Exactly. How do we know that someone didn't crack the workstation of an apache or firefox
developer, didn't slip a backdoor into the code and currently isn't waiting for the highest
bidder to sell the access to these computers? Yes, I know, there is peer review, but it
obviously didn't work in the case of SquirrelMail...