They distributed source and the patch is not at all obfuscated.
Which is exactly my point.
Say you are a government organization that requires a backdoor. You can make a very sophisticated backdoor. When it's found it is clear that it is probably an intentional backdoor (e.g. Dual_EC_DRBG). Or you can make a very obvious backdoor that is disguised as a debugging option that you forgot to disable, an obvious logic error, etc. For such backdoors, it's easy to argue that it was just sloppy programming (in contrast to an intentional government-requested backdoor), so people will assume the simpler explanation (as in Hanlon's razor).
We have learned from the Debian OpenSSL saga [1] that trivial programming errors in critical software can go unnoticed for years. I don't think the Debian OpenSSL bug was government-mandated, but it's easy to see that this is a very attractive route: the bug caused only 32,768 unique private keys to be generated (great for spying), most people will believe it's a true programming error, and you pay the person/company that introduces the bug royally for taking the blame.
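Added illustration (not part of the comment above, and not OpenSSL or Debian code): a toy model of why the Debian bug collapsed the key space to 32,768 keys. The patched generator's only remaining seed input was the process id, which on those systems was capped at 2^15 values, so the number of distinct keys a machine could ever produce was bounded by that. The weak_keygen function below is a constructed stand-in (a SHA-256 derivation from the pid, not RSA), and it is assumed here purely to show the defender-side consequence: once the seed space is that small, every possible key can be enumerated in advance and checked against, which is how the distribution's weak-key blacklists worked.

```python
import hashlib
import os
from typing import Set

# Constructed constant: the 2^15 pid range that was the only entropy left in the toy model.
PID_MAX = 32768


def weak_keygen(pid: int, key_bytes: int = 16) -> bytes:
    """Toy generator whose sole entropy input is the process id.

    Hypothetical stand-in for a PRNG seeded with nothing but the pid; it derives a
    deterministic key from the pid so that the same pid always yields the same key.
    """
    return hashlib.sha256(b"toy-weak-keygen|" + str(pid).encode()).digest()[:key_bytes]


def strong_keygen(key_bytes: int = 16) -> bytes:
    """Reference behaviour: a key drawn from the OS CSPRNG, so no enumeration is feasible."""
    return os.urandom(key_bytes)


def distinct_keys(num_keys: int) -> int:
    """Count distinct keys produced by num_keys fresh processes (pids wrap modulo PID_MAX)."""
    seen = set()
    for i in range(num_keys):
        seen.add(weak_keygen(i % PID_MAX))
    return len(seen)


def build_blacklist() -> Set[bytes]:
    """Enumerate every key the broken generator can ever emit.

    This is feasible only because the seed space collapsed to 2^15 values; a real
    generator fed from the OS entropy pool cannot be tabulated like this.
    """
    return {weak_keygen(pid) for pid in range(PID_MAX)}


def is_weak(key: bytes, blacklist: Set[bytes]) -> bool:
    """Defender-side check: does this key belong to the enumerable weak set?"""
    return key in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct keys from 100000 processes:", distinct_keys(100_000))  # bounded by 32768
    print("weak key flagged:", is_weak(weak_keygen(4242), bl))
    print("fresh CSPRNG key flagged:", is_weak(strong_keygen(), bl))
```

The point of the counting function is that generating more keys does not help: beyond 32,768 processes every new key is a repeat. The blacklist check is the same shape as the weak-key tables shipped after the real incident, and it only works because the enumeration is cheap.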
Assume the printk("You're root now") had not been there. Would that increase your estimate for the probability of an intentional backdoor, or reduce it?
Two rival businessmen meet in the Warsaw railway station. "Where are you going?" says the first man.
"To Minsk," says the second.
"To Minsk, eh? What a nerve you have! I know you're telling me you're going to Minsk because you want me to think that you're really going to Pinsk. But it so happens that I know you really are going to Minsk. So why are you lying to me?"
[1] https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_ke...