by goodpoint
1751 days ago
> So it's unlikely they're auditing the entire distro.

No, you are oversimplifying the complexity of tens-of-million-dollar contracts by far. You can go from a simple and cheap indemnification (https://ubuntu.com/legal/ubuntu-advantage-assurance) to guaranteeing long-term backports for a small set of packages (https://www.cip-project.org/) to much bigger efforts. Some commercial distros and various internal-only distros have a legal team to do license review. That's just the first step. You can easily find job specs for security analysts in tech companies, or for system engineers hired to handle the software lifecycle. I opened the bug reports you are mentioning myself, and security advisories. I cannot name companies and colleagues, obviously, otherwise I would have done it already. The companies I work[ed] for rebuild entire ecosystems of packages and do legal review, but don't do security audits on things like games.