LinuxQuestions.org

Linux - Newbie: Who checks the integrity of Linux distros? (https://www.linuxquestions.org/questions/linux-newbie-8/who-checks-the-integrity-of-linux-distros-4175491843/)

Altiris 01-19-2014 07:39 PM

Who checks the integrity of Linux distros?
 
Is there a company or a coalition of people who inspect the source code of various/popular Linux distros to make sure they aren't doing anything malicious such as logging or stealing private data? We all say/believe open source is safer and it is in most cases, but are people actually checking the source code of distros to be sure or just taking their word for it?

rokytnji 01-19-2014 07:55 PM

No use woooooooooooorying about that.

Besides, I run ANTIX mostly and trust the developer and Debian. Slackware users have their own faith in their distro. I am sure if malicious code is found, it will be brought to light quicker than you can say, "Sheesh"!

Altiris 01-19-2014 08:02 PM

Quote:

Originally Posted by rokytnji (Post 5101156)
No use woooooooooooorying about that.

Besides, I run ANTIX mostly and trust the developer and Debian. Slackware users have their own faith in their distro. I am sure if malicious code is found, it will be brought to light quicker than you can say, "Sheesh"!

So you would just take anyone's word for it? If nobody is checking the code, how do you know they are keeping their word? When people found out about Ubuntu and Unity search collecting, I for one believe that this wasn't discovered by looking in the code; there was a "Legal Notice" on the bottom right of the Unity search. What I'm getting at is that nobody is actually inspecting code. Unless there's an organization that is doing so?

rokytnji 01-19-2014 08:33 PM

Quote:

Originally Posted by Altiris (Post 5101161)
So you would just take anyone's word for it? If nobody is checking the code, how do you know they are keeping their word? When people found out about Ubuntu and Unity search collecting, I for one believe that this wasn't discovered by looking in the code; there was a "Legal Notice" on the bottom right of the Unity search. What I'm getting at is that nobody is actually inspecting code. Unless there's an organization that is doing so?

People pay for WHATEVER Mac and Windows sell as an operating system, and there is no source code to inspect.

I really don't get your point one bit. Anyone? Would you trust the inspecting organization?
Especially funded by external resources. Maybe you are a candidate for http://stallman.org/stallman-computing.html and http://www.gnu.org/

I don't know what else to say to you. I am just an ignorant Linux-using biker.

Edit: Besides, when a flaw was found in the kernel at kernel.org, it was caught and flashed over the net in record time. I really don't see your point. Your hardware is probably more compromised with backdoors and stuff from Asia where it was manufactured than worrying about the integrity of source code. Do you trust your phone? Who filters/inspects that? Android? Ya gotta be kidding me.

k3lt01 01-19-2014 08:48 PM

Yes, people look at the "code" within distros. As an example, research AnonymousOS and what happened there. The beauty of Open Source is that the source is open and anyone can look at it and report bugs or other problems, submit patches, fork the code and improve on it.

Your reference to Ubuntu and Unity is, in my opinion, not the norm but then again Ubuntu, Canonical, and Ubuntu users are not the norm anyway. The Ubuntu ecosystem is unfortunately a very strange beast within Open Source and is, in my opinion, the Open Source equivalent to the MS Windows ecosystem. Fanboys believe whatever they are told by those who they look up to for their technology fashions.

allend 01-20-2014 01:25 AM

@Altiris - Ask yourself this question. If you were an open source developer, would you risk your reputation, hard work and respect of your peers by doing something offensive that could be easily found by anyone reading the code or simply noticing an odd file or outgoing connection?

A further safeguard is that open source projects generally have multiple developers who inspect and approve each other's new code and amendments.

ericson007 01-20-2014 01:50 AM

Yes, in the case of RHEL, they independently get audits done.

http://www.redhat.com/solutions/indu...fications.html

Since RHEL and those also contribute lots to the kernel and have their kernel based on the kernel at kernel.org, I think it is pretty safe to bet the kernel has been properly audited times over. Not only by peers, but also independents indirectly.

dolphin_oracle 01-20-2014 06:42 AM

Not to mention the Debian Foundation, which is a large organization of disparate individuals who constantly examine each other's code. And it's all published for anyone to see and use.

TobiSGD 01-20-2014 09:23 AM

Quote:

Originally Posted by Altiris (Post 5101161)
So you would just take anyone's word for it? If nobody is checking the code, how do you know they are keeping their word? When people found out about Ubuntu and Unity search collecting, I for one believe that this wasn't discovered by looking in the code; there was a "Legal Notice" on the bottom right of the Unity search. What I'm getting at is that nobody is actually inspecting code. Unless there's an organization that is doing so?

Even if there was some group inspecting code for malicious things, you still would have to take their word that they did not "forget" to tell you about a problem in the code. You would just move your trust from the distro's developers to some other guy working for that group. You would just need another group inspecting the work of the first group, and another group that inspects the work of the second group...
Effectively, nothing would change; at some point you just have to trust someone, and the easiest way is to just trust the distro's developers. If you can't do that you are using the wrong distribution.

DavidMcCann 01-20-2014 11:40 AM

Most Linuxes are developed by a community of developers, even if they are commercially sponsored like OpenSUSE and Fedora. You'd have to get everyone in the conspiracy, or run the risk of one of the developers spotting the malicious code and blowing the whistle. Ubuntu, of course, is produced by a team of employees who will do whatever they're paid to.

dugan 01-20-2014 11:55 AM

Quote:

Originally Posted by Altiris (Post 5101145)
Is there a company or a coalition of people who inspect the source code of various/popular Linux distros to make sure they aren't doing anything malicious such as logging or stealing private data? We all say/believe open source is safer and it is in most cases, but are people actually checking the source code of distros to be sure or just taking their word for it?

The largest inspection is crowd sourced. Anyone who has the ability to read code (and there are a lot of random people who can) has the ability to inspect it. The "many eyes" approach is one of the principles behind open source.

Quote:

When people found out about Ubuntu and Unity search collecting, I for one believe that this wasn't discovered by looking in the code; there was a "Legal Notice" on the bottom right of the Unity search.

It was "discovered" by Canonical announcing it, wasn't it? That just means that Ubuntu was transparent about what they were actually doing. There isn't a problem here. And still, anyone who wants to inspect the code can do so by checking it out from, say, packages.ubuntu.com.

So as long as you can read code, you don't have to take anybody's word.
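The thread's answer to "who checks?" is "you", and the first check a user can actually run is the one distros ship for their ISOs and source tarballs: a SHA256SUMS manifest that must match the downloaded files. The script below is an added example, not from any poster or distribution; it constructs two fake "release images" and a manifest locally (so it runs offline), verifies them, then shows how a modified file fails verification. The manifest itself is only meaningful once its detached signature has been checked against the distro's signing key (`gpg --verify SHA256SUMS.gpg SHA256SUMS`); that step is noted in a comment rather than run, because no key material is available offline.

```shell
#!/bin/sh
# Added example: verify release files against a SHA256SUMS manifest.
# All files and hashes below are constructed on the fly; nothing is downloaded.

set -u

# Create a scratch directory holding two constructed release files and
# a SHA256SUMS manifest generated the same way distros generate theirs.
make_release_dir() {
    dir=$(mktemp -d)
    printf 'constructed release image A\n' > "$dir/distro-a.iso"
    printf 'constructed release image B\n' > "$dir/distro-b.iso"
    ( cd "$dir" && sha256sum distro-a.iso distro-b.iso > SHA256SUMS )
    printf '%s\n' "$dir"
}

# Return 0 only when every file listed in the manifest matches its hash.
# In real use, verify the manifest's signature first, e.g.:
#   gpg --verify SHA256SUMS.gpg SHA256SUMS
# Without that, an attacker who can replace the ISO can replace the hashes too.
verify_manifest() {
    dir=$1
    ( cd "$dir" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Print how many manifest entries fail verification (0 when all are intact).
count_mismatches() {
    dir=$1
    ( cd "$dir" && sha256sum -c SHA256SUMS 2>/dev/null | grep -c 'FAILED' ) || true
}

# Stand-alone demonstration: intact files pass, a modified file is caught.
demo() {
    d=$(make_release_dir)
    if verify_manifest "$d"; then
        echo "intact: all files match SHA256SUMS"
    fi
    # Simulate a tampered or corrupted download by appending to one image.
    printf 'tampered\n' >> "$d/distro-b.iso"
    if ! verify_manifest "$d"; then
        echo "mismatch: $(count_mismatches "$d") file(s) failed verification"
    fi
    rm -rf "$d"
}

demo
```

`sha256sum -c` is the same check distro download pages tell users to run; the point of wrapping it in functions is that the result can feed a script or CI job that refuses to proceed on any mismatch rather than relying on a human reading the output.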

jamison20000e 01-20-2014 12:37 PM

You.

ericson007 01-20-2014 04:03 PM

If you are so sceptical, just put the computer back in the box. I personally would be more worried about what info they can get legally from my bank and other accounts and all the servers I connect to rather than the operating system. You obviously didn't see the BBC article where they can get info from your machine via wireless even though your machine is not connected to the net.

Oh, please rip out your GPS in the car too. That probably runs Linux but is actually programmed with your favorite routes and past destinations. Oh, and phone taps, but mail won't solve that issue because they have authority to intercept your mail.

Thinking about it. Move to a desolate island, oh sorry, satellites can still spot you.

jamison20000e 01-20-2014 04:51 PM

BSD, Ufw, IPtables, Firewalled, http://en.wikipedia.org/wiki/Penetration_test, http://sectools.org/,,, and on... :D

jefro 01-20-2014 05:36 PM

I don't say open source is safer.

jamison20000e posts the basic correct answer. You have every right and ability to view and test and submit changes.

No operating system has been proven resistant. Many very old applications still contain issues. Learning and using as many best practices as you can helps to avoid issues no matter what OS you use.

ntu929 01-21-2014 05:03 AM

Quote:

Originally Posted by ericson007 (Post 5101752)
If you are so sceptical, just put the computer back in the box. I personally would be more worried about what info they can get legally from my bank and other accounts and all the servers I connect to rather than the operating system. You obviously didn't see the BBC article where they can get info from your machine via wireless even though your machine is not connected to the net.

Oh, please rip out your GPS in the car too. That probably runs Linux but is actually programmed with your favorite routes and past destinations. Oh, and phone taps, but mail won't solve that issue because they have authority to intercept your mail.

Thinking about it. Move to a desolate island, oh sorry, satellites can still spot you.

Well, it may be an extreme step, but next to it there are so many other options. Fear is not a solution in any way. There is a threat everywhere, even for Windows OS. What then can be said of open source, which is always available for free?

ericson007 01-21-2014 05:57 AM

But that is the whole point. I don't agree with what goes on, but at the same time, if I chat on a forum, who cares? Nothing I say here is gonna land me in jail, and why should I stop living and having fun because of it?

For example, I smoke; I know it is bad, but it is also bad when I inhale exhaust fumes from cars, so what do I do, walk with oxygen tanks all day even if I was not a smoker?

With all this that happened, it is good that it came to light, but it is also important that we do not overreact and start fear mongering.

Besides, if security is such a big issue and you work for a corporation, they probably would be asking less and get their coders to check out things or, if paranoid, write their own systems.

jamison20000e 01-21-2014 11:23 AM

Here come the Tomacco ads... :D
