This is a good thing to consider when picking Linux distros. Who are the maintainers, is maintenance done in the open, do they enforce reproducible builds, how is the review process done, what are the requirements for maintainers/packages/releases?
You also have the option of building from source yourself. Some package managers and distros (Gentoo, NixOS, Guix) do this for you.
This is BTW the main reason I wouldn't use derivative distros for anything serious.
Debian's generally trusted in the community - their slow pace comes from risk-aversion.
> The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?
Pretty much, packaging is not a brainless process. One of the efforts that specifically targets this is the Reproducible Builds project [0], along with many other security measures set by each distro.
There are also usually multiple testing and updates rolling stages.
The best evidence of how effective these measures are is the distro's actual reputation and record on the ground.