jodiendo,
I read somewhere (who knows if it is true) that one US government agency had
~1,000 full time analysts who look for bad code to be used for potential
exploits. Assuming other countries have something similar, in numbers alone,
the free (and open) software movements would need similar thousands--full
time equivalent--doing similar work and making fixes, rather than cataloging
and saving exploits for later.
This approach does not involve "trust", which is what you asked about, but
may well work better than trust. Just use plain old "overwhelm" and make the
opposition's work more and more expensive and more and more difficult to
justify and sustain.
The problem with trust is that while it ought to be "earned", the world is
full of good guys and bad guys and corruptions within both groups who do not
make the accounting easy or fair.
Ideally "they" want to dispense trust or safety or privacy; to bless it, to
control it, which in turn gives them an indirect control and status over all
people who "need" to believe in those issues. And many people are ok with,
and even welcome, a scenario of "letting someone else do it", so that kind of
trust system works, but doesn't really deliver what it promises.
It takes "work" to accept and deal with trust issues, poor security, and the
loss of privacy. Making the work harder is that there is no end point; the
work is never finished, it is an ongoing process as they say...because good
guys and bad guys keep figuring out new methods to accommodate their ends and
needs.
Personally I am still waking up to this reality and have difficulty accepting
it. I have noticed it however and that is a start.
There has been a compelling myth that freely readable software code has many
eyes constantly checking and improving it. That myth must die today and no
longer be recognized as "real". From now on, it needs to become real.
How to develop a real system of code checking that overwhelms the opposition
would be helpful. How to arrange that? At this time, I do not know. There
must be a way however.