead everything that resolved specific vulnerability. I also love zypper ps showing which processes need to be restarted after the upgrade.
[1] http://software.opensuse.org which is like github for packages (it supports other distros as well) most packages are there in latest versions.