The major commercial Linux distributions (such as Red Hat, SuSE, Mandrake, etc.) and bundling vendors (such as OpenLogic's BlueGlue) maintain a large number of open source software packages as part of their core products. The reputation of each of these distributions depends entirely on the quality and security of each component. All of the vendors apply patches to the software before compiling, so effectively they maintain the included packages for you. You can rely on the vendors' desire to protect their reputation when using the open source software they distribute.
The difference from pure proprietary software is that, either through a desire to do the right thing or because of the terms of the license, changes made by the vendors get contributed back to the open source project's developers. If you see that the original developers are including patches from the vendors, or applying their own fixes for the same issues in a timely manner, then you can trust that software project independently of the vendor platform.
To a lesser extent, the same dynamics of reputation apply to "community" Linux distributions (Debian, Gentoo) and vendor "development" distributions (Fedora).
At some point, the developers of an open source project may go in a direction that the distribution vendors and end users disagree with. It is the licensing, which allows a fork of the project to develop, that sets the open source development model apart from the pure proprietary model. Apache, X.org and even the current version of the GNU GCC compiler toolset have all been derived from an outside fork of an existing open source project. No vendor or open source developer can block development for any substantial period of time without the risk of development being taken over by a descendant of the same project -- it's called evolution.
Any so-called analyst, or even a journalist who covers open source software, who cannot grasp the simple concepts above must be lacking in either competence or integrity.
- republish at will