> So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.
There's lots of latent checking. When people look at the code for any reason, they might spot the spyware (if there is spyware).
And there are spot checks when there's a suspicion. Someone accused me last year of running a site which sent info to a third-party server. I checked the code (it was WordPress) and found that the person was wrong.
The risks are pretty high since one person can remove the spyware and distribute a spyware-free version, so the original developer will lose face and will cease to be the upstream source of the software. With risks that high, latent checking and spot checks are generally enough to dissuade developers from putting in spyware in the first place.