
CS students are not expected to do security audits in production software.

And if they do, it will certainly not be exhaustive. Nor will it be at a pace in which software is typically released.



It's funny that you think proprietary code is audited.


Well, I suppose there is a tighter control on who is allowed to commit.


No, there isn't. In fact, proprietary projects are very happy to run "npm" or "pip install" or the Java/Go equivalents and install whatever.

I expect most projects don't even check they're not violating licenses or ever audit any dependency… let alone do a security check on who the authors are.

Also, just FYI, Russians are not stupid. If they want to contribute malware they won't do it from their KGB email address. They will create a fake identity with a very standard WASP name.


I don't think that's true. Accountability will give proprietary projects an extra edge in terms of security.


Plenty of people think the earth is flat. Unfortunately beliefs' power to shape reality is rather limited.


Is this your standard analogy when you disagree with someone?


Yes, but you have fewer people that can look at such commits. It's not so easy to claim that one is intrinsically more secure than the other. As someone in the cybersecurity field, I prefer FOSS software. But the situation is more nuanced than how you present it.


That is also why I wrote "people who study and work".

Security is generally better in Linux-based ecosystems than Windows.

Microsoft also doesn't do sec audits; if you want a sec audit on your stack then you buy it.

It just turns out that it is much easier to audit a Linux-based stack than a Windows-based one.



