The Canvas hack turned out to be really interesting as more details emerge. For example, a lot of people going into HN, including me, don't know that Canvas is completely OSI open source, which is a frank example of how worthless that can be from a security and product POV.

"lots of eyes on the code fixes all bugs" only works when eyes are on the code and things get fixed