
PyTorch and the PyPI supply chain

Posted Jan 12, 2023 8:58 UTC (Thu) by ms (subscriber, #41272)
In reply to: PyTorch and the PyPI supply chain by taladar
Parent article: PyTorch and the PyPI supply chain

Exactly this. I choose to use NixOS at home, at work, and on some of my servers. I have zero belief anyone in that project is reviewing upstream code changes. The prevailing attitude is very much "if it compiles, that'll do". Tbqh, I wouldn't be at all surprised if that's pretty much the same right across most distros, with the exception of some of the bigger commercial distros. And even then, I fully expect focus would be on the most critical packages - the kernel, libc, security libraries, xorg/wayland, mutt... - for obvious economic reasons.

I think everything really does just boil down to "you just have to trust other people". Yep, checksums, and version numbers, and all that goodness is great for verifying things don't change that you don't want to. I wouldn't want to be without that. But when I'm looking for a library to solve a particular problem, I look at the number of stars and forks, the rate of commits and who they're from, and the issue tracker, and that's my starting point for establishing trust. And I think it's a good thing: a society where the default behaviour is not to trust, not to give the benefit of the doubt, not to assume good, is not worth having.



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds