by shoto_io 1801 days ago
So you don't trust large US tech companies. Fair.

But why do you expect people can trust a group of anonymous developers building open source smartphones?


Isn't that a large part of the open-source nature? Audit the code or hardware designs yourself, determine their trustworthiness from that. It's much harder to trust something when you can't examine the inner workings of it.

Ok thanks, I get that. But how many people can do that? Like 0.001% of the population?

I think it's fair to call it 0%. Auditing a large, modern code base is going to be impossible for a single person. For example, the Linux kernel is 27.8M lines of code (as of Jan 2020, [0]). Yes, a lot of that code is for drivers you won't use, or platforms you aren't running on. But still, no one person is going to be able to get through all of it with enough attention to detail to notice things like subtle race conditions, especially if they were inserted maliciously.

[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-Gi...

How many people can authenticate a dollar bill? How many people can validate a cryptographic signature? How many people can direct a blockbuster action movie?

The point is, right now, nobody can audit these things. Once someone -- anyone! -- can, everyone else can benefit.

There's also the matter of traceability.

Even if there is no direct audit of the code, once a vulnerability is discovered it can be traced back to the person(s) who introduced it.

With a closed system, only the owner of the source code history can do that. With open source, any person in the world can, and can start a discussion to understand whether it was malicious or not, if the person(s) should be banned from pushing code, new code security standards to be adopted, etc. You lean on the world's expertise at that point.

Bad things happen. It's important to have the ability to understand why and mitigate for the future.

Nope, it can be traced back to a random nickname on the Internet, using a computer somewhere in the globe.

That may be so, but it's usually been through code reviews, pull requests and whatnot - which means a maintainer somewhere has approved that code.

In any case, "a random nickname on the Internet, using a computer somewhere in the globe" is a lot more information than none.

Finding out that that's the case for a given project is part of traceability.

I guess you have never had commit rights to any Linux distribution or such?

You don't get commit rights as a random person, so yes, a commit can usually be traced back to a person. Sure, the committer could have received a patch from an unknown person, but then he's still responsible for the commit.

>How many people can authenticate a dollar bill? [...] nobody can audit these things.

USGOV has a pretty comprehensive guide on how to validate them:

https://www.uscurrency.gov/sites/default/files/downloadable-...

There is also plenty of documentation and books to learn coding and start auditing if you want to.

Fake validation is less like coding: to catch a really well-made fake you would need years of experience seeing all sorts of fakes, while coding needs only experience to see what good code is to be able to catch most issues.

> coding needs only experience to see what is good code to able to catch most issues

If that were true, the software industry would have a much smaller problem re: bugs and errors than they currently do.

Please note the entire absence of the dollar bill from that document.

> Please note the entire absence of the dollar bill from that document.

A fair point. I took "dollar bill" to be the generic "US currency" rather than specifically "the $1 bill". But this page covers everything from $1 to $100 (although it seems the $1 and $2 have barely any.)

https://www.uscurrency.gov/denominations/

You clearly don't understand the transparency and power of open source code. Fair.

Helping me to understand would be appreciated and in the spirit of HN. Mocking me? Not so much.

Open source is like Open courts or Right to Information.

Just like anything going on in secret courts is bad for judicial integrity, or RTI laws can help keep government somewhat honest, Open source can help like any other transparency framework.

Just transparency is not a magic solution, open source alone is not going to solve everything. It is just one among many other controls we need.