There's two parts to that question. The first, "who updates it", isn't that dumb. For very small projects, a single person may write the code, publish it, and update the website, etc...For larger projects, there will be either a company or a non-profit "steering" committee that makes the technical decisions about what is included, what versions of software is included, etc... They will copy the source of the various components of the operating system, compile it, sign it with a GPG key, and upload it to their website. There will be a developer / porter in charge of one or more packages, probably an arch maintainer for the supported architectures, and finally a release maintainer who signs off on the final release. The second part. "can't somebody patch all the OS with a virus?" Yeah, that's pretty dumb. You can't do that for the same reason you can't sneak a virus into Windows Update. You don't have upload access to the servers that host the files, and even if you, say, hijacked a DNS server to point them at your own site, you don't have the cryptographic key used to sign the files. The operating system will immediately reject them. Being open source, yeah, you can compile your own, put your virus in it, and say "please download it" on some other site. But it'll be obvious it's not from the official project. And no one who already uses the official one will be affected.