Additionally, distribution packages are tested by a significant number of users before the release.
Nothing of this sort happens around any language-specific package manager. You just get whatever happens to be around all software forges.
Unsurprisingly, there have been many serious supply chain attacks in the last 5 years, none of which affected the usual big distros.
I guess we can argue about "big" but didn't both Arch (https://lists.archlinux.org/pipermail/aur-general/2018-July/...) and Gentoo (https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident... and older, https://bugs.gentoo.org/show_bug.cgi?id=323691) have actual compromised packages? And also not five years ago, but Fedora (https://lists.fedoraproject.org/pipermail/announce/2011-Janu...) and Debian (https://www.debian.org/News/2003/20031202) had compromises but no known package changes.
MVS also prevents unexpected upgrades just because someone deleted a lockfile.
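To make the point about minimal version selection concrete, here is an added example (not code from the commenter or from the Go toolchain) that implements MVS over a small constructed requirement graph and contrasts it with a newest-in-range resolver of the kind a lockfile normally pins. The module paths, the published version list and the three-part semver comparison are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Module is a module path at one version, e.g. {"example.com/lib", "v1.1.0"}.
type Module struct{ Path, Version string }

// Requirements maps each module version to what its go.mod requires.
type Requirements map[Module][]Module

// parseVersion turns "v1.2.3" into [1 2 3]; missing or bad parts become 0.
func parseVersion(v string) [3]int {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	for i := 0; i < len(parts) && i < 3; i++ {
		n, _ := strconv.Atoi(parts[i])
		out[i] = n
	}
	return out
}

// versionLess reports whether a < b in (major, minor, patch) order.
func versionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// BuildList is minimal version selection: walk every module version reachable
// from main and, per module path, keep the highest version anyone requires.
// Nothing is chosen that no go.mod asks for, so the registry gaining a newer
// release (or a lockfile going missing) cannot change the result.
func BuildList(reqs Requirements, main Module) map[string]string {
	selected := map[string]string{}
	visited := map[Module]bool{}
	var walk func(m Module)
	walk = func(m Module) {
		if visited[m] {
			return
		}
		visited[m] = true
		for _, r := range reqs[m] {
			if cur, ok := selected[r.Path]; !ok || versionLess(cur, r.Version) {
				selected[r.Path] = r.Version
			}
			walk(r)
		}
	}
	walk(main)
	return selected
}

// LatestInRange is a simplified range resolver with no lockfile: each
// requirement is treated like a caret range and satisfied by the newest
// published version with the same major. Publishing a new minor silently
// changes what gets installed.
func LatestInRange(reqs Requirements, published map[string][]string, main Module) map[string]string {
	selected := map[string]string{}
	visited := map[Module]bool{}
	var walk func(m Module)
	walk = func(m Module) {
		if visited[m] {
			return
		}
		visited[m] = true
		for _, r := range reqs[m] {
			best := r.Version
			for _, v := range published[r.Path] {
				if parseVersion(v)[0] == parseVersion(r.Version)[0] && versionLess(best, v) {
					best = v
				}
			}
			if cur, ok := selected[r.Path]; !ok || versionLess(cur, best) {
				selected[r.Path] = best
			}
			walk(Module{r.Path, best})
		}
	}
	walk(main)
	return selected
}

// Constructed sample graph; the module paths are hypothetical.
var sampleReqs = Requirements{
	{"example.com/app", "v0.0.0"}:  {{"example.com/lib", "v1.1.0"}, {"example.com/util", "v1.0.0"}},
	{"example.com/lib", "v1.1.0"}:  {{"example.com/util", "v1.2.0"}},
	{"example.com/lib", "v1.2.0"}:  {{"example.com/util", "v1.3.0"}},
	{"example.com/util", "v1.0.0"}: nil,
	{"example.com/util", "v1.2.0"}: nil,
	{"example.com/util", "v1.3.0"}: nil,
}

// Versions present in the (constructed) registry, including ones nobody requires.
var samplePublished = map[string][]string{
	"example.com/lib":  {"v1.0.0", "v1.1.0", "v1.2.0"},
	"example.com/util": {"v1.0.0", "v1.2.0", "v1.3.0", "v1.4.0"},
}

func main() {
	app := Module{"example.com/app", "v0.0.0"}
	show := func(label string, list map[string]string) {
		paths := make([]string, 0, len(list))
		for p := range list {
			paths = append(paths, p)
		}
		sort.Strings(paths)
		fmt.Println(label)
		for _, p := range paths {
			fmt.Printf("  %s %s\n", p, list[p])
		}
	}
	show("MVS (fixed by the go.mod files alone):", BuildList(sampleReqs, app))
	show("newest-in-range, no lockfile:", LatestInRange(sampleReqs, samplePublished, app))
}
```

With this graph MVS selects lib v1.1.0 and util v1.2.0 even though lib v1.2.0 and util v1.4.0 exist, because no reachable go.mod requires them; the range resolver picks both newer versions the moment they are published. The hash verification that go.sum provides is a separate concern from version selection and is not modelled here.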
What has happened in the package ecosystem to make you believe this? Is it velocity of updates or actual trust?
I haven’t heard of any malicious package maintainers.
For other kinds of quality, I have my own tests which are much more relevant to my use cases than whatever the distro maintainers are doing.
I've been a DD and while distros do work to integrate disparate upstreams as well as possible, they rarely reject packages for being fundamentally low quality or make significant quality judgements qua their role as maintainer (only when they're a maintainer because they're also a direct user). Other distributions do even less than Debian.