by wvh
602 days ago
Does that not apply to anything in life? How difficult is it to get code into any open-source software package or distribution really? I work in high-security environments, and I'm always wondering how you can really guarantee that any Debian, Ubuntu or Arch developer is honest and not compromised themselves, any software package installed is 100% clean, and any software library module and container image is fully checked. And that's not getting into tin foil hat assumptions about a shady government agency having access to the major app stores, Github, common distributions or email hosters. There simply is no way anymore to check the several million lines of code even a minimal setup requires somewhere in the stack. Even an in-depth code review of a medium-sized web application – with deps – has already become a gargantuan task most companies simply can't afford.