by throwaway08320 2963 days ago
While full auditing is impossible for any distribution, Debian has multiple people eyeballing code.

Apart from the package maintainers and contributors, the Security Team can also review critical packages and step in if something looks suspicious.

But, most importantly, the release cycle and the long freeze before releases is all about STABILITY and SECURITY.

Anybody can upload backdoored code on npm/PyPI etc, infect someone and then remove the malicious release without being detected.

Releasing something malicious or with serious bugs before a freeze cycle and going undetected for months is not impossible but much more difficult.