
Is it harder to sneak in junk in open source projects? I'm reminded of Ken Thompson's Turing Award lecture, "Reflections on Trusting Trust". http://cm.bell-labs.com/who/ken/trust.html

Could someone add a backdoor to git that hides backdoors from showing up in git? Could gcc be backdoored to add backdoors to arbitrary software? How likely is it that NSA has a few zero-days lying around they could use to hack into the servers that host git or gcc or any other tool you rely on? What if they had agents among the committers and maintainers of these projects?

Security against a well-armed, well-funded, well-organized, secretive adversary is hard.



Could you spot a "trusting-trust"-style backdoor in an FPGA you were offloading crypto to? How would you even start?


There are countermeasures concerning the Trusting Trust attack: http://www.schneier.com/blog/archives/2006/01/countering_tru..., though I'm not sure if anyone has ever seriously attempted to deploy them.


I have given some thought to this kind of thing, and one thing I realized is that the limits of the trusting trust attack can be exploited as well. Let's suppose you only have one compiler. Now, it is going to try to insert the worm into any compiler it compiles, right? The problem is that it must be able to detect that it is actually compiling a compiler.

This, however, is not a decidable problem. It is possible to construct a program that will fool the worm and thus you can create a compiler that you know you can trust for this test. It will probably be a hard compiler to use, but you will need it at most twice -- once to check for an attack, and if there is an attack once more to bootstrap a clean compiler.
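The countermeasure linked two comments up is diverse double-compiling (David A. Wheeler's technique, which the Schneier post discusses), and the comment just above turns on the fact that the implant must first recognise that it is compiling a compiler. The toy model below is an added example, not code from this thread, from Thompson's paper or from Wheeler's work. "Binaries" are plain strings so two builds can be compared byte for byte, `looks_like_compiler` is an assumed naive keyword predicate standing in for whatever test a real implant would use, and `honest_compile` stands in for a second, independently built compiler (the hand-assembled one the later reply mentions).

```python
import hashlib

# Constructed toy model of a self-reproducing compiler implant and of the
# diverse double-compiling (DDC) check that detects it. Nothing here is a
# real compiler; every "binary" is a short string.
IMPLANT_TAG = "+implant"


def translate(src: str) -> str:
    """Deterministic, honest translation: the binary is a digest of the source."""
    return "bin:" + hashlib.sha256(src.encode()).hexdigest()[:16]


def looks_like_compiler(src: str) -> bool:
    """The hidden predicate the implant depends on (assumption: a naive keyword test)."""
    return "compiler" in src.lower()


def honest_compile(src: str) -> str:
    """Stands in for an independent, trusted compiler."""
    return translate(src)


def trojaned_compile(src: str) -> str:
    """Translates honestly, except that it reproduces itself whenever it
    believes it is compiling a compiler."""
    out = translate(src)
    if looks_like_compiler(src):
        out += IMPLANT_TAG
    return out


def load(binary: str):
    """'Run' a binary: its content decides which behaviour it has."""
    return trojaned_compile if binary.endswith(IMPLANT_TAG) else honest_compile


COMPILER_SRC = "toy compiler v1: lexer, parser, codegen"     # constructed source
DISGUISED_SRC = "toy translator v1: lexer, parser, codegen"  # same program, renamed


def ddc_check(suspect_bin: str, compiler_src: str, trusted) -> bool:
    """Diverse double-compiling: rebuild the compiler from source with an
    independent trusted compiler, let that result rebuild itself, and compare
    with what the suspect binary produces from the same source. With
    deterministic output the two must match unless the suspect misbehaves."""
    stage1 = trusted(compiler_src)            # built by the trusted compiler
    stage2 = load(stage1)(compiler_src)       # stage1 rebuilds itself
    suspect_out = load(suspect_bin)(compiler_src)
    return stage2 == suspect_out


def demo() -> dict:
    clean_bin = honest_compile(COMPILER_SRC)
    # A binary that was itself built by an implanted compiler carries the
    # implant and passes it on to every compiler it builds.
    infected_bin = trojaned_compile(COMPILER_SRC)
    return {
        # Rebuilding the infected compiler from its own clean source yields a
        # bit-identical binary, so a naive "rebuild and compare" check passes.
        "self-rebuild identical": load(infected_bin)(COMPILER_SRC) == infected_bin,
        "self-propagates": load(infected_bin)(COMPILER_SRC).endswith(IMPLANT_TAG),
        "clean passes DDC": ddc_check(clean_bin, COMPILER_SRC, honest_compile),
        "infected caught by DDC": not ddc_check(infected_bin, COMPILER_SRC, honest_compile),
        # The point made above: if the source does not match the implant's
        # predicate, the implant never fires and the build comes out clean.
        "disguise evades predicate": not load(infected_bin)(DISGUISED_SRC).endswith(IMPLANT_TAG),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two things the model makes visible: a self-rebuild of the infected compiler is bit-identical, so only a second, independently built compiler (the "diverse" part) exposes the difference; and the disguise only works because the predicate is known here, which is exactly the objection raised in the reply below.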


But in order to create a disguised compiler, you need to know what method a compromised system uses to decide whether something is a compiler.

i.e., you actually have to have an example of a compromised compiler, which pretty much solves the problem in the first place.

If you decidedly don't trust the only compiler on your system, and don't trust outside sources, the only solution is to hand-assemble a new compiler on the system, and hope that at least the hardware is trustworthy. Which it isn't, necessarily.



