> The problem is that there's no overt way to tell whether the "car" (code) you're looking at is someone's experimental go-kart made by lashing a motor to a few boards, or a well tested and security analyzed commercial product, without explicitly doing those processes on your own.
Yes you can, companies just don't like the answer.
To run with that analogy, if you are setting up that taxi company, will you build your fleet by picking up free gokarts around the neighborhood, or by purchasing cars from a known manufacturer who has gone through crash testing etc?
Not particularly different for software. If you need certified quality, you need to pay the providers fairly substantial amounts of money for that.
You would note that known manufacturers only sell non-repairable insecure spyware on wheels and instead pick up the libre gokart designs the groups of neighborhood kids made, build a few of them, try them out, figure out all the safety/repairability/design flaws, fix those, publish your fixes (either back to the kids or in forks), hire some of the kids, start selling services, share some of your profits with the kids whose designs you chose, and otherwise help the community around the original designs etc.