[geofft]

Why do you trust Debian? (I say this as a happy Debian user/sysadmin/occasional package maintainer).

In particular, it's a volunteer-run organization in which it's not unusual at all to volunteer to maintain a package as part of your day job that uses a package, and where a large amount of discretion is given to the individual package maintainer, until they choose to hand maintenance to someone else. This is perfect for an organization who wants to push security configuration weaknesses. Even if you can't get a back door in, you can certainly default to code that you have privately found vulnerabilities in, or compile with or without certain options, add third-party patches that are pretty questionable, or add CAs that are particularly easy to coerce. None of these actions look weird at all, they just look like someone who is putting work into their package and caring about doing Debian-specific work to make it work well. In particular, until relatively recently, the Debian ca-certificates package included the CAcert root cert, which was in very few other root stores, and the SPI one, which was in no other stores.

It's also the case that Debian accepts binary packages built on the developer's personal machine (and this used to be required until very recently), so it's very easy to straight-up upload a backdoor that isn't in the source. (This might have changed recently, but I believe this was true at least as recently as the last stable release.)

[mattnewton]

I trust people doing it largely for themselves and the community reputation _more_ than I trust people who are expected to deliver more returns every year in a stagnating market.

[geofft]

But you don't know if someone is doing it for themselves and community reputation, or if they're a fake persona created by someone who wants to break into servers. All it takes is one stereotypically-stubborn open source maintainer who gets grumpy about switching old reliable cryptographic defaults for kids-these-days defaults - which is a thing that real-world stubborn open source maintainers, on whom the stereotypes are based, do: https://sourceware.org/bugzilla/show_bug.cgi?id=13286

Do you know if the version of OpenSSL in your Debian has any patches to its cipher suite selection algorithm, compared to upstream? (Genuine question; I haven't checked.) If it did, and you saw someone being grumpy on a Debian bug and refusing to remove the patch, would you suspect that they were actually evil? Or just grumpy?

Remember, also, that Debian is the distro that patched their OpenSSL to ludicrously weaken the random-number generator, and the Snowden leaks confirmed that the NSA backdoored a random-number algorithm. I am not at all saying that the NSA was behind the patch (it looked genuinely like an oversight), but if the NSA wanted to be behind a similar patch, no one would think it abnormal.

[nixos]

The problem is getting a bad actor into a large community is quite easy if funds aren't an issue.

You think the NSA (or FSB, or whatever) can't pay for someone to maintain nginx or apache?

[mattnewton]

That's totally fair, but I hope that each of those organizations has a vested interest of exposing each other; at the very least it's in the NSA's charter to protect American businesses against attacks, I have no idea if they feel this is an effective way though. So yes, it's risky. But Microsoft has all those disadvantages too, even though it's harder to get moles inside it's easier to have their stuff undetected (and in the case of the NSA it might even be done with full cooperation). Plus, the market share makes them a bigger target.

Outside probably hypotheticals, what we know for certain is that microsoft is attempting to monetize their new windows on the back of user's data.

[nixos]

While I mentioned the NSA, really the bigger threat is a guy (or hacker group) who wants to pull off a million dollar heist. The NSA can get into (practically) anything and everything.

To get a job at MS, you have to have a real life reputation. Once you get in, there will be others analyzing your code, and your bug may not make it to release.

To insert a bug into Debian, become a packager and you're done. Access to one of the most popular server (the important stuff is here) OSs (Debian, Ubuntu) on the web.

You're busted? Create another account and start over.

[MikeHolman]

If the NSA were trying to protect American businesses against attacks, they would responsibly disclose vulnerabilities they discover. But for me most part they hoard them.

[lallysingh]

They have more incentive to use the vulnerabilities themselves and send out patch sets to critical systems.

[eeZi]

> It's also the case that Debian accepts binary packages built on the developer's personal machine

Pretty common - many community distros do. Arch Linux too. Worrying for obvious reasons.

At least they're putting in an actual effort at making builds reproducible.