Comment by wvh

8 years ago

But companies wouldn't give commit access to somebody they just "hired" over the internet that "wants to help", and they'd (hopefully) have multiple layers of code sign-off before it ends up in the repository. Having worked in PCI-DSS environments, it would not be easy to get code into production without anybody else noticing.

Open-source projects often have random people "from the internet" working together with a great deal of individual autonomy (authority doesn't go down well when you are contributing for free). This ad-hoc style works well for open-source development, but it does make some kinds of code/system subversion a lot easier and we'd do well to keep that in mind.

Besides, I'm into open-source and security exactly because I don't want to rely on the goodwill of Apple, Google and Microsoft. ;)