How would the vulnerability discovery work? Is the current code encrypted so that it can't be viewed?
My understanding of the process is that code is written in a language that must be compiled. After it is compiled, it is then "packaged" into an installer file, whose internals cannot be examined. After it is installed, it then consists of a directory full of files which help run the program, but these can still not be examined.
Is it true that the code cannot be seen at all these stages? No way to reverse engineer it?
And by open sourcing, an experienced person could see ways to break the code by causing infinite loops, creating false helper files, using a fake "mp3" file, etc?
Vulnerabilities can still be discovered in the compiled code, but they are easier to discover in the source code. Simply running a static analyser on the code will probably point out numerous possible vulnerabilities already.
As @thinkpad20 said. I bet there are a lot of people that would fix things, provided it is not systemic design errors that would require global refactoring.
The original developers all departed in 2003/2004; Winamp has been maintained / extended by whomever AOL could find to work on it for about a decade now. That doesn't bode terribly well for the current state of the code base.
Winamp has pretty much been Adware since Nullsoft was bought by AOL. It takes time to get an old proprietary codebase into a state where it can be released publicly. It could contain poorly written code, rude comments, adware, phoning home, GPL or patent violations, secret RIAA backdoors, etc.
At least on Linux. The original was x11amp, which became XMMS. But there are much better options, especially if you want to go text mode. MOC (http://moc.daper.net/), or even mplayer if you just want simple playback. And of course, the original mpg123. Let's just say, open source music players are a solved problem.