[oblio]

> While every Debian developer has technical access to upload every package, it's strongly socially frowned upon to upload someone else's package.

I wonder how much malware is in there, that we haven't found, because of this. I'm willing to bet there is some in there, especially since at this point Debian is for sure targeted by professionals.

[goodpoint]

Debian is not only doing both peer review of the packages but it's reviewed by the users.

Also, packages are rebuilt from source centrally.

And finally, there is a number of large companies that provide legal indemnification, long term support and so on as part of large contracts.

I.e. a 20-years long contract to provide all the software for an airport, or all branches of a bank, or a family of medical devices or cruise ships.

Those companies review the distro very carefully.

[geofft]

Well, first off, if you're providing all the software for medical devices or an airport, you probably don't care everything in the OS. You care about the software going into your platform, and from a minimal-trusted-base / least-privilege standpoint, you probably want to minimize the amount of software you use to the extent possible, whether or not you review it. So it's unlikely they're auditing the entire distro.

Second, if these companies are in fact auditing the code (which is a lot of code!), as opposed to just selling insurance and hoping for the best, that means that

a) it's some employee's job to spend a portion of their time reviewing the code

b) when they find issues, they report those bugs somewhere, so that the bug gets fixed

Can you point to either a job posting that lists reviewing Debian packages as part of the job requirements (or equivalently, someone's résumé/LinkedIn that says they did this work), or a bug report from one of these auditors?

[goodpoint]

> So it's unlikely they're auditing the entire distro.

No, you are oversimplifying the complexity of tenths-of-million-dollar contracts by far.

You can go from a simple and cheap indemnification https://ubuntu.com/legal/ubuntu-advantage-assurance to guaranteeing long term backports for a small set of packages https://www.cip-project.org/ to much bigger efforts.

Some commercial distros and various internal-only distros have a legal team to do license review. That's just the first step.

You can easily find jobspecs for security analysts in tech companies, or system engineers hired to handle the software lifecycle.

I opened the bug reports you are mentioning myself, and security advisories. I cannot name companies and colleagues, obviously, otherwise I would have done it already. The companies I work[ed] for rebuild entire ecosystems of packages, do legal review but don't do security audit on things like games.