Re: Linux kernel doesn't do too badly with this intractable problem
@Glen Turner 666
You are spot on.
With regard to point (2), many organisations have formal procedures for vetting people allowed into the 'inner circle'. Whilst these are fallible, they at least raise the bar to some extent. I have no idea if such processes are applied in critical open source development environments.
The kernel is only one area where this problem exists and is probably not the best option for exploitation. The sweet spot is probably some component that is widely used and is not a standard component of major distributions.
If you use something direct from the (open) source then you are responsible for the due diligence.