Here is an informed opinion on the subject matter:

Julian Assange: Debian Is Owned By The NSA « IgnorantGuru's Blog
https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/
https://youtube.com/watch?v=UFFTYRWB0Tk
" and about 20 minutes into his address, he discussed how UNIX-like systems like Debian (which he mentioned by name) are engineered by nation-states with backdoors which are easily introduced as ‘bugs’, and how the Linux system depends on thousands of packages and libraries that may be compromised."
"Assange mentions how Debian famously botched the SSH random number generator for years (which was clearly sabotaged). Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo, SuSE, *BSD, and more, the nightmarish OpenSSL recently botched SSL again (very serious – updated comments on how a defense contractor in Finland outed the NSA here?) It’s very hard to believe this wasn’t deliberate, as botching the memory space of private keys is about as completely incompetent as you can get, as this area is ultra-critical to the whole system. As a result, many private keys, including of providers, were potentially compromised, and much private info of service users. Be sure to update your systems as this bug is now public knowledge. (For more on how OpenSSL is a nightmare, and why this bug is one among many that will never be found, listen to FreeBSD developer Poul-Henning Kamp’s excellent talk at the FOSDEM BSD conference.)

From the start, my revelations on this blog about Red Hat’s deep control of Linux, along with their large corporate/government connections, haven’t been just about spying, but about losing the distributed engineering quality of Linux, with Red Hat centralizing control. Yet as an ex-cypherpunk and crypto software developer, as soon as I started using Linux years ago, I noted that all the major distributions used watered-down encryption (to use stronger encryption in many areas, such as AES-loop, you needed to compile your own kernel and go to great lengths to manually bypass barriers they put in place to the use of genuinely strong encryption). This told me then that those who controlled distributions were deeply in the pockets of intelligence networks. So it comes as no surprise to me that they jumped on board systemd when told to, despite the mock choice publicized to users – there was never any option.
A computer, and especially hosting services (which often run Linux), are powerful communication and broadcasting systems in today’s world. If you control and have unfettered access to such systems, you basically control the world. As Assange notes in the talk, encryption is only as strong as its endpoints, e.g. if you’re running a very secure protocol on a system with a compromised OS, you’re owned. As Assange observed: “The sharing of information, the communication of free peoples, across history and across geography, is something that creates, maintains, and disciplines laws [governments].”

UPDATE: Wikileaks is officially denying that Julian Assange literally said “Debian Is Owned By The NSA”. For people who are choking on the mere summary title of this article, please see definition of Owned/Pwn (and get some hip!)"

https://trisquel.info/en/forum/julian-assange-debian-owned-nsa
http://forums.debian.net/viewtopic.php?f=3&t=115121
If you search around you'll find more articles. It makes sense, they have a $20 Billion / year budget, and hire the top Bachelor's and Master's degree computer science students from computer science programs from around the country, and post them as developers in these open source communities and in Linux distribution projects. In the case of Red Hat the link is clearer and more direct.
There needs to be an audited version of GNU/Linux that is audited by at least 3 professional auditing teams, each signing the final source packages in tar files. There needs to be an audit distribution even if it lags behind rolling release distributions. Audited Source GNU/Linux.