Distributions handle this for you. Installing your software through a distro, instead of getting it from each individual software authour, means that you trust one organisation instead of hundreds of individuals.

For instance, Debian has a strict set of guidelines for Debian developers (who have the right to upload packages). They will be familiar with the software they are packaging, are often independent from the upstream authours, and are expected to check the package for various issues, including licensing, security, version incompatibilities etc. In addition, every upload is signed, so you can see who is responsible for everything.

And when something slips through, as almost happened with xz, the analysis and recovery all happens completely in the open. There may not have been enough eyes on xz to prevent the vulnerability in the first place, but once it was discovered, there were at at least hundreds of people dealing with the aftermath, all in the open.

Compare this with proprietary software, where you’d be lucky if such a vulnerability was even disclosed, vs just silently patched.

Yep

I can highly recommend Mythic Beasts (UK).

There is no upsell or variable pricing and they make money by charging a flat rate on top of the cost from their supplier. See this blog post for more info