Quote:
Originally Posted by eschwartz
I hope it is safe to assume they get properly vetted the first time even if later they slack off due to overload
It actually isn't. It is simply impossible for spare-time volunteers to review an entire decent-sized codebase for malicious code. In the case of calibre, a potential reviewer would need to read over half a million lines of code. That would take man-months of mind-numbing effort. I simply do not believe distro maintainers do that. You could ostensibly hire someone to do that, but even that does not really work; witness all the malware in the mobile app stores despite <large companies>' efforts to review submitted apps.
Instead, what happens in the typical distro for a typical application is that some app becomes popular, the distro's users contribute a user-created, distro-specific package, and the distro's maintainers then decide to use that as a base to make an official package. Depending on the distro, some maintainers will then try to review the package for compliance with licensing terms and do a quick automated search for common security/stability red flags. And then pull the trigger. Nowhere in this process is there even a hint of an effort to actively search for malicious code, which would likely be well camouflaged in any case.
Of course, I may be completely wrong and the distros might actually have access to an army of house elves to review hundreds of millions of lines of code, but I would be very surprised if that were the case.