urbit won't necessarily solve the personal web server costs too much to run piece of this although with the right specialized for urbit hosting provider it is solvable.
urbit does help solve some of the mailserver woes though. Since identity is a first class citizen spam is theoretically more controllable. No one can spoof an address in urbit because your address is cryptographically verifiable. If your urbit get's blacklisted you lose a real investment so it's in your economic interest to not be a bad citizen.
urbit in theory will make distributed true peer2peer social networks possible in a way that the traditional attempts have not. Mostly because they move identity ownership out of the application and into the networking stack itself. In urbit you own both your identity and your data and can run any application you want against them without having to give up your control over either of them. No one can pretend to be you. No one can remove your ability to login or access your data. The most anyone can do is refuse to accept networking traffic that comes from you. They can ignore you and that's it.
In urbit a social network can have automatically sharded data by user since allowing each urbit ship to store that data but still use the same social networking application to operate on it really is trivial.
Keeping the software updated on your urbit is automatic and done without interrupting service. Maintenance is almost non-existent.
No more scary than when you use apt on a debian machine to keep things up to date. However this time you have the added benefit of being able to rollback to a previous version of the software with the same ease and also of being able to trace the source of your software to a cryptographically verifiable entity.
1. Has a limited subset of people who can upload packages. Becoming one of these people is hard.
2. Has strict rules about package quality. A detected attempt to upload malicious package will cause uploader's privileges to be removed.
3. There a is trusted group of people who have the authority over all packages and who can remove the bad ones. Anyone can contact them and point out that the change is malicious, and they will listen.
4. There are enough people who look at the package changes who will detect malicious packages.
None of them are true for Chrome extensions / urbit code (unless there is something I have not noticed):
1. Anyone with (google account | urbit identity) can upload packages.
2. There are no rules about package quality (until recently, google support did not care about ad injectors for example).
3. There is no trusted third party to deal with bad packages (again, until recently google support did not care except for most obvious cases)
4. Since number of packages is so high, and it is for "everyone", most package changes will never be looked at.
All of your points in favor of debian's system really only apply if only use Debian's official package repositories. Something that you can absolutely do in Urbit as well. Nothing says you have to pull packages from every possible location out there. Urbit can absolutely have it's share of official repositories of applications with the same quality and safety guarantees that Debian has. And indeed many of the apps you get already come from a default official source. The star or galaxy you got your ship from.
urbit does help solve some of the mailserver woes though. Since identity is a first class citizen spam is theoretically more controllable. No one can spoof an address in urbit because your address is cryptographically verifiable. If your urbit get's blacklisted you lose a real investment so it's in your economic interest to not be a bad citizen.
urbit in theory will make distributed true peer2peer social networks possible in a way that the traditional attempts have not. Mostly because they move identity ownership out of the application and into the networking stack itself. In urbit you own both your identity and your data and can run any application you want against them without having to give up your control over either of them. No one can pretend to be you. No one can remove your ability to login or access your data. The most anyone can do is refuse to accept networking traffic that comes from you. They can ignore you and that's it.
In urbit a social network can have automatically sharded data by user since allowing each urbit ship to store that data but still use the same social networking application to operate on it really is trivial.
Keeping the software updated on your urbit is automatic and done without interrupting service. Maintenance is almost non-existent.