Peer review did work with SquirrelMail - somebody reviewed the checksum and raised the alarm. There was no possibility for review to happan any earlier - that code did not go through the ordinary process. The fact that almost all backdoor attempts have targeted the distribution point (the final tarball) rather than some point earlier in the process suggests that getting a backdoor in that way is hard.
In other cases where backdoors have actually made it into source repositories (interbase, for example, or the mICQ incident), peer reviewers have caught the problem. The interbase backdoor lasted for a year and a half, but I do not think it was being exploited. It was something the developers left in by mistake. I do not know of a case where a trojan was introduced into a free software project, then was exploited for any significant period of time before being found.
That, of course, does not say that no such compromise exists. But I would be more concerned about long-term backdoors if there had been some cases of compromises which lasted for an intermediate period of time.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds