Given enough eyeballs all bugs are shallow: True or False?

"Given enough eyeballs all bugs are shallow."  I do agree if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs.  This premise is built on the assumption that all reviewers have the best intentions in mind.  However, do all people have the best intentions in mind?  If all do, we will not need law enforcement officials.

Obviously there will be some malicious and devious "eyeballs" out there.  Rather than identifying bugs, they plant bugs in open source softwares.  This attack is named "Cross-Build Injection".  Fortify just published an article with reported incidents related to OpenSSH, SendMail and IRSSI.  Check out https://www.fortifysoftware.com/servlet/downloads/public/fortify_attacking_the_build.pdf.

Comments