Reading your list of complications though I wonder if the last one is really a problem? Hiding a vulnerability that doesn't look suspicious on first sight? Agreed. But hiding a vulnerability at all - if compiled without reading the source? Isn't that 'just' appending /* garbage */ or even code in IFDEFs? In other words: Is the last point really an issue or is it 'just' a collection against a fixed plaintext/hash?
Reading your list of complications though I wonder if the last one is really a problem? Hiding a vulnerability that doesn't look suspicious on first sight? Agreed. But hiding a vulnerability at all - if compiled without reading the source? Isn't that 'just' appending /* garbage */ or even code in IFDEFs? In other words: Is the last point really an issue or is it 'just' a collection against a fixed plaintext/hash?