Re: Open Source FTW
"That would be a clear flag to everyone that the company practices do not stand the light of day!"
Not if it's "hidden in plain sight" using a gestalt of very subtle adjustments that are legitimate in and of themselves but when put together just so create the exploit. Remember, we're talking some of the highest stakes there are. Nothing is taboo.
"I believe such regulations would do wonders to embedded code quality even if very few people actually inspected the code: it would force companies to stick to proper configuration management process. Any short-cuts (such as shipping code with patches that only exist on some developer's laptop) would make it impossible for others to replicate the build."
Unless you use techniques like evil compilers or just go beyond the firmware and use state-level tricks like subverting more basic hardware chips. Eventually, you hit stuff that CAN'T be opened up due to copyrights, trade secrets, or even patents, which means you're going to have to trust SOMEONE. Only problem is, with these kinds of stakes, ANYONE can be bought (or pushed out of the way and replaced with someone pliable).