How are large open source projects kept secure?


I read that the Linux kernel has 29 million lines of code. How does one know for sure that there are no unnecessary lines of code in some files that allow backdoor access or something else?


9 Answers

Anonymous

Access to the main code repository is still restricted to a short list of people. In the case of the Linux kernel, there is one master copy held by Mr Linus himself. Due to the size of the project, most of the work is broken down into subsystems, each with its own person in charge. Anybody can submit a patch to the subsystem maintainer for what they want to update; the maintainer accepts it into their code repository and will give it to Linus to accept into the next release.

In smaller projects, it may simply come down to a much smaller number of people.

There is almost certainly a review system for updates submitted. GitHub has web-based review. The Linux kernel runs on an email-based mailing list. People who are interested in projects do review the submissions. Often robots are doing testing of updates submitted. Malice is usually caught before it gets accepted. Overly large and complex updates are most commonly asked to be broken into a smaller number of bite-sized updates to make the review process easier.

Oh, people have absolutely *tried*, and in a few cases succeeded for a short while. But these projects run themselves like their own organizations, with rules and policies.
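The answer above describes two automated parts of the review pipeline: bots that test submitted updates, and maintainers pushing back on oversized patches so they get split into reviewable pieces. As an added example (not code from this thread, and not the Linux kernel's or any other project's real tooling), here is a small Python review gate that parses a unified diff, counts added and removed lines per file, and refuses a submission that exceeds a size budget. The patch text, file paths and the line and file limits are all constructed for the illustration.

```python
"""Toy automated review gate over a unified diff (added example, not project code).

The gate parses the hunks of a submitted patch, computes per-file churn and
refuses patches that are too large to review comfortably, which is the kind
of check a CI bot can run before a human maintainer looks at the change.
All sample patches, paths and limits here are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# "@@ -old_start[,old_count] +new_start[,new_count] @@"; a missing count means 1
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

# Constructed review budget (hypothetical numbers, not any project's policy)
MAX_LINES_PER_PATCH = 200
MAX_FILES_PER_PATCH = 5


@dataclass
class FileStats:
    path: str
    added: int = 0
    removed: int = 0


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def _path_from_header(line):
    """'+++ b/drivers/foo.c' or '+++ foo.c<TAB>timestamp' -> 'drivers/foo.c'."""
    name = line[4:].split("\t", 1)[0].strip()
    return name[2:] if name.startswith("b/") else name


def parse_unified_diff(text):
    """Return one FileStats per file touched, counting only real hunk content.

    Hunk line counts from the @@ header are consumed so that '---'/'+++' file
    headers are never mistaken for removed/added lines, even in plain
    'diff -u' output that has no 'diff --git' separators.
    """
    stats, current = [], None
    in_hunk, old_left, new_left = False, 0, 0
    for line in text.splitlines():
        if not in_hunk:
            if line.startswith("+++ "):
                current = FileStats(_path_from_header(line))
                stats.append(current)
            else:
                m = HUNK_RE.match(line)
                if m and current is not None:
                    old_left = int(m.group(1)) if m.group(1) is not None else 1
                    new_left = int(m.group(2)) if m.group(2) is not None else 1
                    in_hunk = True
            continue  # 'diff --git', 'index', '---' headers are skipped
        if line.startswith("\\"):
            continue  # "\ No newline at end of file" marker
        if line.startswith("+"):
            current.added += 1
            new_left -= 1
        elif line.startswith("-"):
            current.removed += 1
            old_left -= 1
        else:  # context line (leading space, or empty in some diff outputs)
            old_left -= 1
            new_left -= 1
        if old_left <= 0 and new_left <= 0:
            in_hunk = False
    return stats


def review_gate(diff_text, max_lines=MAX_LINES_PER_PATCH, max_files=MAX_FILES_PER_PATCH):
    """Decide whether a patch is small enough to enter human review."""
    stats = parse_unified_diff(diff_text)
    reasons = []
    if not stats:
        reasons.append("no file changes found in patch")
    total = sum(s.added + s.removed for s in stats)
    if total > max_lines:
        reasons.append(f"{total} changed lines exceed the budget of {max_lines}; please split into smaller patches")
    if len(stats) > max_files:
        reasons.append(f"touches {len(stats)} files (limit {max_files}); one logical change per patch")
    return Verdict(ok=not reasons, reasons=reasons)


# Constructed sample patch: a small, reviewable change to a hypothetical driver.
SMALL_PATCH = "\n".join([
    "diff --git a/drivers/example/widget.c b/drivers/example/widget.c",
    "--- a/drivers/example/widget.c",
    "+++ b/drivers/example/widget.c",
    "@@ -10,5 +10,6 @@ int widget_read(struct widget *w, size_t len)",
    " {",
    "-    if (len > WIDGET_MAX)",
    "+    /* validate arguments before touching the buffer */",
    "+    if (!w || len > WIDGET_MAX)",
    "         return -EINVAL;",
    "     return copy_widget(w, len);",
    " }",
]) + "\n"


def make_large_patch(n_files, lines_per_file):
    """Construct an oversized patch (new files full of additions) for the example."""
    parts = []
    for i in range(n_files):
        path = f"drivers/example/gen{i}.c"
        body = "\n".join(f"+int v{i}_{j} = {j};" for j in range(lines_per_file))
        parts.append(f"diff --git a/{path} b/{path}\n--- /dev/null\n+++ b/{path}\n"
                     f"@@ -0,0 +1,{lines_per_file} @@\n{body}\n")
    return "".join(parts)


if __name__ == "__main__":
    for name, patch in [("small", SMALL_PATCH), ("large", make_large_patch(3, 100))]:
        v = review_gate(patch)
        print(name, "ACCEPT" if v.ok else "REJECT", v.reasons)
```

The hunk counters are what make the parser trustworthy on real diff output: a removed SQL comment such as `-- note` shows up in a hunk as `--- note`, and a naive "lines starting with `---` are headers" rule would silently drop it from the churn count.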
