Exactly. How can you trust something you don't have source code to? You can't, full stop. Any thinking otherwise is at best childishly naive ignorance. Given the recent revelations of the past few years, it should be glaringly obvious to anyone with half a clue that companies have been compromised, either willingly or otherwise, so that trusting closed source is a bad idea (as ESR, RMS and Bruce Schneier have been saying for decades!). The finding of this bug in GNUTLS is a good thing! Claiming that this bug would have been found at all, much less fixed, in proprietary software is galling, to put it lightly.
You can audit binaries. So definitely not "You can't full stop". Most people are in no position to audit all the source code they use, just like most technical people are in no position to audit binaries they use.
(And I'm putting aside the whole issue of backdoors in hardware, compilers, etc.)
