OneMeaningManyNames@lemmy.ml (OP) to Asklemmy@lemmy.ml • What bias are there, targeting Open Source specifically?
How so? What do you recommend then?
OK, if you insist, let’s point out that just because people can look at the code and find vulnerabilities, this does not mean they automatically do. Just because it is open source, it does not automatically mean it is secure or private. I hope everybody reading this understands that. On the other hand, there are analyses on why the XZ thing happened, for example this one looking at bullying in the community and pressure for fixes. Without following the communities regularly and researching, there is no point in being a passive consumer of open source products. Having said that, with proprietary software the opportunity to audit the code is not even there to start with, e.g. you have to take the word of a provider like Microsoft or Telegram for their encryption. Let’s not forget to address the misconception that viruses can’t be written for Linux. They can. Also, persistent actors are willing and able to compromise open source and even air-gapped systems.