Also of course, regardless of whether the product is open source or proprietary and paid for, you can't from that draw any conclusions about the skills of the individuals who have written the code, but if it's a high prestige brand/project I guess chances are higher they have been more picky than if it's some small, rather unknown one-individual thing.
The idea was to make the point that you, for instance, may not want to trust the individuals who roll their own packages for your Linux distribution of choice and download from a random page, or trust THISISTHEBEST___INTHEWORLDBUTITSNOTAWELLKNOWNPRODUCT from someone rather unknown, for instance.
But I guess it all fails with this being OpenSSL, which I feel is a high prestige / well-known product where safety should be important, and still it simply failed.
Somewhat related, I noticed that Fedora runs OpenSSH by default, with the defaults (PermitRootLogin yes) and listening to the whole world, which imho is completely retarded, and I don't see why one would want to have that as the default. I guess it could be argued that "Hey, someone may need that to access the computer after installation!", but I guess in that case let them set that up in the installer or make a special installation with such settings, and really, do they use the regular installer but have no keyboard and screen hooked up so they can turn it on afterwards if they want to?
It did seem like none of the BSDs ran sshd by default, which imho is much more reasonable. Whether to allow root or not as the default I guess one could argue about. Since the OpenSSH default is PermitRootLogin yes I guess it makes some sense to keep that as the default rather than changing it, but I guess there has been some argument about that one too. A way of rescuing a poorly set up installation? Possibly better (imho) to just force people to redo it correctly if they mess up and really need some way to get in.
And regarding trusted source code, prestige projects and whether anyone is actually watching the code and finding the bugs: what happened with the claim about some backdoor in, was it OpenBSD or OpenSSH? Was it just bullshit or something real? I guess the first question would be whether anything/it was actually found, because without that the answer would of course be "we don't know" =P
Guess I'm off-topic enough to not take it even further so I'll stop there :)
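As an added example (not part of the post above), a small Python audit of the global section of an sshd_config for the two points raised there: PermitRootLogin and sshd listening on every interface. It assumes sshd_config's first-value-wins rule and that directives under a Match block are conditional rather than global; the sample configs are constructed, not real Fedora files.

```python
import re

def _host_of(addr):
    """Strip the optional port from a ListenAddress value."""
    if addr.startswith("["):            # [ipv6]:port form
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:            # ipv4:port or host:port form
        return addr.split(":")[0]
    return addr                         # bare address or hostname

def parse_global_settings(text):
    """Return {lowercase keyword: [values]} for directives before any Match block.

    sshd uses the FIRST value it sees for a keyword; only ListenAddress may
    legitimately repeat, so later duplicates of other keywords are dropped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+)$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                        # everything below is conditional
        if key == "listenaddress":
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, [value])
    return settings

def audit(text):
    """Return findings for the root-login and network-exposure points."""
    s = parse_global_settings(text)
    findings = []
    root = s.get("permitrootlogin", [None])[0]
    if root is None:
        findings.append("PermitRootLogin unset: compiled-in default applies "
                        "(yes before OpenSSH 7.0, prohibit-password since)")
    elif root.lower() == "yes":
        findings.append("PermitRootLogin yes: set 'no' or 'prohibit-password'")
    listen = [_host_of(a) for a in s.get("listenaddress", [])]
    if not listen or any(h in ("0.0.0.0", "::") for h in listen):
        findings.append("sshd listens on every interface: restrict ListenAddress")
    return findings

# Constructed sample inputs, not real Fedora files.
SAMPLE_CONFIG = "#Port 22\nPermitRootLogin yes\nPermitRootLogin no\nMatch User backup\n    PermitRootLogin no\n"
HARDENED_CONFIG = "ListenAddress 192.0.2.10:22\nPermitRootLogin no\n"
```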