This isn't about support, this is about trusting the download.
If I get Ubuntu or Debian or download the mainline kernel, I'm trusting specific entities. That's very different from a vague idea that it's open source and hopefully someone checked if this particular random guy on github is putting out legitimate builds.
As I recall, studies have looked into this, and the bystander effect in open source is very real.
"You can view the source on GitHub" is very different than "A knowledgeable person has audited the millions of lines of source code and confirmed that nobody added anything shady or stupid." People often don't take the time to comprehend all the source of the things they depend on, especially for large dependencies and/or prototyping-scale projects.
> the bystander effect in open source is very real.
Outside of open source, it was a NYT excuse for the NYPD failing to save Kitty Genovese. The number of witnesses was greatly exaggerated, and the police were called at least once.
I don't think you mean to refer to the bystander effect, because the bystander effect says that the likelihood of intervention goes down as the number of bystanders goes up. You don't seem to be arguing that people are less likely to look at the source because the source is available to more people. More just claiming that people don't look at the source as often as you would like? That open source isn't always perfectly bug and backdoor free? Because I don't know if:
> "A knowledgeable person has audited the millions of lines of source code and confirmed that nobody added anything shady or stupid."
Has been claimed about many large pieces of software, proprietary or not.
2. Unapologetically, ruthlessly, and tirelessly simplify the software. Suckless.org is a bit on the extreme end, but I continue to be impressed by OpenBSD - it strikes a beautiful balance between clarity and function. They've also meticulously combed the entire source tree around 2010, looking for any signs of the supposed FBI backdoor.
It takes a lot of motivation to do either, let alone both. The financial incentives are elsewhere. But it's been (and being) done.