> hopefully it is cheaper to add honest reviewers than to compromise developers
Cue the XKCD comic about compromising advanced encryption with a $5 wrench: https://xkcd.com/538/
The issue isn't adding honest reviewers, it's keeping them honest. If you have a nation-state adversary that has the resources to compromise supply chains, such an adversary almost by definition also has the resources to threaten the safety of the loved ones of key engineers.
Software security with such strong technical guarantees ultimately would require going back and re-learning the same security guarantees that militaries afford and demand of key officers and scientists - security clearances, bodyguards, loss of personal freedoms and privacies (most notably financial privacy), etc.
That's my point, really. The question is what is the minimum number of engineers needed to be compromised in order for a malicious change to be introduced and not be noticed before it does its intended harm. Think of that as an equivalent to the Bus Factor, which, thanks to your prompting, I will call the Wrench Factor.
As you say, the threat model has to start considering meatspace security, but there are some advantages here relative to traditional military/industrial settings, in that we can imagine reputations being held by pseudonymous identities, and audits being assigned to random groups of them, without each other's knowledge, to prevent collusion.
There has to be some point at which an attack becomes infeasible (or at least unprofitable), if it requires simultaneously kidnapping thousands of people in multiple jurisdictions, without anyone noticing. Having various dead man's switches and zero-knowledge silent alarm protocols could do a lot to raise the cost of such attacks.
I don't disagree, but the point is to make catching the easy stuff easy(it's not currently), and raise the alarm faster for the hard stuff(which is sometimes not even possible now).
Cue the XKCD comic about compromising advanced encryption with a $5 wrench: https://xkcd.com/538/
The issue isn't adding honest reviewers, it's keeping them honest. If you have a nation-state adversary that has the resources to compromise supply chains, such an adversary almost by definition also has the resources to threaten the safety of the loved ones of key engineers.
Software security with such strong technical guarantees ultimately would require going back and re-learning the same security guarantees that militaries afford and demand of key officers and scientists - security clearances, bodyguards, loss of personal freedoms and privacies (most notably financial privacy), etc.