Wouldn't help if the source code already has the backdoor in there though. Most people would just download and build a tool off GitHub if it has 200 stars and does what they need.
>> By building their binaries from source and hosting them on their servers
> Wouldn't help if the source code already has the backdoor in there though
I'm not sure if you're aware, but random tools don't just spawn in official package repositories overnight.
There's a vetting process, for both new packages and new maintainers. Also, in established distros, packages don't get accepted to official repositories unless it's a critical and highly demanded one.
So yeah, any software can have vulnerabilities, regardless of OS.
But stray tools and dubious actors are pretty much a solved problem in Linux distros. The situation on Windows is laughable in comparison. No need to spread FUD.
This is a good thing to consider when picking Linux distros. Who are the maintainers, is maintenance done in the open, do they enforce reproducible builds, how is the review process done, what are the requirements for maintainers/packages/releases?
You also have the option of building from source yourself. Some package managers and distros (Gentoo, NixOS, Guix) do this for you.
This is BTW the main reason I wouldn't use derivative distros for anything serious.
Debian's generally trusted in the community - their slow pace comes from risk aversion.
> The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?
Pretty much, packaging is not a brainless process. One of the efforts that specifically targets this is the Reproducible Builds project [0], along with many other security measures set by each distro.
There are also usually multiple testing and updates rolling stages.
The best evidence of how effective these measures are is their actual reputation and record on the ground.
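The reproducible-builds check that the two comments above lean on (same source, independent rebuild, byte-identical artefact) is easy to see in miniature. The following is an added example, not code from the thread or from the Reproducible Builds project: it packages a constructed sample source tree twice from two "checkouts" made at different times, once naively and once with the normalisations the project documents (pin the timestamp to SOURCE_DATE_EPOCH, sort archive entries, drop builder uid/gid), and compares the SHA-256 of each result. The SOURCE_DATE_EPOCH value and the sample files are assumptions for the demo.

```python
"""Reproducible-build check in miniature: rebuild the same source tree
twice and compare artefact digests. The naive build leaks checkout
timestamps into the archive; the normalised build applies the fixes the
Reproducible Builds project documents (pin SOURCE_DATE_EPOCH, sort
entries, drop uid/gid). Added example, not project code."""
import hashlib
import io
import os
import tarfile
import tempfile

# Assumed value: a packager would normally derive this from the changelog date.
SOURCE_DATE_EPOCH = 1_700_000_000

# Constructed sample source tree (not a real package).
SAMPLE_SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int util(void) { return 1; }\n",
    "README": b"sample package\n",
}


def write_tree(root, files, mtime):
    """Materialise the sample tree, stamping every file with `mtime`
    (simulates a checkout made at that moment)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))


def build(root, normalise):
    """Package `root` into an uncompressed tar and return its SHA-256 hex digest."""
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, root), full))
    if normalise:
        entries.sort()  # directory listing order is filesystem-dependent
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for rel, full in entries:
            info = tar.gettarinfo(full, arcname=rel)
            if normalise:
                info.mtime = SOURCE_DATE_EPOCH  # not the checkout time
                info.uid = info.gid = 0         # not the builder's ids
                info.uname = info.gname = ""
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def rebuild_matches(normalise):
    """Two independent 'checkouts' made a minute apart, built the same way.
    Returns True when both builds yield a byte-identical artefact."""
    digests = []
    for checkout_time in (SOURCE_DATE_EPOCH + 60, SOURCE_DATE_EPOCH + 120):
        with tempfile.TemporaryDirectory() as root:
            write_tree(root, SAMPLE_SOURCE, checkout_time)
            digests.append(build(root, normalise))
    return digests[0] == digests[1]


if __name__ == "__main__":
    print("naive build reproducible:     ", rebuild_matches(normalise=False))
    print("normalised build reproducible:", rebuild_matches(normalise=True))
```

The naive build differs between the two runs solely because the file mtimes of the two checkouts differ; that is exactly the class of noise (timestamps, ordering, user ids, build paths) a distro has to strip before an independent rebuilder can confirm that the published binary came from the published source. A real verification does the rebuild on a separate machine and compares against the distro's published checksum rather than against a second local run.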