I think it's incumbent on us to insist on open source tools in this space.

Agreed, you can't "don't trust, verify" without the source code being open.