The moral is obvious. You can’t trust code that you did not totally create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.

Ken Thompson

His 1984 Turing Award paper on supply chain security is only four pages long and is worth reading repeatedly.