For large open-source security-focused projects like Kali Linux, we’re told there are no backdoors, but with millions of lines of code, how can we actually verify that? Full manual auditing isn’t feasible for most individuals.

Some thoughts/questions:

Are reproducible builds and supply-chain audits enough to trust the binaries?

What strategies exist for spotting subtle backdoors in such large codebases?

For hardware, how do you approach the risk of compromised firmware, microcode, or hidden subsystems (e.g. Intel ME, AMD PSP)?

Do projects like Coreboot, Heads, or formally verified kernels meaningfully reduce this risk in practice?

Beyond reading every line yourself, what’s the best way to build confidence?

How much trust (percentage-wise) do you personally put in OSS security projects or commodity hardware, and what technical mitigations do you use to minimize blind trust?