@soller True, but it seems to me that without some sort of active auditing on every package included in a distro we sort of rely on luck as a general practice 🤷♂️.
Outside of distros taking all of this stuff in house and users deciding to trust them is there an alternative?