>And if you're using Ubuntu, you're trusting package managers, and if you're using Gentoo, you're trusting original developers
This is correct. Consider, however, the motivations of the people involved. Apple's motivations are to make money from you. Debian's motiviations (intentionally avoiding Ubuntu here) are to make a good user-centric system. Packages are signed by named individuals that I can personally get to know and trust, and with an accessible process - I can download their package sources and build or verify or tweak them the same way that the maintainer can, report bugs and ask questions directly to them, etc. I trust this model much more than I trust the model of a company who, at the end of the day, has a bottom line and will make compromises to ensure it remains where they need it.
Apple is very well known for using proprietary formats, adapters, you name it. Apple's cloud is also write-only, they intentionally make it difficult for you to pull data out of it and interop with other services. These decisions serve the company's interests, not yours.
Who do you think employs vast majority of Linux developers? Who do you think writes they paychecks? Ever looked into who the biggest Red Hat customer is? Hint, it's the DoD.
It doesn't really matter if you do. OpenSSL is one example showing there are critical mistakes of grand level everywhere, same as there might be cleverly hidden backdoor in that multi-100k source tree (or any of the myriad of dependencies) you "audited".
This is correct. Consider, however, the motivations of the people involved. Apple's motivations are to make money from you. Debian's motiviations (intentionally avoiding Ubuntu here) are to make a good user-centric system. Packages are signed by named individuals that I can personally get to know and trust, and with an accessible process - I can download their package sources and build or verify or tweak them the same way that the maintainer can, report bugs and ask questions directly to them, etc. I trust this model much more than I trust the model of a company who, at the end of the day, has a bottom line and will make compromises to ensure it remains where they need it.
Apple is very well known for using proprietary formats, adapters, you name it. Apple's cloud is also write-only, they intentionally make it difficult for you to pull data out of it and interop with other services. These decisions serve the company's interests, not yours.
>how often do you audit source code?
You would be surprised!