Totally agree with that. Also good to note that in general it is easier to create a backdoor for FOSS because of the general code availability. For a proprietary product, you'd have to somehow gain access to the closed source, which is harder. Also, many FOSS projects have few maintainers doing a great amount of work for free, so with a bit of social engineering you can pressurise them into accepting code they don't entirely understand.
On the other hand, many FOSS projects have more than one maintainer, so more eyes watching the code. Also, you have to find a way to conceal the backdoor, so that it can’t be easily identified.
All in all, open-source is certainly better, because you don't have to blindly trust some company, but there are many factors which come into play in both camps. Ultimately, trust is not the only thing that matters, since even a trusted repository can be compromised/hacked. Then you can only rely on fast mitigation of the consequences, that is, hope that the compromised code hasn't been there for long.
{} + 0 >> 0
0 + {} >> "0[object Object]"
I’m going home.
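The two results quoted above come from a parsing difference, not from `+` being inconsistent: at the start of a statement `{}` is an empty block, so `{} + 0` is really the unary expression `+0`, while in expression position `{}` is an object that gets coerced to the string `"[object Object]"`. The following is an added example (not part of the original posts) that reproduces both readings with indirect `eval`, so the same source text can be run as a statement list and as an expression; `asStatement`, `asExpression` and `demo` are names chosen here for illustration.

```javascript
// Added example: why "{} + 0" and "0 + {}" evaluate differently in JavaScript.
// A REPL parses "{} + 0" as a Program, where the leading "{}" is an empty
// block statement followed by the expression statement "+0" (value 0).
// "0 + {}" is a single expression, so "{}" is an object literal and the
// binary "+" coerces it with toString(), giving "0[object Object]".

// Evaluate source as a statement list, the way a REPL or script would.
// (0, eval) is an indirect eval: global scope, Program-level parsing.
function asStatement(src) {
  return (0, eval)(src);
}

// Evaluate the same source wrapped in parentheses, forcing expression position,
// so a leading "{}" becomes an object literal instead of a block.
function asExpression(src) {
  return (0, eval)("(" + src + ")");
}

// Collect the three cases so they can be checked rather than just printed.
function demo() {
  return {
    blockThenPlusZero: asStatement("{} + 0"),   // 0
    objectPlusZero: asExpression("{} + 0"),     // "[object Object]0"
    zeroPlusObject: asStatement("0 + {}"),      // "0[object Object]"
  };
}

console.log(demo());
```

The practical takeaway is that `+` on mixed operands in JavaScript silently switches between numeric addition and string concatenation depending on how the operands coerce, which is why input that reaches arithmetic or comparison code should be explicitly converted (`Number(x)`, `String(x)`) and checked rather than left to implicit coercion.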