Reply to post: Re: But.. you have the sourcecode right ?

Credit-card-stealing, backdoored packages found in Python's PyPI library hub

unimaginative
Linux

Re: But.. you have the sourcecode right ?

Who wrung their hands and said you should read the source code?

The point is that people can read the source code, and someone should read it. Even more, people should check what they are installing - a lot of issues come from automatic installation of a tree of dependencies.

It's very rare for this to happen with things like Linux repositories and similar because packages can only be created by trusted maintainers (not anyone who registers an account), and that also means dependencies are only available if packaged by someone from that trusted pool. When was the last time someone got malicious code into Debian or Red Hat official repos? Or OpenBSD?

Using proprietary software will not help because it now incorporates vast amounts of open source.

Obligatory XKCD: https://xkcd.com/2347/

You are right insofar as someone should be checking. The language repos are too large and too focused on having as much available as possible to do that.

What developers can do is to minimise dependencies (so do not use a library for something you could implement yourself - leftpad), use only trusted dependencies, and to check what their indirect dependencies are (there are tools to do this).

I also think there are some bad practices among developers. For example, it is regarded as best practice with python virtualenvs to install everything in the env and block access to system packages (not use --system-site-packages). I prefer to use system packages where possible and get the automatic updates from the OS and scrutiny from OS package maintainers.
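The post says there are tools for checking indirect dependencies. As an added example (not code from the commenter, The Register, or any project mentioned in the article), the following script does that check with nothing but the Python standard library: it walks the Requires-Dist metadata of every installed distribution, computes the transitive closure from a chosen root, and splits the result into a trusted set (for instance OS-packaged distributions the reader has vetted) and an untrusted set that still needs reading. The SAMPLE_GRAPH, TRUSTED allowlist and package names such as unvetted-util are constructed for illustration and are not real package metadata; the installed_graph() function reads whatever is actually installed in the interpreter that runs it.

```python
"""Transitive dependency audit for installed Python distributions.

Standard library only (importlib.metadata); no pip or packaging needed.
Added example, not part of the original comment.
"""
from __future__ import annotations

import re
import sys
import importlib.metadata as md

# A Requires-Dist entry looks like "requests (>=2.0) ; extra == 'socks'"
# or "urllib3<3,>=1.21.1"; only the leading distribution name is needed.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_EXTRA_RE = re.compile(r"\bextra\s*==")


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(req: str):
    """Normalized name of a Requires-Dist entry, or None when the entry is
    only pulled in for an optional extra and so is not installed by default."""
    name_part, _, marker = req.partition(";")
    if _EXTRA_RE.search(marker):
        return None
    m = _NAME_RE.match(name_part)
    return normalize(m.group(1)) if m else None


def installed_graph() -> dict[str, dict]:
    """Map each installed distribution to its non-extra dependencies and the
    directory it was installed from (useful for telling venv and OS packages
    apart, since OS-managed ones live outside a venv's sys.prefix)."""
    graph: dict[str, dict] = {}
    for dist in md.distributions():
        try:
            name = normalize(dist.metadata["Name"])
        except (KeyError, TypeError):
            continue  # broken or partial metadata; skip rather than guess
        deps = {d for d in map(parse_requirement, dist.requires or []) if d}
        graph[name] = {"deps": deps, "location": str(dist.locate_file(""))}
    return graph


def transitive_deps(graph: dict[str, dict], root: str) -> set[str]:
    """All distributions reachable from root (root itself excluded).
    Tolerates cycles and dependencies that are declared but not installed."""
    root = normalize(root)
    seen: set[str] = set()
    stack = [root]
    while stack:
        for dep in graph.get(stack.pop(), {}).get("deps", ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(root)
    return seen


def audit(graph: dict[str, dict], root: str, trusted) -> dict[str, list[str]]:
    """Split root's transitive dependencies into what is on the trusted
    allowlist and what still has to be read; 'missing' lists declared
    dependencies that are not installed at all."""
    deps = transitive_deps(graph, root)
    trusted_n = {normalize(t) for t in trusted}
    return {
        "trusted": sorted(deps & trusted_n),
        "untrusted": sorted(deps - trusted_n),
        "missing": sorted(d for d in deps if d not in graph),
    }


# Constructed sample graph (not real metadata): myapp depends on requests,
# whose tree is on the allowlist, and on unvetted-util, which pulls in a
# second unvetted package, forms a cycle with it, and declares one
# dependency that is not installed.
_SYS = "/usr/lib/python3/dist-packages"
SAMPLE_GRAPH = {
    "myapp": {"deps": {"requests", "unvetted-util"}, "location": "/venv/lib"},
    "requests": {"deps": {"urllib3", "certifi", "idna", "charset-normalizer"}, "location": _SYS},
    "urllib3": {"deps": set(), "location": _SYS},
    "certifi": {"deps": set(), "location": _SYS},
    "idna": {"deps": set(), "location": _SYS},
    "charset-normalizer": {"deps": set(), "location": _SYS},
    "unvetted-util": {"deps": {"unvetted-core", "not-installed-pkg"}, "location": "/venv/lib"},
    "unvetted-core": {"deps": {"unvetted-util"}, "location": "/venv/lib"},
}
TRUSTED = {"requests", "urllib3", "certifi", "idna", "charset-normalizer"}


if __name__ == "__main__":
    # Usage: python depaudit.py <installed-distribution-name>
    root = sys.argv[1] if len(sys.argv) > 1 else "myapp"
    graph = installed_graph() if root != "myapp" else SAMPLE_GRAPH
    for bucket, names in audit(graph, root, TRUSTED).items():
        print(f"{bucket:>9}: {', '.join(names) or '-'}")
```

Run it with a real distribution name (for example `python depaudit.py pip`) and it audits the live environment; with no argument it audits the constructed sample. The allowlist is deliberately a plain set: in practice it would be the list of distributions the OS vendor ships, which is exactly the pool the comment prefers to rely on.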
