[tptacek]

qmail has one of the most notoriously inscrutable codebases of all time, and it has a startlingly good track record, because there's a coherent security design behind it; the same --- to a greater extent! --- goes for OpenSSH.

[raggi]

There's a side of this that I agree with, however there's other sides.

The reason I've been in the code base a bunch is because I've taken on support of forks bootstrapped by others in various scenarios.

Design safety goes a fairly long way, but it's so easy to screw up patching code shaped this way. I might trust the core, but I don't trust external patches.

The problem in practice is, distros can't help themselves.

[tptacek]

I wouldn't trust external patches to OpenSSH either.

[Eduard]

Maybe qmail and SSH have their good track record because of security by inscrutability