I trust that amongst thousands of people with different incentives at least one will raise their voice if something is not right. At least more so than I trust a corporation with, in this case, the wrong incentives to self-regulate to my expectations.
Which is not to say that that's not a valid approach - but for it to work we need better tools to handle lots of git repos at once (for example, the ability to get notified about any new code on GitHub that affects your project would be pretty cool, especially if it's coming from people or organisations you haven't explicitly marked as trusted yet).
I would like to see someone try and sneak rogue commits into Linux. It would be quite the feat.
What? Who "injected" what and when?
As is tradition, just read "reflections on trusting trust":
If you can be confident that Project Alias does not have network access, then the worst possible scenario, even if the developers are literally Satan, is that Google Home would be doing exactly what it does without Project Alias attached.
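The argument above only holds if you can actually confirm the device has no network path out. One defender-side check is to audit the Pi's TCP table for established connections to non-loopback peers. The script below is an added example, not code from this thread or from Project Alias; it assumes the Linux `/proc/net/tcp` format (IPv4 only, addresses stored as little-endian hex), and the embedded sample table is constructed for illustration.

```python
"""Audit a Linux host (for example a Raspberry Pi) for established TCP
connections to non-loopback peers by parsing /proc/net/tcp.

Added example: the SAMPLE table below is constructed, not captured from any
real device, and the IPs are from documentation ranges."""
import socket
import struct
import sys

# Socket state codes as used in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: one loopback DNS listener, one loopback connection,
# and one established connection to an external peer on port 443.
SAMPLE = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0",
    "   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 20 4 30 10 -1",
    "   2: 1401A8C0:D431 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1",
])


def _decode_addr(hex_addr):
    """'0100007F:0035' -> ('127.0.0.1', 53).

    /proc/net/tcp writes the IPv4 address as a little-endian 32-bit hex
    value, so we unpack it as '<I' before handing it to inet_ntoa."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return a list of {'local', 'remote', 'state'} dicts, one per socket."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with an entry number like '0:'; skip the header
        # and any blank lines.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        entries.append({
            "local": _decode_addr(fields[1]),
            "remote": _decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
        })
    return entries


def remote_connections(entries):
    """Established sockets whose peer is not on the loopback network."""
    return [
        e for e in entries
        if e["state"] == "ESTABLISHED" and not e["remote"][0].startswith("127.")
    ]


if __name__ == "__main__":
    # Pass a path (normally /proc/net/tcp) to audit a live host; with no
    # argument the constructed sample is used so the script runs anywhere.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            table = fh.read()
    else:
        table = SAMPLE
    for conn in remote_connections(parse_proc_net_tcp(table)):
        print("%s:%d -> %s:%d" % (conn["local"] + conn["remote"]))
```

Run it as `python3 audit_tcp.py /proc/net/tcp` on the device; an empty result over a period of normal use (and the same check against `/proc/net/tcp6` and `/proc/net/udp`, which use the same layout) is the kind of evidence the "no network access" premise needs, whereas any external peer shows the premise is false.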
Project Alias whispers to my Amazon Echo "Call Secret Project Alias Man in the Middle"
Project Alias requires no network connection to do nefarious things.
So yeah, this project turns the raspberry pi into an internet connected listening device.