tal , 5 hours ago

I have reviewed the tiniest fraction of code that I have ever used.

<span style="color:#323232;">$  dpkg -l|wc -l
</span><span style="color:#323232;">4526
</span><span style="color:#323232;">$
</span>

That’s about 4500 software packages I have installed on one Linux system, to say nothing of other computing devices I’ve used or the other packaging systems in use on this system alone. I have probably looked at any portion of…I don’t know, maybe 20 of those? And that’s to work on a small portion of any one’s codebase, certainly not to audit the software package.

Nobody using any kind of a remotely normal and modern computing environment, even if they are a software developer and know at least one programming language used by some of the software on their system and if they have the relevant domain knowledge to assess security concerns, has the realistic ability to conduct a review of the code that runs on their system, even in environments, like Linux, where the code is available.

It’s like asking a mechanical engineer to validate the design correctness of every mechanical device they’ve ever used prior to using it.