Some yahoo at Debian found what he thought was a bug in OpenSSL, and decided to comment out some code without having any clue what purpose it served. That purpose was to seed a pseudo-random number generator with entropy from memory, specifically /dev/random. This only broke the cryptographic security of OpenSSL on Debian (and thus Ubuntu) while being mostly undetectable. It’s quite likely attacks of the same ilk were deliberately planted by various spy agencies.

This is just an extreme example of why I prefer to build open-source software from source code myself rather than trust blindly in some packager whose choice of compile-time settings almost certainly doesn’t match mine. I have a framework of makefiles that specify how each package is built from source (meta-makefiles, really). This includes checking for new versions of the package, setting configure options and make environment variables. For instance, to fetch the most recent version of OpenSSL, all I do is make sync-openssl; make openssl then as root run make install-openssl. The maintenance burden is low as I have been assembling these metamakefiles over the last 12 years, targeting Solaris and OS X. The end-result is a deterministic build according to my specifications.

My process would not ward against a malicious attack like Brian Kernighan’s notorious trusting trust attack, but it has served me well over the years.