by joesmo
3920 days ago
"Opensourcing is not a replacement for QA practices." I'm not suggesting it is, simply that public oversight (open source) is the only way to ensure trust of a secure system. The system itself still has to be secure and requires QA like any other.
First you need to know the system, then you can understand what the code should do, then you can have a fair chance of doing a code inspection.
I think people parallelize too much to web development or other environments a lot more exposed to public development. People think that if you can read someone else's C code for voice communication, they will also be able to understand the C code behind a diesel injection system, air intake path, exhaust gas treatment, fuel mass setpoints calculation. If you have never been exposed to stuff like that, you cannot fully judge if the code is wrong. You may find something obvious here and there (like a loop that may go beyond the limit in theory but never in the field).
And believe it or not, there is still competition for IP. Technical strategies of doing something in certain ways giving supplier X a clear advantage in some field. Why would X share his knowledge just like that? We are talking about huge money. Never seen Google share the source of all they do.