Backdoors in Source Code
The cluster discusses the limitations of code reviews and open source transparency in detecting subtle backdoors, referencing Obfuscated C and Underhanded C contests, supply chain attacks, and compromised toolchains.
Sample Comments
The obfuscated C coding contest shows that you probably won't catch backdoors with code reviews
Perhaps by knowing that the distributed binaries will be disassembled and inspected? The same way it would have to be examined even if there was a GitHub repo out there claiming to be the code used?
Yes, but someone can break into whatever server is hosting the source and add a backdoor without anyone noticing for quite a while. Do you go through all the code you compile? Can't think of any specific examples right now, but I remember this happening a few times.
Why would they need to interrogate him? They could just look at the source code. Not to mention they could easily get a plant as a contributor and work in backdoor code (probably already happened).
Yes and even if they were squeaky clean and didn't do anything bad with your code, there's also the possibility that they've been hacked and code is getting siphoned off somewhere.
Are you familiar with the Underhanded C Contest? It's possible to maliciously tamper with C code such that you definitely wouldn't spot it with a cursory glance over, and possibly even with careful study.
You might be able to disguise it as debugging/development code that was mistakenly left in there. And instead of a hardcoded list of targets it could pull down the values in a more creative way. But at the end of the day that probably wouldn't stop a talented reverse engineer from figuring out what was going on.
Hypothetically, if someone integrated this into their own proprietary app with hidden code under a proprietary license... how would you know it hadn't been compromised?
I suggest looking into the Obfuscated C contest before relying on your own reading of code to verify lack of malicious intent.
This sounds like a really good idea... if you want to hide subtle backdoors in innocuous-looking code.