Hacker News
by anonymouskimmer 1189 days ago
> Ignoring trust issues (NK inserting a backdoor)

For another option, is it possible that patching a legitimate bug could open up a line of attack in an otherwise unrelated piece of code that the bug was somehow blocking? If it is, even legitimate, verified bug fixes, or even bug reports, from non-trusted sources should be carefully vetted.


They did end up banning all of the University of Minnesota over trust issues. Everything should be carefully vetted, sure, but it's always possible something gets missed; a good backdoor is indistinguishable from a bug, and those definitely end up getting merged. Any merge is a "risk", so to speak. It's a matter of risk management: a patch from Greg Kroah-Hartman is very unlikely to contain an intentional backdoor and a patch from Kim Jong-un is more likely to contain one, and with lots of shades in-between those two extremes.
Worse, you can be quite sure that a patch or series of patches from "Kim Jong-un" will introduce a bug (or rather a well hidden corner case) leading to a backdoor. It can be assumed that there's a hidden incentive behind the patches.