Can third-party malware scanners be relied on to catch a backdoor as carefully disguised as the one planted in xz? A rogue maintainer who spends years gaining control of a popular package and then backdoors it is an underrated threat model, and the most promising prevention may be crowd-sourced code review.
The paper discusses the lack of code review in popular open-source packages and weighs the merits and challenges of a code review coverage metric as a quality-control check.
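As an added illustration (not code from the paper or the page), here is one plausible way to compute such a metric: the share of merged commits, or of changed lines, that were approved by at least one reviewer other than the author. Both that definition and the sample commit log are assumptions; the names and SHAs are constructed and do not describe the real xz history.

```python
"""Toy code-review coverage metric over a constructed commit log.

Assumed definition (not the paper's): a commit counts as reviewed only if
someone other than its author approved it. Self-approval is the case a
rogue maintainer would exploit, so it is deliberately treated as unreviewed.
"""
from dataclasses import dataclass, field


@dataclass
class Commit:
    sha: str
    author: str
    reviewers: list = field(default_factory=list)
    lines_changed: int = 0


# Constructed sample data, not real project history.
SAMPLE_LOG = [
    Commit("a1", "alice", ["bob"], 40),
    Commit("a2", "mallory", [], 300),          # merged with no review at all
    Commit("a3", "bob", ["alice"], 12),
    Commit("a4", "mallory", ["mallory"], 80),  # "approved" only by the author
    Commit("a5", "alice", ["bob", "carol"], 20),
]


def is_independently_reviewed(commit):
    """True if at least one approver is not the author."""
    return any(r != commit.author for r in commit.reviewers)


def review_coverage(commits, weight_by_lines=False):
    """Fraction of commits (or of changed lines) with independent review."""
    if not commits:
        return 0.0
    if weight_by_lines:
        total = sum(c.lines_changed for c in commits)
        covered = sum(c.lines_changed for c in commits if is_independently_reviewed(c))
    else:
        total = len(commits)
        covered = sum(1 for c in commits if is_independently_reviewed(c))
    return covered / total if total else 0.0


def unreviewed_commits(commits):
    """SHAs that would need attention under a review-coverage gate."""
    return [c.sha for c in commits if not is_independently_reviewed(c)]


def unreviewed_lines_by_author(commits):
    """Who is landing the most unreviewed change, by lines touched."""
    totals = {}
    for c in commits:
        if not is_independently_reviewed(c):
            totals[c.author] = totals.get(c.author, 0) + c.lines_changed
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def passes_gate(commits, threshold=0.8, weight_by_lines=True):
    """Quality-control check: fail the release if coverage is below threshold."""
    return review_coverage(commits, weight_by_lines) >= threshold


if __name__ == "__main__":
    print("per-commit coverage:", review_coverage(SAMPLE_LOG))
    print("per-line coverage:  ", review_coverage(SAMPLE_LOG, weight_by_lines=True))
    print("unreviewed commits: ", unreviewed_commits(SAMPLE_LOG))
    print("unreviewed lines:   ", unreviewed_lines_by_author(SAMPLE_LOG))
    print("gate passes:        ", passes_gate(SAMPLE_LOG))
```

Weighting by lines rather than by commit count matters here: three of five commits are reviewed, but the two unreviewed ones carry most of the change, which is exactly the pattern a large, unreviewed drop from a single maintainer would produce.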