• vacuumflower · 11 hours ago

    Once again you are talking about programmers in general and not security researchers.

    Really, have a look at what it requires to write binary code, let alone reverse engineering complicated code, that somebody else wrote.

    I have had a look. I’ve also done some solving of simple crackmes and such. I’m definitely not competent, but to find a well-hidden security backdoor you’ll have to examine behavior, which requires certain skills, and then you’ll have to look at the executable code, and then, of course, having the source is good, but less so if it’s deliberately made to look normal.

    I agree with Linus’ statement though:

    I think I’m mistaken on that attribution, OpenBSD’s Theo de Raadt is more likely to be the author.

    I stand by my opinion that it’s a bad look for a privacy- and security-oriented piece of software, to restrict non-“experts” from inspecting that, which should ensure that.

    Yes, I agree that it’s better when the source is present. But if you overvalue the effect, then it might be worse. Say, again, with Linux: plenty of people are using thousands of pieces of FOSS software, trusting the resulting thing far more than Windows. If we knew that the level of trust is absolutely the same, then one could say Linux is safer. But we know that people sometimes do with Linux all kinds of things they wouldn’t do with Windows, because they overvalue the effect of it being FOSS. It’s FOSS, but you still had better not store 10 years of home video unencrypted on the laptop you are carrying around, things like that.