@lxoliva TBH I think it's the wrong perspective. Look at event-stream in npm as a good example of something that was in theory free software, and from the trusted upstream, being backdoored.
See Ka-Ping Yee's thesis on why auditing can't catch intentionally placed malware. http://zesty.ca/pubs/yee-phd.pdf
We need software freedom. But software freedom *is not enough* to protect and secure users. For the full suite of user freedom, we need security too; better architectures are also necessary for that.