by asdfghjhgfderty 1271 days ago
Nonsense.

autoconf didn't have a core developer, but it had many distro package managers.

There's nobody adding code/fixing bugs, but there are plenty of people reading and looking at diffs before packaging it in distros.

Then the JS libs have neither core maintainers nor anybody at npm corp that cares about security or reading anything.

The top comment is correct to care about those before system libraries.

2 comments

I don't agree. When there's a problem in OpenSSL, OpenSSH, or libc, nearly every company with an online presence has a freak-out and rushes to patch.

When there's a vulnerability or malware found in a Python or npm package, 75% of the tech world does a quick audit (or not), shrugs, and goes on with their day.

Why the weak words? "Reading" and "looking" are not "understanding".

IANADev, but surely if they were going as deep as understanding patches they'd practically be a project maintainer rather than a package maintainer. Expecting package maintainers to have even reviewed diffs seems like high expectations. I wouldn't expect them to do more than the actual packaging.

Weak words seem appropriate.

I've hacked together a couple of packages for personal use but didn't even go so far as to look at what language the code was in. I'm assuming a lot of packages from PPAs are produced in an automated way with no code review, and depending on your distro that might also be true of some principal libraries.