Building the software you rely on from source by default is one way to reduce the impact these events have on you and shift the power dynamic. If you're installing binaries/images from a vendor (free or otherwise), transitioning to a fork may be an undertaking and a sweaty risk-assessment.
Switching your existing build-infra to sync sources from a new remote should be a snap.
Also no major need to hound maintainers to ship a release or merge that neglected bugfix or feature you desperately need - just cherry-pick it.
This is one of the reasons I like Guix so much: its packaging system treats source builds as the normal case, with binary packages available via caching. So if you go to install a package and there's no cached binary, Guix will happily build it for you on the spot, with bitwise reproducibility if it can. You still get the benefits of prebuilt packages, but you always have that escape hatch.
This also means that it's trivial to install a patched version of a package through the same package manager as everything else. No dedicated build infra required (though of course if you're deploying to a large fleet you may want to set up some build servers to avoid the need for rebuilds on most machines).
Debian has been like this in practice for at least 25 years (when I first switched to it).
The builds weren’t reproducible back then, but never mattered in practice for me personally. Now, the vast majority of the packages have reproducible builds, which is good enough for me. (Though these days I’m using devuan because I’ve never seen a stable systemd desktop/laptop that uses .debs)
Debian isn't source transparent in the same way tho. (I'm mostly nitpicking). That said, the contributions that Debian has made in terms of reproducible builds can't be understated. They built a wonderful foundation for the likes of nix and guix to build on.
Depends on the actual software licence, many commercial vendors do provide source code, however the licence doesn't allow you to do whatever you feel like with code, even if technically it is possible to do so.
This happens a lot in commercial products where scripting languages are used, for example.
Or enterprise consulting as another example, where the code is delivered as part of the project, but it is bound to the agency for compiling purposes, unless the customer pays extra for that right.
IMO if you're a technical decision maker, you should ignore fair source/business source stuff with extreme prejudice. These are fundamentally incompatible with the goal of having autonomy for your systems.
Only pick these if they're non-critical, have a significantly higher RoI, or a high commodity item.
This whole discussion is about FLOSS projects where the right to "do whatever you feel like with code" is well established - even literally so, in the case of purely private/internal changes that are not distributed to or publicly performed for any third party.
It's not about ideology per se—the dark humor in my mind is that you're not just paying for software you run yourself, you're paying to not be able to modify it. There's a reason why that sort of arrangement is dying and SaaS is stronger than ever—paying to access a server at least makes more sense as a transaction, even if it is just about as economically inefficient.
Switching your existing build-infra to sync sources from a new remote should be a snap.
Also no major need to hound maintainers to ship a release or merge that neglected bugfix or feature you desperately need - just cherry-pick it.