I generally advise my clients to mostly trust open source with lots of well known and documented professional eyes on it like reproducible builds of programming language compilers, standard libraries, and well maintained OS kernels.
Where I normally have them focus their resources is on the often thousands of dependencies that are, mostly, written as hobby projects by randos.