Are those the same experts that missed gotofail? Static analysis should have caught that. Just because they can does not mean that they do. Having many developers sharing code means that they all have an incentive to do auditing.
By the way, there are definitely people who do things with OSS code and never tell others. I cannot know what everyone is doing. I am neither God nor the NSA.
By the way, there are definitely people who do things with OSS code and never tell others. I cannot know what everyone is doing. I am neither God nor the NSA.