Channel: Karl Auerbach

@SteveBellovin Today you posted a note about how someone appears to have injected a Trojan into the source of XV. (Oops, I mean xz.) And there was another post about the increase in complex tool chains and dependencies that are larding-up the software many of us use.

That made me wonder about whether national security bodies - intelligence, military, or other - or social movements (e.g. ISI) might be injecting similar things into source trees.

It would be relatively easy to hide such things, particularly via the tool chains or Makefiles - like who is going to notice a sed script in an autoconfig part of a build chain?

Like good spies, such things could be planted years in advance and only triggered, if ever, when desired.

This is not an open source issue, it is a ubiquitous issue. And in light of Ken Thompson's "Reflections on Trust", some of these could be quite invisible in some kinds of source code.

I am very nervous about the vulnerability and brittleness of our new world of tech as a utility.

