
There is always going to be an issue of trust at some point: the Linux code base is public, but almost none of us compile Linux and the packages we need to build a complete OS from source. We end up getting pre-built packages from repositories that are often distributed all around the world. How easy/hard would it be to compromise some packages or some repositories if you are determined enough?

You certainly could not compromise a base as large as the number of Windows users, but you could target your efforts on distributions that have key infrastructure roles, like servers, routers, firewalls...

Another vector used to compromise free software is to participate in it. Paid agents can actively participate in open source projects and allow clever exploits that could pass as bugs if uncovered.
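
The "pre-built packages from repositories all around the world" concern above is exactly the case a manifest check is meant to cover. The following is an added example written for this page, not code from the thread or from any distribution's tooling: it verifies a set of downloaded files against a sha256sum-style manifest, and only trusts that manifest if its own digest matches one pinned out-of-band. The package names and bytes are constructed stand-ins, and the pinned digest is computed from the constructed manifest rather than obtained from a real vendor.

```python
"""Check downloaded packages against a checksum manifest that is itself pinned.

Added example for this discussion; file names and contents below are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# One ``sha256sum`` manifest line: 64 hex digits, two spaces, a file name.
_LINE = re.compile(r"^([0-9a-f]{64})  (\S.*)$")


@dataclass
class Report:
    ok: bool
    verified: list = field(default_factory=list)
    tampered: list = field(default_factory=list)   # "<manifest>" if the manifest itself failed
    missing: list = field(default_factory=list)
    unlisted: list = field(default_factory=list)   # files the mirror served that the manifest never named


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum output into {name: hex digest}; reject malformed or duplicate lines."""
    entries: dict[str, str] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {n}: malformed: {raw!r}")
        digest, name = m.groups()
        if name in entries:
            raise ValueError(f"manifest line {n}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def build_manifest(files: dict[str, bytes]) -> str:
    """Produce sha256sum-style text for a set of files (what a mirror or vendor publishes)."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def verify_packages(manifest_text: str, pinned_manifest_sha256: str,
                    files: dict[str, bytes]) -> Report:
    # The manifest must match a digest obtained from somewhere other than the mirror
    # (vendor web page over TLS, printed in release notes, a signed copy, ...).  A mirror
    # that can rewrite packages can just as easily rewrite the manifest next to them.
    if not hmac.compare_digest(sha256_hex(manifest_text.encode()), pinned_manifest_sha256):
        return Report(ok=False, tampered=["<manifest>"])

    expected = parse_manifest(manifest_text)
    report = Report(ok=True)
    for name, digest in expected.items():
        if name not in files:
            report.missing.append(name)
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            report.verified.append(name)
        else:
            report.tampered.append(name)
    report.unlisted = sorted(set(files) - set(expected))
    report.ok = not (report.tampered or report.missing or report.unlisted)
    return report


# Constructed sample data: stand-ins for real tarballs, not real package contents.
GOOD_PACKAGES = {
    "openssh-9.0.tar.xz": b"constructed stand-in for the openssh tarball bytes",
    "iptables-1.8.tar.xz": b"constructed stand-in for the iptables tarball bytes",
}
GOOD_MANIFEST = build_manifest(GOOD_PACKAGES)
# In practice this value is pinned from an out-of-band source; here it is derived from the sample.
PINNED_MANIFEST_SHA256 = sha256_hex(GOOD_MANIFEST.encode())


def demo_clean() -> Report:
    return verify_packages(GOOD_MANIFEST, PINNED_MANIFEST_SHA256, GOOD_PACKAGES)


def demo_tampered_package() -> Report:
    """Mirror swapped one tarball but left the manifest alone: the file is caught."""
    files = dict(GOOD_PACKAGES, **{"openssh-9.0.tar.xz": b"backdoored tarball"})
    return verify_packages(GOOD_MANIFEST, PINNED_MANIFEST_SHA256, files)


def demo_tampered_mirror() -> Report:
    """Mirror swapped the tarball and regenerated the manifest: only the pin catches it."""
    files = dict(GOOD_PACKAGES, **{"openssh-9.0.tar.xz": b"backdoored tarball"})
    return verify_packages(build_manifest(files), PINNED_MANIFEST_SHA256, files)


if __name__ == "__main__":
    for demo in (demo_clean, demo_tampered_package, demo_tampered_mirror):
        print(demo.__name__, demo())
```

The third demo is the one that matters for the mirror question: if the checksum file is fetched from the same place as the packages, comparing against it proves nothing. Real distributions close that gap by signing the manifest (Debian's `Release` files, for example, carry a detached GPG signature) with a key the user obtained separately; the pinned digest here stands in for that signature check so the example runs offline.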

This made me think of Ken Thompson's Turing Award Lecture: http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomps...


This. Even if you are 100% sure about the code, there is more than one way to subvert it.


Sure, it is possible. But it is harder, and the possibility of those "patches" getting discovered by some random users is much higher. It is much easier to use a proprietary tool like Microsoft's to spy on others.


If you have some valuable secret to keep (classified documents, trade secrets, whatever), you'd be stupid if you didn't compile all the software that touches it yourself.

"We" get pre-built packages from repositories, but only because "we" don't value our privacy enough.


Okay, you will compile it... but will you read all of the 10 million (or whatever the number is) lines of code that will compile to your OS and every package that you need to use?


But at least it's harder to hide it, and at some point you know it's going to be found out. If we found out about the proprietary solutions spying on us, I think we'll find out even sooner about the open source ones.


Security vulnerabilities are found in OSS programs all the time, how do you tell the difference between negligence/incompetence/mistakes and malicious activity?
