Backdoor detection is an unsolvable problem both in theory and in practice. We are talking about carefully hidden obfuscated backdoors in MLOC codebases, which will have unexplained binaries and arcane build scripts. No company, not even Google, can guarantee that they'll be able to catch every backdoor hidden in some arbitrary codebase.

The only practical solution is for these companies to rewrite the core packages from scratch, written from the ground up so that they are easy to audit - no unexplained binaries, no arcane build scripts, etc.

> AFAICT, open source software has a better security track record, in general.

iirc Studies was done on this and there was no measurable difference in security issues when it comes to open vs closed source.

Just because the code is visible doesn't mean much, as you need to have the right eyes to actually notice security issues and a lot of open source projects don't have this.

Also closed source projects have the advantage where if they have a massive company behind them, that company has the resources (i.e. $$$) to hire highly specialised people to look the security of the software. Open source projects usually don't have such resources, heartbleed and xz are indicative of that.