"Many eyes make bugs shallow" doesn't apply to security bugs. You need the *right* eyes auditing the code. Until then, backdoors like this can hide in plain sight. https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/
>auth_su = true
I think anyone who looked at that code would notice...
Do you have any evidence this was hiding in plain sight, as opposed to hiding where nobody bothered to look?