[liberationtech] Fwd: [greg at pryzby.org: Ubuntu, Dash, Shuttleworth and privacy]
Lee Fisher
blibbet at gmail.com
Wed Feb 20 14:29:58 PST 2013
> Anyway, we are free to choose what fit our requirements.
True.
Is there any formal academic research on the topic of distro
stability/quality/security, with any listed attributes/requirements?
On one hand, corporate control tends to spyware backdoors. On the other,
volunteer control could have other problems, like the Debian OpenSSL
port PRNG issue.
What are the other main characteristics to look for in a
community-controlled distro, for signs of a trustworthy, secure platform?
Going to the other extreme of Debian community size, what about
one-person projects? Some of the PET-centric distros are maintained by
just a single person. Is that better, or worse? I'd tend to think that a >1 team
would be better.
Another factor is security/trust issues from the upstream distro, if any.
If The Upstream Vendor (TUV) is a corporate-controlled one, you have to
hope that the downstream community-controlled fork is able to identify
any corporate-inserted spyware. It also may benefit from their presumed
better QA.
For example, will Ubuntu Privacy Remix defang this new upstream Dash
spyware feature, if UPR is still alive and ever updates to 12.x?
Even if TUV is community-based, like many are (Debian, or Gentoo, or
Ubuntu), you have to now trust that their code, or that the downstream
distro fixes things to your liking.
It would be nice if the EFF or some other org would poll their users,
asking them for their favorite distro, and which characteristics caused
this choice.
PS: Earlier I implied that Mint is corporate-controlled, but it appears
I was wrong, and they appear community-controlled. Sorry, Mint!