True, and the same is true for flatpak given that the author of the package controls the sandboxing.
The only solution is to have 1 or 2 trusted packagers to review the package, including its code - which is what some Linux distributions do.
Furthermore, Debian does a long release freeze for the stable release and a lot of users test it. A malicious package might well be spotted.
Contrast it with the very lightweight vetting that is done by others.
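As an added example (not part of the original comment, and not Flatpak's own tooling), a Python check of the kind a reviewing packager could run over a Flatpak app's `metadata` file (the text `flatpak info --show-metadata` prints): it parses the `[Context]` and `[Session Bus Policy]` sections and flags the permissions that make the sandbox largely nominal. The sample metadata and the `org.example.Editor` app id are constructed.

```python
import configparser

# Constructed sample of a Flatpak `metadata` file, in the INI format Flatpak uses.
SAMPLE_METADATA = """\
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08
command=editor

[Context]
shared=network;ipc;
sockets=x11;wayland;session-bus;
devices=dri;
filesystems=host;xdg-config/kdeglobals:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

# Permissions a reviewer should treat as "effectively unsandboxed".
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
BROAD_SOCKETS = {"session-bus", "system-bus", "x11"}

def parse_flatpak_metadata(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep D-Bus names such as org.freedesktop.Flatpak case-sensitive
    cp.read_string(text)
    return cp

def split_list(value):
    # Flatpak list values are ';'-separated and usually end with a trailing ';'.
    return [v for v in value.split(";") if v]

def sandbox_findings(text):
    cp = parse_flatpak_metadata(text)
    findings = []
    ctx = cp["Context"] if cp.has_section("Context") else {}
    for fs in split_list(ctx.get("filesystems", "")):
        name = fs.split(":")[0]  # drop :ro / :rw / :create suffix before matching
        if name in BROAD_FILESYSTEMS:
            findings.append(f"filesystem access: {fs}")
    for sock in split_list(ctx.get("sockets", "")):
        if sock in BROAD_SOCKETS:
            findings.append(f"socket: {sock}")
    if "all" in split_list(ctx.get("devices", "")):
        findings.append("devices: all")
    if cp.has_section("Session Bus Policy"):
        for bus_name, policy in cp["Session Bus Policy"].items():
            # Talking to the Flatpak service itself lets the app run commands on the host.
            if bus_name == "org.freedesktop.Flatpak" and policy in ("talk", "own"):
                findings.append("session bus: talk access to org.freedesktop.Flatpak")
    return findings
```

Run against a real app, feed the output of `flatpak info --show-metadata <app-id>` to `sandbox_findings`; an empty list means none of the listed broad permissions were requested, not that the app is safe.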