True, in theory, though in practice, I know plenty of capable people but almost none of them bothers to read the OpenSSH source (or even a subset, like recent changes) before updating or recompiling.
Make sure you read the code of the compiler you're using as well, and bootstrap/compile it from that source instead of trusting an existing compiler binary.
I mean, I know it's hyperbole, but I am pretty sure there are hardware bugs that allow access; see that Intel or IBM remote management disclosure. It might not be a real backdoor, but it's as good as one. As people above are mentioning, keep your paranoia inside your threat model.
I wish I could find the story where someone actually had this issue.
Basically, the story was that a program for grad research was inserting all kinds of nasty, anti-Semitic things into text, and it turned out the previous grad student had poisoned the compiler, which was modifying the strings and was able to re-poison it every time through something else.
I forgot the exact details but it is an amazing read.
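The attack behind the compiler comment above (and which the half-remembered grad-student story resembles) is Ken Thompson's 1984 "Reflections on Trusting Trust": a compiler binary that recognises the login program and inserts a backdoor, and recognises its own source and re-inserts the whole trojan, so that every source file anyone audits is clean while every binary stays poisoned. The script below is an added example, not code from this thread or from any real compiler. It models a "compiler" as a Python function that exec()s source into a fresh dict (the dict stands in for the compiled binary); all source strings, the magic password and the function names are constructed for the demo. It also shows the check a practitioner actually uses against this, Wheeler's Diverse Double-Compiling (DDC): rebuild the compiler from audited source with an independent trusted compiler, let the result rebuild itself, and compare that with the suspect binary's self-rebuild.

```python
"""Toy of Thompson's "Reflections on Trusting Trust", plus a DDC check.

Added example: the "compiler" is exec() into a dict, the dict is the
"binary".  Every source string and name below is constructed for the demo.
"""

# Audited, clean source of the compiler: nothing suspicious in it.
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    namespace = {}
    exec(src, namespace)
    return namespace
'''

# Audited, clean source of the program we care about (stand-in for sshd).
LOGIN_SRC = '''
def check_password(user, password):
    return user == "alice" and password == "correct horse"
'''

# The trojan a poisoned compiler binary carries.  It never appears in any
# source a reviewer reads: it lives only in the binary and re-inserts itself
# (quine-style, via TEMPLATE) whenever it compiles the compiler.
TROJAN_TEMPLATE = '''
BACKDOOR = (
    "\\n_real_check = check_password\\n"
    "def check_password(user, password):\\n"
    "    return password == 'open-sesame' or _real_check(user, password)\\n"
)
TEMPLATE = __SELF__

def _poison(src):
    if "def check_password(" in src:      # target 1: the login program
        src += BACKDOOR
    if "def compile_program(" in src:     # target 2: the compiler itself
        trojan = TEMPLATE.replace("__SEL" + "F__", repr(TEMPLATE))
        src = trojan + src.replace("exec(src, namespace)",
                                   "exec(_poison(src), namespace)")
    return src
'''
# Splice the template into itself so the trojan can reproduce its own text.
TROJAN_SRC = TROJAN_TEMPLATE.replace("__SEL" + "F__", repr(TROJAN_TEMPLATE))


def build_clean_compiler():
    """Bootstrap a trusted compiler binary straight from the clean source."""
    binary = {}
    exec(CLEAN_COMPILER_SRC, binary)
    return binary


def build_poisoned_stage0():
    """The attacker's one-off: build a compiler from trojaned source, then
    throw that source away.  From here on only clean source exists."""
    binary = {}
    exec(TROJAN_SRC + CLEAN_COMPILER_SRC.replace(
        "exec(src, namespace)", "exec(_poison(src), namespace)"), binary)
    return binary


def compile_with(compiler, src):
    """Use a compiler binary to build a program binary from source."""
    return compiler["compile_program"](src)


def login_is_backdoored(login):
    """True if the magic password is accepted (the real one still works)."""
    return login["check_password"]("alice", "open-sesame")


def binary_fingerprint(binary):
    """What DDC compares: the observable content of a built binary."""
    return sorted(name for name in binary if not name.startswith("__"))


def diverse_double_compile(suspect, trusted, compiler_src=CLEAN_COMPILER_SRC):
    """Wheeler's DDC, reduced to this toy.  True means the suspect binary
    matches its source; False means the binary carries what the source lacks."""
    stage1 = compile_with(trusted, compiler_src)      # rebuilt by trusted one
    regenerated = compile_with(stage1, compiler_src)  # that rebuild rebuilds
    self_built = compile_with(suspect, compiler_src)  # suspect rebuilds itself
    return binary_fingerprint(regenerated) == binary_fingerprint(self_built)


if __name__ == "__main__":
    clean = build_clean_compiler()
    gen = build_poisoned_stage0()
    for _ in range(3):            # rebuild from clean source, 3 generations
        gen = compile_with(gen, CLEAN_COMPILER_SRC)
    print("clean-built login backdoored:",
          login_is_backdoored(compile_with(clean, LOGIN_SRC)))
    print("3rd-generation login backdoored:",
          login_is_backdoored(compile_with(gen, LOGIN_SRC)))
    print("DDC clean vs clean:", diverse_double_compile(clean, build_clean_compiler()))
    print("DDC poisoned vs clean:", diverse_double_compile(gen, clean))
```

Reading both CLEAN_COMPILER_SRC and LOGIN_SRC tells you nothing, and recompiling from that source with the poisoned binary, however many generations deep, keeps the backdoor. What does catch it is an independent second compiler plus comparison of outputs, which is why reproducible builds and DDC matter more than source audits for this particular threat.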
> True, in theory, though in practice, I know plenty of capable people but almost none of them bothers to read the OpenSSH source (or even a subset, like recent changes) before updating or recompiling.
For purposes of security paranoia, if you can perform a security audit on open source code, it is just as good as any other code you've written.
I don't know about other people, but I find anything I don't find security holes in myself "as good" as anything I've written. I've got the same set of assumptions/blinders/competence either way.