by dingi 993 days ago
Sure, they are OSS but how do you know what goes into their binaries? Being open source does not imply that the binaries are not backdoored.

Wouldn't it be relatively trivial for someone to compile, compare checksums and call them out?

It's more likely they'd introduce a security flaw that is hard to detect in the OSS code. If someone finds it, they'd just claim it was a security incident which is now fixed (and then they'd move to another masked flaw).

> Wouldn't it be relatively trivial for someone to compile, compare checksums and call them out?

Generally not. Most software does not have reproducible builds, so the checksums would be unlikely to match.
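The point about reproducible builds is easy to see with a toy model. The following is an added example, not code from the thread or from any project mentioned in it: a fake "build" step embeds a build timestamp and the absolute build directory (two real, common causes of non-determinism), so two honest builds of identical source already hash differently. Pinning `SOURCE_DATE_EPOCH` (the convention real toolchains honour) and the build directory makes the artifact a pure function of the source, and only then does comparing a published digest against a local rebuild mean anything. The source files, environment keys other than `SOURCE_DATE_EPOCH`, and digests here are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed toy "source tree" (file name -> bytes); not taken from the thread.
SOURCE = {
    "main.c": b"int main(void) { return 0; }\n",
    "util.c": b"int util(int x) { return x + 1; }\n",
}


def build(source, env):
    """Toy build step standing in for a compiler/linker.

    Like many real toolchains it embeds two common sources of non-determinism:
    a build timestamp and the absolute build directory. Setting
    SOURCE_DATE_EPOCH (the convention reproducible-build toolchains honour) and a
    fixed BUILD_DIR (a constructed key for this toy) makes the output a pure
    function of the source.
    """
    stamp = env.get("SOURCE_DATE_EPOCH") or str(time.time_ns())
    build_dir = env.get("BUILD_DIR") or f"/tmp/build-{time.time_ns()}"
    artifact = bytearray(b"TOYBIN\x00")
    artifact += f"stamp={stamp};dir={build_dir}\x00".encode()
    for name in sorted(source):  # deterministic "link order"
        artifact += name.encode() + b"\x00" + source[name]
    return bytes(artifact)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def reproducible_env():
    """Pin everything the toy build reads from its environment."""
    return {"SOURCE_DATE_EPOCH": "1700000000", "BUILD_DIR": "/build"}


def demo_non_reproducible():
    """Two honest builds of identical source with the default environment.
    Returns True when their checksums differ, the failure mode described above."""
    first = sha256_hex(build(SOURCE, {}))
    time.sleep(0.001)  # make sure the wall-clock stamp moves
    second = sha256_hex(build(SOURCE, {}))
    return first != second


def demo_reproducible():
    """Same source, pinned environment. Returns True when checksums match."""
    env = reproducible_env()
    return sha256_hex(build(SOURCE, env)) == sha256_hex(build(SOURCE, env))


def verify_release(published_sha256, source, env):
    """Rebuild from the published source under the pinned environment and
    compare against the vendor's published digest. Only meaningful when the
    build is reproducible: without that, a mismatch proves nothing."""
    local = sha256_hex(build(source, env))
    return hmac.compare_digest(local, published_sha256)


def demo_verify():
    """Returns (honest_ok, altered_ok): a digest of a build from the published
    source verifies; a digest of a build from source that differs from what
    was published does not."""
    env = reproducible_env()
    honest_digest = sha256_hex(build(SOURCE, env))
    altered_source = dict(SOURCE)
    altered_source["util.c"] = b"int util(int x) { return x + 1; } /* constructed difference */\n"
    altered_digest = sha256_hex(build(altered_source, env))
    return verify_release(honest_digest, SOURCE, env), verify_release(altered_digest, SOURCE, env)


if __name__ == "__main__":
    print("non-reproducible builds differ:", demo_non_reproducible())
    print("reproducible builds match:     ", demo_reproducible())
    print("verify (honest, altered):      ", demo_verify())
```

The practical reading of this: a third party can only "compile, compare checksums and call them out" once the project's build is reproducible and the environment inputs (timestamp, paths, toolchain version) are pinned and documented; until then, differing checksums are the expected result of an honest build, not evidence of tampering.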

> Sure, they are OSS but how do you know what goes into their binaries? Being open source does not imply that the binaries are not backdoored.

Then build your own binaries. I'm sure the Russian government wouldn't struggle to do this.