Hacker News
by wheelerof4te 1021 days ago
It's extremely hard to sneak backdoors in open-source code.

Which is one of the reasons why a lot of people promote that openness.

2 comments

It's extremely easy to sneak backdoors in open-source code that contains automatic update functionality.
Into a popular repository, yes, but into a small tool like that it would most likely be very possible.
Small tool = less code to read through.

If you want to use that suspicious tool, you should at least take a glance at the source code.

In an ideal world that would be the case, but people barely read the README or documentation.
That's their own fault, and in the alternative closed-source scenario nobody would be able to read the source without reverse engineering it first.
I did, and on the rare occasion that I need to use a downloaded binary today, still open it in a text editor and scroll through it for a cursory look. Packed -> reject. Bigger than expected -> reject. URLs or other strings, especially obfuscated, not related to expected functionality -> reject. Online AV multiscanners offer a reasonable alternative for those who aren't familiar with this sort of quick-glance RE, although they do have false positives too.
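The quick-glance checks described in the comment above (packed, bigger than expected, URLs or obfuscated strings unrelated to the tool's job), written out as an added Python example. This is not code from the thread or from any poster; it assumes an entropy cut-off of 7.0 bits/byte for "packed", a caller-supplied expected size and an allow list of hosts the tool is expected to contact, and the two sample blobs are constructed inline rather than taken from any real binary.

```python
"""Quick-glance triage of a downloaded binary: size, packing and embedded strings.

Added example; the thresholds and sample blobs are assumptions, not data from any
real binary. Heuristics only: a legitimately compressed resource section also has
high entropy, and a version string such as 10.0.1.2 trips the IPv4 check.
"""
from __future__ import annotations

import base64
import hashlib
import math
import re
from collections import Counter
from urllib.parse import urlsplit

PACKED_ENTROPY_BITS = 7.0                        # assumed cut-off for "packed"
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")   # `strings`-style runs, min length 6
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking run


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted (packed) data, ~4-5 for code plus text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes) -> list[str]:
    """Printable ASCII runs of six or more bytes, the view `strings` would give."""
    return [s.decode("ascii") for s in PRINTABLE_RE.findall(data)]


def suspicious_strings(data: bytes, expected_hosts: tuple[str, ...] = ()) -> list[tuple[str, str]]:
    """URLs to hosts outside the allow list, bare IPv4 literals and base64-looking blobs."""
    hits = []
    for s in printable_strings(data):
        for url in URL_RE.findall(s):
            if (urlsplit(url).hostname or "") not in expected_hosts:
                hits.append(("url", url))
        hits += [("ipv4", ip) for ip in IPV4_RE.findall(s)]
        hits += [("base64-like", run[:24] + "...") for run in B64_RUN_RE.findall(s)]
    return hits


def triage(data: bytes, expected_max_size: int, expected_hosts: tuple[str, ...] = ()) -> dict:
    """Apply the three reject rules; any hit means 'reject', otherwise 'glance-ok'."""
    reasons = []
    if len(data) > expected_max_size:
        reasons.append(f"bigger than expected: {len(data)} > {expected_max_size} bytes")
    entropy = shannon_entropy(data)
    if entropy > PACKED_ENTROPY_BITS:
        reasons.append(f"looks packed: {entropy:.2f} bits/byte")
    reasons += [f"{kind}: {text}" for kind, text in suspicious_strings(data, expected_hosts)]
    return {"verdict": "reject" if reasons else "glance-ok",
            "entropy": round(entropy, 2), "reasons": reasons}


def _high_entropy_filler(n: int) -> bytes:
    """Deterministic stand-in for a packed section (a SHA-256 counter chain)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


# Constructed sample blobs (not real executables).
CLEAN = (b"Usage: mytool [options] FILE\x00Version 2.1\x00"
         b"https://example.com/docs\x00" + b"mov eax, ebx ; ret\x00" * 40)
SUSPICIOUS = (CLEAN
              + b"http://example.invalid/update.bin\x00"
              + base64.b64encode(b"http://example.invalid/update.bin") + b"\x00"
              + _high_entropy_filler(16384))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(name, triage(blob, expected_max_size=2048, expected_hosts=("example.com",)))
```

The allow list is what turns "URLs not related to expected functionality" into a mechanical check: a documentation link to the project's own host passes, an update URL to an unexpected host is a hit. Entropy is a proxy for packing only; inspect a real file's sections separately if one compressed resource is pushing the whole-file average up.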
> Online AV multiscanners offer a reasonable alternative

You're right, (not just) online AV multiscanners are also FUD machines that will happily accept malicious programs but reject anything well crafted and optimized because it doesn't look exactly like the shit MSVC craps out with default settings.