The moral is obvious. You can’t trust code that you did not totally create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.
His 1984 Turing Award paper on supply chain security is only four pages long and is worth reading repeatedly.