But merely being free software isn't sufficient - software developed in a way that prevents arbitrary observers from witnessing design conversations may still be free software, but doesn't give us a strong reason to trust the developers. We all know how easy it is to hide dubious code in the open. The libxz backdoor was discovered by examining the binary and tracking that back to the source, not through source examination.

Frankly: binaries are the thing that executes on your system and embody the truth of software behaviour, and with modern technology it's often *easier* to determine that truth through the binary than through the source code (throw the "login" app from Reflections on Trusting Trust into Ghidra and you'd learn the truth even if the source code wouldn't tell you that)

@mjg59 true but source access enables you having debug symbols, which are a blessing if you want to navigate to the critical parts you want to verify.

@twomikecharlie Assuming whatever built the source corresponds to the source, which, well, XZ and Solarwinds are counterarguments to

@mjg59 IIRC, I would argue, especially the xz backdoor is vastly better to analyze if you have the source and the build scripts, because of all the weird artefacts (obfuscated script, .so) in the build process it relied on. if you analyze the tarball with initial suspicion you can quickly see where's something wrong. In the binary this would've taken some time.

@twomikecharlie It's unambiguous that the issue was identified from the binary. What was in the source gave further insight, but in the end it was still an obfuscated binary.

@twomikecharlie And I'd challenge anyone to have identified the issue from the source without seeing the behaviour the binary had. I would never have seen it. I know nobody who's said they would have done.