You are assuming that they are competent and paying attention. The fact is the libre community is full of mentally ill trannies that are more likely to inject bad code than they are to report or fix it.
Why do people trust binary distros?
>(((community))) actually applies patches users submit
you might as well just ignore your particular flavor of linux's bug tracker and just go straight upstream, the xir's there might actually pay attention to your concerns, but probably not, they'll be more concerned that you get their pronouns right.
oh and let's not forget
NOTABUG WONTFIX
...
18 months later
What's easier and less likely to be discovered, trying to commit a malicious patch on github or starting a distro like antiX, Artix, Hyperbola, Obarun or MX Linux and patching the software from the upstream with your malicious piece of code before compiling it and distributing it as a binary?
Compromising a package maintainer or having an agent work hard to gain trust and become a package maintainer himself may not be easier, but it's still less likely to be discovered if pulled off correctly, and come on, it's the fucking CIA, they can pull something like that off. It's just a question of whether it would pay off, and in my opinion it would; as I said, imagine how beneficial it would be for them to own a Debian package maintainer (less likely) or a Fedora package maintainer (definitely likely) or have a man in the right position on the Mint or Ubuntu project.
You're now talking as if those kinds of people aren't a small minority of FOSS devs.
And all the important shit worth compromising is in the hands of competent devs, not mentally ill trannies.
And even if the mentally ill trannies were in charge of a program worth compromising, they may produce some low quality code, but those commies at least wouldn't sell themselves to American law enforcement agencies.
And again, what's easier, searching for exploits or just patching the code and distributing a malicious binary?
Hi reddit
Actually this is still easier than trying to commit a malicious patch to something that competent devs are in charge of.
And even if they manage it, again, what's more effective?
Pushing some patch that opens up a small vulnerability that can be exploited and used in roundabout ways before it's inevitably discovered or literally imbuing the upstream code with spyware before distributing the binaries that no one is taking a good look at?
...
...
Anyone can read build scripts. Gentoo has enough people who read ebuilds or who are likely to read them; each ebuild is likely to be read by someone other than its maintainer at some more or less close point in time, especially the important ones; even if an ebuild is somehow compromised, someone will eventually discover it.
I myself had to read the ebuild on two separate occasions.
Trying to compromise a build script doesn't pay off.
Nobody "reads" binaries though.