"Many eyes make bugs shallow" doesn't apply to security bugs. You need the *right* eyes auditing the code. Until then, backdoors like this can hide in plain sight. https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/
@kyle
>auth_su = true
I think anyone who looked at that code would notice...
Do you have any evidence this was hiding in plain sight, as opposed to hiding where nobody bothered to look?
@kyle Besides, lots of bugs have thousands of eyes, so it kind of evens out, doesn’t it? 🙃
@kyle Bonus: Commit removing the backdoor: https://github.com/jks-prv/Beagle_SDR_GPS/commit/0edf5fcfb99fdffa2058c86f60c855a306a857ee#diff-ad090c36f5cf2b493c321e92af0edbf58f44764081e3a058a532f7b387fcc1fe