in reply to Code Inspections in Open Source projects
I think that the most effective form of code-review in any project, OSS or otherwise, derives from the notion of a distinct “development vs. production” barrier that developers cannot cross by themselves.
Development code, and the development team itself(!), does not have read/write access to the development code-libraries, nor any access at all to the production databases and files. This is enforced by management decree.
As an example of how this sort of thing can be done, look at Linux itself. “If you want to get something into ‘the’ Linux distribution, you've gotta get it past Linus Torvalds.” Or, you gotta get it past somebody (else).
There is also very-often a rule that “any source-code change that is built ‘to address an RT ticket’ must strictly address the defect that is described in the (approved...) ticket.” {RT is a commonly used problem-reporting system...} The change will then be associated with that ticket, and managed with it.