They do to some extent in the larger distros, but for proprietary/binary packages they don't have much chance anyway unless they are willing to do some pretty time-consuming forensics.

It'd be a gargantuan effort to do it for every package, most times it's just a version + hash update and maybe a test.

I do, and I work at a security company. But thanks for knowing more about my life than myself, random internet person.

This is false.

Plus the app developers at least have some level of accountability. Like when JWZ got into it with Debian (can't link here). You might think you are running XScreensaver from the great Zawinski, but no you are actually running some weird fork from godknowswho, hopefully not Jia Tan.

XScreensaver is supposed to hide your desktop and Jia Tan is an expert at hiding things, so I think they'd be a perfect match.

You got downvoted but yes, it's quite sad when distros release a package under the same name as the original but with their own set of patches. I think they should rename the package when they do that, even just a prefix/suffix with the distro name would be nice.

No user cares. If they cared they would be building everything from scratch :)